
Trojan adding start menu entries?


TheGrandHooHa (Technical User), Feb 17, 2002:
I have a weird one here...at least, weird in that I have never seen it before:

A computer running Windows ME (I know, I know, but it's not mine...) has been infected with a virus that none of Norton AntiVirus, AVG, AdAware, or Spybot is able to detect.

Upon loading Windows, this trojan adds anywhere from 5-500 bogus entries to the StartUp folder in the Start Menu. The computer tries to execute these bogus entries, which means that one must click OK about 500 times. These entries appear to be named randomly; example names include "QU01C9NK.lnk" and "M7GK4FHL.lnk". The programs they point to are supposed to be in the Windows directory, but the actual executables are not there.

Also, there are a few strange processes running in the background as well. These are, again, randomly named, but include "53ystfe3c" and "ANXC6EZ0". I did find a registry entry for 53ystfe3c and deleted it, but the problem with the StartUp items still remains.

I originally suspected the Dr.Peper trojan, but the removal instructions I tried did not work as this does not have the same registry entries as Dr.Peper. I don't believe it is one of the new worms because Norton did not get it, nor did AVG or any spyware detector. I will try to get a HiJackThis log later tonight, but if anyone has heard of this let me know, thanks!
 
Where was the reg entry for 53ystfe3c?
Have you checked the common run keys?
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the other run keys below it)
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

These will appear in the Hijack This log.

 
Unfortunately random names are a trick of the trade nowadays. Here's a thread that shows you some of the applications that create them.


Seeing the program in context with other programs in a HijackThis log would be a first step. If that doesn't get you enough info to get complete removal:

carrr has recommended Kephyr's Bazooka as a more detailed process lister,
Merijn recommends process viewer, and
shrubble has a thread with comments about the "rip it out by the roots" approach.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Since AdAware and SpyBot are not panning out for you (I'm assuming you've applied the latest updates to both), I'd give it a go with Bazooka and SpySweeper.

Get them here:

Bazooka

SpySweeper

That failing, download Hijack This, scan your pc, and post the log back here for us to take a look at.
Hijack This!:

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Here is a Win 98 log that shows you what xemus is talking about.


Down in the startup area you see the kind of thing that you are talking about, but look up above in the O4 run lines and you'll see two more lines with one of the misc file names.

This particular log also shows a number of other spyware issues and an out-of-date Explorer; these could also be issues that you will have to face.

Also, in regard to AV scanning, I commonly see it recommended that folks run an online scan as a cross-check on their own scanner. I know you cross-checked Norton with AVG, but an online scan might be appropriate too. Smah has posted a FAQ with links to several.

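The first reply's advice to check the Run keys and the later remark about the O4 run lines of a HijackThis log both come down to the same triage step: list every autostart entry, then look for names that are machine-generated and for targets that are not actually on disk, which is exactly the pattern the original poster describes. The script below is an added example written for this thread, not code from the thread or from HijackThis. It assumes the two O4 line shapes HijackThis prints (Run-key entries as `O4 - HKLM\..\Run: [name] command`, Startup-folder shortcuts as `O4 - Startup: name.lnk = target`); the sample log is constructed, reusing the odd names quoted in the thread with assumed paths under C:\WINDOWS; and the "random-looking name" test is a deliberately crude heuristic of my own, not a detection rule from any product.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for the thread above, not a tool from the thread. It parses
the two O4 line shapes HijackThis prints (Run-key entries and Startup-folder
shortcuts), then flags entries whose name looks machine-generated and
entries whose target executable is missing from disk.
"""
import os
import re

# Constructed sample log, modelled on the HijackThis O4 format. The odd names
# are the ones quoted in the thread; the paths are assumptions.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [53ystfe3c] C:\WINDOWS\53ystfe3c.exe
O4 - HKCU\..\Run: [ANXC6EZ0] C:\WINDOWS\ANXC6EZ0.exe
O4 - Startup: QU01C9NK.lnk = C:\WINDOWS\QU01C9NK.exe
O4 - Startup: M7GK4FHL.lnk = C:\WINDOWS\M7GK4FHL.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Run-key entry: "O4 - HKLM\..\Run: [name] command" (also RunOnce, RunServices, ...)
RUN_KEY_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup-folder shortcut: "O4 - Startup: name.lnk = target"
STARTUP_RE = re.compile(
    r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First executable path in a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|com|bat|scr|pif))"?(?:\s|$)', re.IGNORECASE)


def parse_o4(log_text):
    """Return one dict per O4 line: source, name, command, first executable path."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_KEY_RE.match(line.strip())
        if m:
            source = f"{m['hive']}\\..\\{m['key']}"
        else:
            m = STARTUP_RE.match(line.strip())
            if not m:
                continue
            source = m['where']
        exe = EXE_RE.match(m['cmd'])
        entries.append({
            "source": source,
            "name": m['name'],
            "command": m['cmd'],
            "exe": exe['exe'] if exe else None,
        })
    return entries


def looks_random(name):
    """Crude heuristic (an assumption, tune before relying on it): the name stem
    is 6+ characters mixing letters and digits, with at least two digits.
    Legitimate autostart names are usually words ("ScanRegistry"); the names
    in the thread ("QU01C9NK", "53ystfe3c") are not."""
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name)   # drop .lnk / .exe
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 6 and digits >= 2 and letters >= 2


def triage(log_text, path_exists=os.path.exists):
    """Attach a list of flags to each O4 entry. path_exists is injectable so the
    check runs against a log copied from another machine (or offline in tests)."""
    findings = []
    for entry in parse_o4(log_text):
        flags = []
        if looks_random(entry["name"]):
            flags.append("random-looking name")
        if entry["exe"] is not None and not path_exists(entry["exe"]):
            flags.append("target missing on disk")
        findings.append({**entry, "flags": flags})
    return findings


def suspicious(log_text, path_exists=os.path.exists):
    """Names of the entries that raised at least one flag, in log order."""
    return [f["name"] for f in triage(log_text, path_exists) if f["flags"]]


if __name__ == "__main__":
    # Pretend only the legitimate targets exist, as on the poster's machine.
    present = {r"C:\WINDOWS\scanregw.exe",
               r"C:\Program Files\Microsoft Office\Office\OSA9.EXE"}
    for f in triage(SAMPLE_LOG, path_exists=lambda p: p in present):
        print(f"{f['source']:<16} {f['name']:<22} {', '.join(f['flags']) or 'ok'}")
```

Run it against a real log by reading the file into `triage()` on the infected machine, where the default `os.path.exists` does the disk check; on the sample, the two Run-key entries and the two Startup shortcuts with random names are flagged on both counts, while ScanRegistry and the Office shortcut come out clean. The name heuristic alone is not evidence; the missing-target check is the stronger signal, because the poster's shortcuts point at executables that were never there.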
 