mysticum
Cadet
Joined: Jan 20, 2004
Posts: 2
Location: Netherlands
Posted: Tue Jan 20, 2004 5:20 am Post subject: belt.exe
Good morning!
I have a really irritating problem.
My virus scanner, Norton AntiVirus, detected a virus called belt.exe.
Well, glad as I was that it detected the virus I was really disappointed that it could not delete it.
COULD ANY ONE HELP ME!!!!!!!!!!!!!!!
I realised from someone on this site, who had the same problem, that it could help to add a log file from HijackThis, so here it is:
Logfile of HijackThis v1.97.7
Scan saved at 11:08:30 AM, on 1/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [Komunikator] D:\tlen\tlen.exe
O4 - HKCU\..\Run: [NumberOneMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NumberOneMP3:t
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: NumberOneMP3 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwe....0.0.6.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar...vSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...5228935185
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Shared.../cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l...cfscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab
THANK YOU FOR SO FAR!!!!!!
steamwiz
Security Expert
Joined: Jan 14, 2004
Posts: 901
Location: Yorkshire UK
Posted: Tue Jan 20, 2004 1:10 pm Post subject:
Hi
The belt.exe file is not running....what is the exact path to the belt.exe file ?
Close all browser windows - run hijackthis and tick to fix :-
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
reboot
do you know what this is :-
O4 - HKCU\..\Run: [Komunikator] D:\tlen\tlen.exe
steam
_________________
If you are a new poster....Do NOT post your log in an existing thread.
Please START your OWN thread.
mysticum
Cadet
Joined: Jan 20, 2004
Posts: 2
Location: Netherlands
Posted: Tue Jan 20, 2004 5:29 pm Post subject:
Thank you Steamwiz for advice,
I did what you suggested but unfortunately the problem is still there,
This is Norton's item information about the Belt.exe: " The compressed file Belt.exe within C:\Documenst and settings\Administrator\Temp|Belt.cab is a adware threat"
I located the file and it is compressed. Does this mean that I can simply delete the file manually?
And if so, why didn't Norton delete the file in the first place?
Another problem Norton detected was Setup.exe, with item information:
" The file C:\Program Files\C2Media\Setup.exe is a Adware threat"
With threat name "Adware.Lop". How can I remove that file, which Norton also cannot delete?
steamwiz
Security Expert
Joined: Jan 14, 2004
Posts: 901
Location: Yorkshire UK
Posted: Tue Jan 20, 2004 5:52 pm Post subject:
HI
It can't delete it because it's in a temp folder....but you can.
Also do this :-
Please Download and install SpyBot,
http://security.kolla.de/
click the online tab to search for and download the updates, then shut down and relaunch SpyBot.
Go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.
Finally, after closing down Internet Explorer, click 'Check for problems', and have SpyBot remove all it finds 'Fix selected problems'
you may have to run spybot more than once to clear everything
Remove everything pre-ticked in Red
steam
c0c0s
Guest
Posted: Thu Jan 29, 2004 7:29 pm Post subject: do you know what is this
do you know what this is :-
O4 - HKCU\..\Run: [Komunikator] D:\tlen\tlen.exe
hey! hahaha it is a Polish communicator program, something like ICQ or MSN, how come you have it and don't know what this is?? Unless same name - different file?
Via
Guest
Posted: Wed Feb 04, 2004 2:42 pm Post subject: Belt.exe
Hello I am Via. I am CEO of yourvia.com. I have encountered this issue on a system at work. Norton Antivirus Corporate Edition did not recognize this as a virus but the infected machine was unable to run .exe files nor launch commands. Such .exe files and commands that would not run were Internet Explorer, Explorer, Show Desktop, My Computer, and the mapping of Network Drives.
I noticed the belt.exe file resided under the C:\WINNT folder.
There is also a registry setting. This setting is under HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
The registry setting is named "Belt.exe" and references C:\WINNT\Belt.exe
Delete this registry setting and delete the Belt.exe file from your system. In Windows 2000, I noticed that when the Belt.exe file is deleted, it does not go to recycle bin! It went into C:\documents and settings\<profile logged into>\local settings\temp
I then deleted it from here to the recycle bin and emptied the recycle bin.
If you have any further questions, email me at |
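
The Run-key check described in the post above can also be made against a saved HijackThis log. The following is an added example, not code from any poster in this thread: it parses the O4 autorun lines and reports every entry whose target is a given file name, whatever the value is called. The sample log is constructed from lines in the first post plus the Belt.exe value as described above; `parse_o4`, `target_path` and `find_by_filename` are hypothetical names.

```python
import re
from typing import NamedTuple

class Autorun(NamedTuple):
    location: str   # e.g. HKLM\..\Run or "Global Startup"
    name: str       # registry value name or shortcut name
    command: str    # full command line or shortcut target

# O4 lines take two shapes in a HijackThis log:
#   O4 - HKLM\..\Run: [Name] command
#   O4 - Global Startup: Name.lnk = target
_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")
_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")

def parse_o4(log: str) -> list[Autorun]:
    """Extract every autorun entry (O4 section) from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = _RUN.match(line) or _STARTUP.match(line)
        if m:
            entries.append(Autorun(*m.groups()))
    return entries

def target_path(command: str) -> str:
    """Return the program part of a command, without quotes or arguments."""
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces, so cut at the first program extension.
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr))\b", command, re.I)
    return m.group(1) if m else command.split()[0]

def find_by_filename(entries: list[Autorun], filename: str) -> list[Autorun]:
    """Entries whose target file name equals `filename` (case-insensitive)."""
    want = filename.lower()
    def base(path: str) -> str:
        return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return [e for e in entries if base(target_path(e.command)) == want]

# Constructed sample input, not a real scan.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Belt.exe] C:\WINNT\Belt.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
"""

if __name__ == "__main__":
    for hit in find_by_filename(parse_o4(SAMPLE_LOG), "belt.exe"):
        print(f"{hit.location}: [{hit.name}] -> {target_path(hit.command)}")
```

Matching on the target file name rather than the value name also finds an entry that has been given an unrelated name.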
CSMorpheus
Guest
Posted: Tue Feb 10, 2004 12:52 pm Post subject: Via is correct re: registry deletion
Regarding that belt.exe problem, I too deleted the registry entry first, then deleted the belt.exe from the main Windows folder. I found it using a utility called AIDA32.EXE. It's a utility that lists an unprecedented amount of info about your system, everything from s/ware to h/ware and all the specifications you could ever imagine, you have to see it to believe it.
It's the most descriptive utility I've ever seen, tells you the speed your ram is running, cpu fan rpms... and way way more.
Under the software list that's running, it showed one called belt.exe, so in google.ca I typed "what is belt.exe?" and that's how I found out it's a trojan horse that slowly restricts many .exe progs and is also used to d/load OTHER trojans to your puter that may be more malicious than itself. It's truly a potentially destructive program, and hits you slowly, one problem at a time until a low-level format and reinstall is your only option. AIDA32.EXE, try it, you'll love the ocean of info it gives you to monitor.
Good luck,
CSMorpheus.
trane
Cadet
Joined: Feb 12, 2004
Posts: 1
Location: USA
Posted: Thu Feb 12, 2004 11:01 am Post subject: Prompt asking for file
I was just looking at my school's website and then I got a prompt in a window saying that that file was needed, I quote:
Window Title: Files Needed
The file 'Belt.exe' on [unknown] is needed.
Type the path where the file is located and click ok. I had three options:
Copy files from (since it isn't on my machine I couldn't)
OK
Cancel - which is what I clicked
If it pops up again I'll be sure to let you know.