TechSpot

Trojan terrible like I have never seen

By mike240se
Jan 8, 2008
  1. Ok, I have been removing trojans and viruses for years; I consider myself pretty good at it. I use a variety of tools, mostly under a PE environment, but I have come across the first one today that I can't fix. Either it's the slickest virus ever or I am being profoundly dumb and missing something staring me in the face.

    Nothing in HijackThis that doesn't make sense; full Spybot under WinPE and full AVG under PE and in Windows.

    It just keeps giving me popups: porn, Indian radios, etc.

    The only thing that might be a clue is that it renamed a bunch of files, adding a space between the filename and the dot, on a lot of regular system files, like:

    smaxpnp4 .exe <- notice the space in all of these
    msmsgs .exe
    sisraid .exe

    etc., etc. Now sisraid is not very common; I doubt the virus would target that. But I found every file with a space in the name and deleted it; strangely, none of them were important.

    I do have avgcc.exe and avgw.exe, but I believe that is from the new AVG Network Edition I just installed.

    Anyway, this is driving me nuts. Let me know what you would like to see; there isn't much in the HijackThis log, but if you want me to attach it, np.


    EDIT: two things. 1) I am attaching the HijackThis log since of course you're going to want it :)
    and 2) the popups only load in IE, even though Firefox is the default web browser as of now. Also, this system is XP SP1.
     
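The renaming pattern in the post above (a space inserted before the extension dot, e.g. "smaxpnp4 .exe") is easy to sweep for with a script. The following is an added example, not something from the thread or from HijackThis: it walks a directory tree, flags every filename with whitespace immediately before its extension, and notes whether a clean twin (the same name without the space) sits beside it, which is the case a responder would want to look at first. The directory names and sample files in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Stem ends in a non-space, then one or more spaces, then the extension:
# matches "smaxpnp4 .exe" and "msmsgs .exe" from the post, not "smaxpnp4.exe"
# and not an ordinary name with an interior space such as "my file.txt".
SPACED_EXT = re.compile(r"^(?P<stem>.*\S)(?P<gap>\s+)(?P<ext>\.[^.\s]+)$")


def check_name(path: Path) -> Optional[dict]:
    """Return a finding for a file whose name has whitespace right before
    the extension dot, or None if the name is clean."""
    m = SPACED_EXT.match(path.name)
    if not m:
        return None
    lookalike = path.with_name(m["stem"] + m["ext"])
    return {
        "path": str(path),
        "expected": lookalike.name,
        # A clean twin in the same directory suggests the spaced file was
        # dropped beside (or swapped with) the legitimate one.
        "twin_exists": lookalike.is_file(),
    }


def scan_tree(root: Path) -> list:
    """Walk root and collect every spaced-extension filename, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = check_name(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed sample tree mirroring the post's filenames
    (empty placeholder files, not real system binaries) and scan it."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "system32"
    sys32.mkdir()
    for name in ("smaxpnp4 .exe", "smaxpnp4.exe", "msmsgs .exe",
                 "sisraid .exe", "ctfmon.exe", "logon.scr"):
        (sys32 / name).write_bytes(b"")
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}  (expected {f['expected']}, twin={f['twin_exists']})")
```

Point `scan_tree` at a mounted offline system volume from the PE environment so that nothing on the suspect disk executes while you enumerate it.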
  2. mike240se

    mike240se TS Rookie Topic Starter

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:00:29 PM, on 1/8/2008
    Platform: Windows XP (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    C:\WINDOWS\system32\sistray.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\logon.scr
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\home\Desktop\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CED800DE-28E9-49A5-8AEA-DD4BF235780F}: NameServer = 192.168.1.1
    O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: 4D Server: Label Traxx (4DS Label Traxx.4DC) - Unknown owner - C:\TSI\Label 5 Server\Label Traxx Server.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtejexawua.html

    --
    End of file - 4123 bytes
     
  3. drpepper55

    drpepper55 TS Member Posts: 65

    Just a suggestion or two... 1) Have you tried removal through on-line a trojan.com? 2) Since you have XP, have you tried going back via System Restore to a point before your problem? Of course both of those are pretty elementary, but you did ask if it might be something staring you in the face that you might have overlooked... best to you...
     
  4. jointulo

    jointulo TS Rookie

    I have faced a lot of them, but it is hard using just one or two tools. Try using the steps on this thread thechspot.com/vb/topic58138.html and let us know how it went. I know you have some of them, but try them, especially ComboFix and antirootkit.
     