Trojan terrible like I have never seen

Status
Not open for further replies.
OK, I have been removing trojans and viruses for years; I consider myself pretty good at it. I use a variety of tools, mostly under a PE environment, but I have come across the first one today that I can't fix. Either it's the slickest virus ever or I am being profoundly dumb and missing something staring me in the face.

Nothing in HijackThis that doesn't make sense; full Spybot under WinPE and full AVG under PE and in Windows.

It just keeps giving me popups: porn, Indian radios, etc.

The only thing that might be a clue is that it renamed a bunch of files, adding a space between the filename and the dot, on a lot of regular system files, like

smaxpnp4 .exe <- notice the space in all of these
msmsgs .exe
sisraid .exe

etc., etc. Now sisraid is not very common; I doubt the virus would target that. But I found every file with a space in the name and deleted it; strangely, none of them were important.

I do have avgcc.exe
and avgw.exe
but I believe that is from the new AVG Network Edition I just installed.

Anyway, this is driving me nuts. Let me know what you would like to see; there isn't much in the HijackThis log, but if you want me to attach it, no problem.


EDIT: two things. 1) I am attaching the HijackThis log since of course you're gonna want it :)
and 2) the popups only load in IE, even though Firefox is the default web browser as of now. Also, this system is XP SP1.
 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:00:29 PM, on 1/8/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\logon.scr
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\home\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{CED800DE-28E9-49A5-8AEA-DD4BF235780F}: NameServer = 192.168.1.1
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: 4D Server: Label Traxx (4DS Label Traxx.4DC) - Unknown owner - C:\TSI\Label 5 Server\Label Traxx Server.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\rtejexawua.html

--
End of file - 4123 bytes
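Two checks that follow directly from the clues in this post, added here as an example and not code from the thread or from HijackThis: a filter for file names with whitespace inserted before the extension (the `smaxpnp4 .exe` rename trick), with a directory walker for use against a mounted drive from a PE environment, and a triage pass over HijackThis log lines that flags `(file missing)` targets, O24 desktop components and any path carrying the same space-before-extension pattern. The sample log is constructed from lines in the post plus two invented entries (a `msmsgs .exe` process line and a `[sisraid]` Run value) so that the checks have something to fire on; the heuristics are my own, not HijackThis's.

```python
"""Triage helpers for the two clues in the thread:
1. file names with whitespace between base name and extension ("msmsgs .exe");
2. HijackThis log entries that deserve a manual look.
Every hit is a lead for manual review, not a verdict.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# "smaxpnp4 .exe": a non-space char, then whitespace, then the final extension.
SPACE_BEFORE_EXT = re.compile(r"^.*\S\s+\.[^.\s]+$")

# One HijackThis entry: section code (R0, O4, O23, ...) then " - " and the body.
HJT_ENTRY = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")

# A line from the "Running processes:" block (starts with a drive letter).
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")

# The rename trick inside a registry value or path within an entry body.
SPACE_EXT_IN_BODY = re.compile(r"\S\s+\.(exe|dll|scr|com|bat|cmd|pif)\b", re.IGNORECASE)


def has_space_before_ext(name: str) -> bool:
    """True for 'msmsgs .exe'; False for 'msmsgs.exe' and 'My Document.docx'."""
    return bool(SPACE_BEFORE_EXT.match(name))


def find_space_before_ext(names: Iterable[str]) -> List[str]:
    """Keep only the names that use the space-before-extension trick."""
    return [n for n in names if has_space_before_ext(n)]


def scan_tree(root: Path) -> List[Path]:
    """Walk a directory tree (e.g. a system drive mounted from PE) and return
    every file whose name has whitespace before its extension."""
    return [p for p in root.rglob("*") if p.is_file() and has_space_before_ext(p.name)]


@dataclass
class Finding:
    kind: str    # HJT section code, or "PROC" for a running-process line
    line: str    # the original log line
    reason: str  # why it was flagged


def analyze_hjt_log(text: str) -> List[Finding]:
    """Flag HijackThis log lines worth checking by hand (my heuristics, not HJT's)."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_LINE.match(line):
            # Running process: only the file name matters for the rename check.
            if has_space_before_ext(line.rsplit("\\", 1)[-1]):
                findings.append(Finding("PROC", line, "running process with whitespace before its extension"))
            continue
        m = HJT_ENTRY.match(line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        if "(file missing)" in body:
            findings.append(Finding(kind, line, "target file missing: orphaned entry, confirm what installed it"))
        if kind == "O24":
            findings.append(Finding(kind, line, "desktop component loads a local HTML file: inspect the file"))
        if SPACE_EXT_IN_BODY.search(body):
            findings.append(Finding(kind, line, "path with whitespace before the extension"))
    return findings


# Constructed sample: lines from the thread's log plus two invented entries
# (the "msmsgs .exe" process and the "[sisraid]" Run value).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\msmsgs .exe

O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [sisraid] C:\\WINDOWS\\system32\\sisraid .exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O24 - Desktop Component 0: (no name) - C:\\Program Files\\MSN Gaming Zone\\rtejexawua.html
"""

if __name__ == "__main__":
    print(find_space_before_ext(["smaxpnp4 .exe", "msmsgs .exe", "sisraid .exe", "smss.exe"]))
    for f in analyze_hjt_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it against a real log by passing the file contents to `analyze_hjt_log`, and against a mounted drive with `scan_tree(Path("D:/"))` from the PE environment; treat the output as a worklist to verify against known software, since orphaned `(file missing)` entries are often just leftovers from uninstalled programs.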
 
Just a suggestion or two... 1) Have you tried removal through on-line a trojan.com? 2) Since you have XP, have you tried going back via System Restore to a point before your problem? Of course both of those are pretty elementary, but you did ask if it might be something staring you in the face that you might have overlooked... best to you...
 
I have faced a lot of them, but it is hard using just one or two tools. Try using the steps on this thread thechspot.com/vb/topic58138.html and let us know how it went. I know you have some of them, but try them, especially ComboFix and antirootkit.
 