Quick help: sfx.exe- Virus ?

[mohanty1942]

OS- Win 2000 with SP4 installed in C: drive

Each time I connect to internet through dial up, the file named sfx.exe get downloaded silently to c:\ (root) within few minutes .(I notice - although I don't open any page after connection the My connection icon at the right bottom corner shows indication of data transfer)

Norton Antivirus 2003 with updated defs doesn't detect this file (sfx.exe)as virus. Once the file is seen in C: drive then it can be seen running in the Ctrl +Alt +Del list (taskmanager). I can't terminate this application. The only thing I do is reboot to DOS using 98 bootable & delete the file. But the next time I connect to net I again get that file recreated at c:\.

Now I have both adaware & spybot S&D installed with update & killed several entries all those were detected . But the above said problem continues .
Please help to solve. I get no error message. But background data transfer reduces my internet speed & I get too late response even after double clicking "My Computer ".

[QwertyManiac]

Try this > http://www.f-secure.com/v-descs/roro.shtml

[mohanty1942]

Now my system doesn't have any of the trace described at > http://www.f-secure.com/v-descs/roro.shtml.

But still sfx.exe is getting recreated silently after connection is established.

[legolas]

wel, it has both possibilities of being and not being a virus. post your hijack this file preferably before and after getting connected to net... and i wud recommend u to use lspfix and see how many entries do u find in it... also check your msconfig startt-> run -> type msconfig -> startup. since i hav no clue, i suggest these details wud help with me and many otehrs to spot out

edit: also try replacing your system files using SFC. go here

/legolas

[anandk]

interseting problem.
do post ur hijackthis log here, pls.

[Ravi+ish]

yeah!!.... i would like to know more too!!!

[swatkat]

Download HijackThis and unzip it to dedicated folder (like C:\HijackThisFolder\hijackthis.exe). Run it and click the button Do a System scan and save log file. HijackThis will perform a scan and gives you a log. Post its complete contents here.

[con_tester]

Hmmmm...
I think I heard about this problem somewhere...

Its like a trozen...

[__Virus__]

When your system starts and sfx.exe connects, do ad-aware scan it will surely list all the process running information and it will also list the dlls that are running. Once the scan is completed make a log file and check all the dlls listed. Check version from properties and if you find anything suspicious delete it. I did the same and got the issue resolved. Be careful with dlls though.

[JGuru]

Delete the file manually. Install ZoneAlarm Pro in your
System. ZoneAlarm monitors your PC for in-coming
and outgoing net requests. If this file sfx.exe asks to
access certain location on the Web click on 'Deny' button
and check the CheckBox 'Remember my Answer'

Hope this solves your problem.

[mohanty1942]

Sorry for : I couldn't post the 'Hijack this' file in time. Because The Spybot S&D's teatime scanner detected (after establishing connection) a registry entry which had some relation to c:\sfx.exe. I deleted the registry entry. On next boot after connection Spybot's teatime again detected the same entry. Instead of analysing the problem I installed Norton Internet Security 2005 & couldn't face the situation again.

[__Virus__]

Good for u that the problem is over now.