Author Topic: BV:Sl-2 trojan??  (Read 5153 times)

cyberdelicat

  • Guest
BV:Sl-2 trojan??
« on: March 27, 2004, 09:11:25 PM »
Today Avast! detected: BV:Sl-2 in C:\Documents and Settings\...\Temporary Internet Files\Content.IE5\...\trojanremoval[1].html. Panda's online scan found nothing except the 'Kuang2 virus', which I see is a false alarm.
I also ran DiamondCS-Trojan Defence Suite v3.2.0 which found nothing, but said that my Autostart Registry was changed TODAY (though I haven't installed anything-just ran Panda online). So I'm not sure if I have a registry problem and still don't know what BV:SI-2 is....
Please let me know if BV:SI-2 is a false alarm, and what may have changed my autostart registry (Panda??) so I can fix it!
Thanks- cyberdelicat  ???

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:BV:Sl-2 trojan??
« Reply #1 on: March 27, 2004, 11:42:33 PM »
Panda may have. (WARNING! Now that you have run Panda ActiveScan, avast WILL give a false alarm! It will see Panda's unencrypted definitions as a virus.)

Have you run Spybot Search and Destroy? It has quite an extensive trojan database and can clean most trojans for you.
"People who are really serious about software should make their own hardware." - Alan Kay

cyberdelicat

  • Guest
Re:BV:Sl-2 trojan??
« Reply #2 on: March 28, 2004, 12:10:25 AM »
Quote
Panda may have. (WARNING! Now that you have run Panda ActiveScan, avast WILL give a false alarm! It will see Panda's unencrypted definitions as a virus.)
Have you run Spybot Search and Destroy? It has quite an extensive trojan database and can clean most trojans for you.

Thanks MacLover2000: I haven't yet run Spybot SD today but will to see what pops-up. But I'm a bit confused about Spybot's newest release: I thought the new version had a new user interface but I got v1.2 this week and it still has the same old interface!
Can you provide a download link? I used one from DSLreports....
Thanx again for your suggestion!  ;)
cyberdelicat...

whocares

  • Guest
Re:BV:Sl-2 trojan??
« Reply #3 on: March 28, 2004, 12:11:25 AM »
Hi,

scan the file with Onlinescanners KAV (see below) & from www.ravantivirus.com (Pause Avast Shield first)

if neither finds anything in it, please send the file to
avast (at) asw (dot) cz
with a link to this posting

otherwise just delete it..


whocares

  • Guest
Re:BV:Sl-2 trojan??
« Reply #4 on: March 28, 2004, 12:24:45 AM »
P.S.:
Here's some info & removal instructions:
VGREP

try the links to Trendmicro and McAfee first

 ;)

mmh, sounds like a backdoor, please post a logfile of HIJACKTHIS here:
www.lurkhere.com -> nicefiles
« Last Edit: March 28, 2004, 12:29:06 AM by whocares »

cyberdelicat

  • Guest
Re:BV:Sl-2 trojan??
« Reply #5 on: March 28, 2004, 08:54:19 PM »
Thanx...
I posted my HJT log on lurkhere, and cross-posted it on this forum. Really appreciated the research... I can't believe this isn't being detected more often by common vendors (symantec etc...)!!  ::)
-cyberdelicat

Posted by: whocares March 27, 2004, 10:24:45 PM
Quote
mmh, sounds like a backdoor, please post a logfile of HIJACKTHIS here: www.lurkhere.com -> nicefiles

Logfile of HijackThis v1.97.7
Scan saved at 1:27:59 PM, on 3/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\rundll32.exe
C:\computer-stuff\programs\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\COMPUT~1\SPYBOT~2\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: VTAgentReboot.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
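
An added example, not part of any post in this thread and not HijackThis's own code: one way to pull the autostart (O4) entries and the "(file missing)" entries out of a log like the one above when trying to work out what changed the autostart registry. The function names are illustrative, the embedded sample is an excerpt of the posted log, and the absolute-path check is an assumed triage heuristic that only shows which entries rely on the search path.

```python
import re

# Excerpt of the HijackThis log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\System32\rundll32.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\COMPUT~1\SPYBOT~2\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: VTAgentReboot.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")           # e.g. "O4 - <body>"
O4 = re.compile(r"^(.+?): (?:\[([^\]]+)\] )?(.+)$")  # location, optional [value name], command
ABS_PATH = re.compile(r'^"?[A-Za-z]:\\')             # command starts with a drive path

def entries(log):
    """Yield (section, body) for each result line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def autostarts(log):
    """Return the O4 (autostart) entries, noting whether the program is given by full path."""
    out = []
    for section, body in entries(log):
        if section != "O4":
            continue
        location, name, command = O4.match(body).groups()
        out.append({"location": location, "name": name, "command": command,
                    "absolute_path": bool(ABS_PATH.match(command))})
    return out

def missing_files(log):
    """Return (section, body) for entries HijackThis marked '(file missing)'."""
    return [(s, b) for s, b in entries(log) if b.endswith("(file missing)")]

if __name__ == "__main__":
    for e in autostarts(SAMPLE_LOG):
        note = "" if e["absolute_path"] else "  <- no full path: check which file this resolves to"
        print(f'{e["location"]:<16} {e["name"] or "-":<12} {e["command"]}{note}')
    for s, b in missing_files(SAMPLE_LOG):
        print("missing:", s, b)
```

Saving the autostart list from two logs taken at different times and comparing them shows exactly which entry was added or removed.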