sexlp.exe


tino.mehlmann

Hello,
my XP PC was infected recently. After cleaning up with anti-virus software
and manual checks I am still left with VERY resistant registry entries,
hidden files and processes in the Task Manager.
One of them is called "sexlp.exe". I did not find anything about this
so far.

Anyone has an idea? Thanks, Tino
 

Gabriele Neukam

On that special day, tino.mehlmann ([email protected]) said...
> One of them is called "sexlp.exe". I did not find anything about this
> so far.
>
> Anyone has an idea? Thanks, Tino

Really? You won't like it.

www.linkblock.de

And be careful when asking the same question in de.comp.security.virus


 

tino.mehlmann

> Really? You won't like it.
>
> www.linkblock.de
>
> And be careful when asking the same question in de.comp.security.virus

... that does not sound very nice. But unfortunately I still did not
find any info. Can you please be more precise?

Thanks so much!
Tino
 

David H. Lipman

From: <[email protected]>

| Hello,
| my xp pc was infected recently. After cleaning up with anti-virus s/w
| and manual checks I am still left with VERY resistent registry entries,
| hidden files and processes in the task- manager.
| One of them is called "sexlp.exe". I did not find anything about this
| so far.
|
| Anyone has an idea? Thanks, Tino


Please submit a sample of "sexlp.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea of what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect file, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall so that it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * * Please report back your results * * *
 

Gabriele Neukam

On that special day, tino.mehlmann ([email protected]) said...
> ... that does not sound very nice. But unfortunately I still did not
> find any info. Can you please be more precise?

It simply means: If you cannot tell *exactly* what the unwanted
software did on your machine, expect the worst. It might have hijacked
your computer, taken control of it, and planted backdoors that are
unknown to every antivirus/spyware scanner, because this is a special
version, tailored for *you*.

So, you will not be able to remove it, because it cannot be found or
has a component that will reinstall after removal, and so on.

The only way to make sure that your computer is free from *any*thing
unwanted is to flatten and rebuild, patching it as much as possible
*before* going online.

And of course, this is something very unpleasant, yet the ONLY way to
make sure your machine is under YOUR control.

I haven't had to do it yet, because I avoid some things like the
*plague*:

- using Internet Explorer (because of Active Scripting; see the
currently open flaws, three in number, which aren't fixed yet)

- using Outlook Express

- opening shares on my machine that can be written to.

Instead, I
- use Opera as browser (not that much of a target)
- use T-Online Mail for mail (doesn't execute anything)
- make all shares read-only.

Until now, I haven't been hit by malware (crosses fingers)


 

tino.mehlmann

OK guys,
I think I got rid of it - hopefully. It cost me three hours at least and
my hair almost fell out.

Here is the little story:

After disconnecting from the internet I removed all the crap that this
thing downloaded - it somehow started IE in the background although
I am using Firefox (OK, from now on my Internet Explorer gets renamed
to rubbish.exe).
I saw three processes that I could not kill (they came in pairs and
restarted each other). They also always restored the registry
when I edited it. The files were protected and could not be deleted.
OK, I started in safe mode (command prompt only) and renamed the executables.
They could not be deleted. I then had to replace them (I chose
minesweeper.exe). Then I rebooted in safe mode, changed the registry,
changed autostart and rebooted.

The virus scan with VirusTotal gives (no wonder, I am using Avast and
Avast does not know it... grrrr):

Antivirus            Version         Update      Result
AntiVir              6.34.0.14       03.28.2006  TR/Dldr.Qoolog.bj.3
Avast                4.6.695.0       03.28.2006  no virus found
AVG                  386             03.28.2006  Downloader.Generic.UEO
Avira                6.34.0.54       03.28.2006  TR/Dldr.Qoolog.bj.3
BitDefender          7.2             03.28.2006  Trojan.Downloader.Qoologic.BC
CAT-QuickHeal        8.00            03.27.2006  (Suspicious) - DNAScan
ClamAV               devel-20060202  03.28.2006  no virus found
DrWeb                4.33            03.28.2006  Trojan.Qoologic
eTrust-InoculateIT   23.71.113       03.28.2006  Win32/Qoologic.28672!Trojan
eTrust-Vet           12.4.2140       03.28.2006  Win32/Qoologic.AB
Ewido                3.5             03.28.2006  Downloader.Qoologic.bj
Fortinet             2.71.0.0        03.28.2006  W32/Qoologic.BJ!dldr
F-Prot               3.16c           03.28.2006  security risk named W32/Downloader.SJB
Ikarus               0.2.59.0        03.28.2006  Trojan-Downloader.Win32.Qoologic.BJ
Kaspersky            4.0.2.24        03.28.2006  Trojan-Downloader.Win32.Qoologic.bj
McAfee               4728            03.28.2006  Qoolaid
NOD32v2              1.1460          03.28.2006  no virus found
Norman               5.70.10         03.28.2006  W32/Qoologic.HW
Panda                9.0.0.4         03.28.2006  Trj/Qoologic.J
Sophos               4.04.0          03.28.2006  Troj/Qoolaid-AL
Symantec             8.0             03.28.2006  no virus found
TheHacker            5.9.7.121       03.28.2006  Trojan/Downloader.Qoologic.bj
UNA                  1.83            03.23.2006  TrojanDownloader.Win32.Qoologic
VBA32                3.10.5          03.28.2006  Trojan-Downloader.Win32.Qoologic.bj

Thanks for dealing with me!
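The two practical steps in this thread are David's (hash and submit the suspect file to VirusTotal, then post the exact results) and Tino's (read the per-engine verdicts and decide what the file is). The following is an added example, not code from the thread or from any of its participants: it computes the hashes one would use to search VirusTotal for the file before uploading it (the hash-search feature is assumed; the thread only mentions uploading), then parses a VirusTotal-style text report such as the one Tino pasted and reduces it to a detection ratio and a majority-vote family name. The sample bytes are a constructed stand-in, not the real sexlp.exe; the report text is copied from Tino's post.

```python
"""Added example (not from the original thread): VirusTotal triage helpers."""
import hashlib
import re
from collections import Counter

# Constructed stand-in for a suspect file (fake "MZ" header plus filler). Not malware.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real sexlp.exe"


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file contents. Any of these works as a
    VirusTotal search key (assumption: hash search, which the thread does not mention)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


# Tino's report, verbatim: "Antivirus Version Update Result" per line.
VT_REPORT = """\
Antivirus Version Update Result
AntiVir 6.34.0.14 03.28.2006 TR/Dldr.Qoolog.bj.3
Avast 4.6.695.0 03.28.2006 no virus found
AVG 386 03.28.2006 Downloader.Generic.UEO
Avira 6.34.0.54 03.28.2006 TR/Dldr.Qoolog.bj.3
BitDefender 7.2 03.28.2006 Trojan.Downloader.Qoologic.BC
CAT-QuickHeal 8.00 03.27.2006 (Suspicious) - DNAScan
ClamAV devel-20060202 03.28.2006 no virus found
DrWeb 4.33 03.28.2006 Trojan.Qoologic
eTrust-InoculateIT 23.71.113 03.28.2006 Win32/Qoologic.28672!Trojan
eTrust-Vet 12.4.2140 03.28.2006 Win32/Qoologic.AB
Ewido 3.5 03.28.2006 Downloader.Qoologic.bj
Fortinet 2.71.0.0 03.28.2006 W32/Qoologic.BJ!dldr
F-Prot 3.16c 03.28.2006 security risk named W32/Downloader.SJB
Ikarus 0.2.59.0 03.28.2006 Trojan-Downloader.Win32.Qoologic.BJ
Kaspersky 4.0.2.24 03.28.2006 Trojan-Downloader.Win32.Qoologic.bj
McAfee 4728 03.28.2006 Qoolaid
NOD32v2 1.1460 03.28.2006 no virus found
Norman 5.70.10 03.28.2006 W32/Qoologic.HW
Panda 9.0.0.4 03.28.2006 Trj/Qoologic.J
Sophos 4.04.0 03.28.2006 Troj/Qoolaid-AL
Symantec 8.0 03.28.2006 no virus found
TheHacker 5.9.7.121 03.28.2006 Trojan/Downloader.Qoologic.bj
UNA 1.83 03.23.2006 TrojanDownloader.Win32.Qoologic
VBA32 3.10.5 03.28.2006 Trojan-Downloader.Win32.Qoologic.bj
"""

# Engine, version and update date are single tokens; the result is the rest of the line.
LINE_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<update>\d\d\.\d\d\.\d{4})\s+(?P<result>.+)$")

# Qualifiers many vendors prepend that name no family (DNAScan is QuickHeal's heuristic).
GENERIC_TOKENS = {"trojan", "troj", "trojandownloader", "downloader", "dldr", "generic",
                  "suspicious", "security", "risk", "named", "dnascan"}


def parse_report(text: str) -> list:
    """Parse the per-engine lines; the header and anything that does not fit is skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def detections(rows: list) -> list:
    """Rows whose result is a detection rather than a clean verdict."""
    return [r for r in rows if r["result"].strip().lower() != "no virus found"]


def detection_ratio(rows: list) -> tuple:
    """(engines that flagged the file, engines that scanned it)."""
    return (len(detections(rows)), len(rows))


def consensus_family(rows: list) -> tuple:
    """Most frequent family-like token across detection names, with its count.
    Vendor naming differs (Qoologic / Qoolog / Qoolaid), so this is a majority
    vote over alphabetic tokens of four or more letters, not an exact match."""
    counts = Counter()
    for r in detections(rows):
        for tok in re.findall(r"[A-Za-z]{4,}", r["result"]):
            t = tok.lower()
            if t not in GENERIC_TOKENS:
                counts[t] += 1
    return counts.most_common(1)[0] if counts else ("", 0)


if __name__ == "__main__":
    print("sha256 to search for on VirusTotal:", file_hashes(SAMPLE_BYTES)["sha256"])
    rows = parse_report(VT_REPORT)
    hit, total = detection_ratio(rows)
    fam, n = consensus_family(rows)
    print(f"{hit}/{total} engines flag the file; {n} of them name '{fam}'")
    for r in rows:
        if r["result"].lower() == "no virus found":
            print("missed by:", r["engine"])
```

On Tino's report this gives 20 of 24 engines detecting and "qoologic" as the majority family name, which is the figure worth posting back alongside the raw table; the four engines that miss it (including Tino's own Avast) are exactly why a single resident scanner is not a verdict.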
 