Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Need help removing Trojan.EliteBar on Vista



Post #16 by Randall_Price (Junior Member, Blacksburg, VA), 23-Jun-2008, 12:38 PM
Hello Cheeseball,


The virus warnings just popped up again. Same as before.

What is the next step?

Thanks,

Randall Price

Post #17 by Cheeseball81 (Moderator, New York), 26-Jun-2008, 05:42 PM
Make sure to empty the Quarantine
The other is still found in Hosts?

Post #18 by Randall_Price (Junior Member, Blacksburg, VA), 27-Jun-2008, 03:53 PM
Hello Cheeseball,

I have been deleting the files in the quarantine folder. In fact, I have a batch file on my desktop that does

DEL C:\ProgramData\Symantec\SRTSP\Quarantine\*.* /F
PAUSE

Usually as soon as I run this batch file and all the files are deleted, Symantec detects them again and pops up the warning. I can repeat this behavior at will.

I went into Symantec and set the notification to automatically terminate the process, and when it detects the infection it instantly terminates IE.

Does this indicate an infection within IE or maybe I have some IE setting wrong?

As far as the Hosts file goes, it is still the one restored from the Windows default and is still marked as read-only. Here are the contents:

<-- START OF FILE -->
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
<-- END OF FILE -->


I await your guidance!

Thanks,

Randall Price
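The moderator's question about Hosts is the reason for the following check. A hosts entry silently overrides DNS for a name, so anything beyond the stock localhost mapping deserves a look. The Python below is an added example, not code from the thread: it parses the hosts-file format shown above (comments after "#", several names per line) and reports every active mapping other than localhost-to-loopback. Both embedded sample files are constructed for the example; the tampered one uses made-up ".example" names and a TEST-NET-1 address.

```python
"""Added example, not from the thread: audit a Windows HOSTS file and report
every active mapping other than the stock 'localhost' entry.
Both sample files below are constructed for this example."""
import ipaddress

# Constructed: the stock file, as posted in the thread, has one active line.
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
"""

# Constructed: a tampered file. The hostnames and the 192.0.2.10 (TEST-NET-1)
# address are made up for the example and point at nothing real.
TAMPERED_HOSTS = """127.0.0.1 localhost
127.0.0.1 updates.vendor.example   # update site blackholed to loopback
192.0.2.10 www.bank.example        # trusted name pinned to a foreign address
::1 localhost
"""

# The only name a stock file maps, and it maps it to loopback.
STOCK_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs for the active lines of a hosts file.
    '#' begins a comment anywhere on a line; a line may list several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing
        ip, names = fields[0], fields[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Return (hostname, ip, reason) for each mapping that is not the stock
    localhost-to-loopback line. A loopback target means the name is
    blackholed; any other target is a static override of DNS."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "address does not parse"))
            continue
        if addr.is_loopback and name in STOCK_LOOPBACK_NAMES:
            continue  # the one mapping a stock file carries (IPv4 or ::1)
        if addr.is_loopback:
            findings.append((name, ip, "blackholed to loopback"))
        else:
            findings.append((name, ip, "static override to non-loopback address"))
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label, audit_hosts(sample) or "no non-default mappings")
```

To run it against a live machine, read C:\Windows\System32\drivers\etc\hosts into `audit_hosts`; an empty result is what the file posted above should give.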

Post #19 by Randall_Price (Junior Member, Blacksburg, VA), 30-Jun-2008, 05:12 PM
Hello Cheeseball,

Just checking in to see what my next step is to try to rid my computer of these viruses. If I need to send you something else, just let me know.

Thanks,

Randall Price

Post #20 by Cheeseball81 (Moderator, New York), 30-Jun-2008, 06:23 PM
I've asked for the other Security Mods to step in in case we are missing something.
Is it the same file originally which was C:\Users\randallp\AppData\Local\Temp\DWH6ADA.tmp

Post #21 by JSntgRvr (Distinguished Member, Puerto Rico), 30-Jun-2008, 07:21 PM
Hi, Randall_Price

Let's take a deeper look:

Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both the main.txt and the extra.txt in your next reply.
If the files are too long, attach them to a reply:
  1. Scroll down and click the [Manage Attachments] button
  2. Browse to the following folder:
    • C:\Deckard\System Scanner
  3. Click Upload to upload these files one by one
  4. Submit your reply
__________________
Sometimes I think I understand everything,
then I regain consciousness.

If I have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here

Unanswered threads for 5 days will no longer be part of my subscriptions. For further help, please send me a Private Message. This applies only to the original thread starter. Everyone else please begin a New Thread.

Post #22 by Randall_Price (Junior Member, Blacksburg, VA), 01-Jul-2008, 03:49 PM
Hello JSntgRvr,

I downloaded dss.exe to my desktop and ran it. It prompted that it needed admin privileges to run so I allowed it to do that. It ran for several minutes then popped up Notepad with nothing in it and Notepad had an error message stating that it could not find the file. Nor did the minimized Notepad appear that you mentioned.

I searched for a C:\Decard\System Scanner folder but it was not there either. I searched for main.txt and errata.txt but they are not found either.

What next?

Thanks,

Randall Price

Post #23 by JSntgRvr (Distinguished Member, Puerto Rico), 01-Jul-2008, 06:46 PM
Right click dss.exe and select "Run as an Administrator".

Post #24 by Randall_Price (Junior Member, Blacksburg, VA), 02-Jul-2008, 02:10 PM
Hello JSntgRvr,

I logged in as an Administrator and right-clicked dss.exe and ran it. This time it popped up Notepad with the results, but it did NOT create a minimized Notepad containing Extra.txt -- I searched the entire drive and did not find it.

Also, does it matter that I logged in with a local admin account versus my normal Domain account when I ran dss.exe?

<----- START OF FILE ----->
Deckard's System Scanner v20071014.68
Run by Master on 2008-07-02 13:56:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------
System Drive C: has 2.18 GiB (less than 15%) free.

-- HijackThis (run as Master.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:34 PM, on 7/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Users\Master\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Master.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [vtwsus] C:\Program Files\VTWSUS\vtwsusmsg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1824200278-923733676-1501187911-14997\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'randallp')
O4 - HKUS\S-1-5-21-1824200278-923733676-1501187911-14997\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun (User 'randallp')
O4 - HKUS\S-1-5-21-1824200278-923733676-1501187911-14997\..\Run: [RecentX] (User 'randallp')
O4 - S-1-5-21-1824200278-923733676-1501187911-14997 Startup: RecentX.lnk = C:\Program Files\Conceptworld\RecentX\RecentX.exe (User 'randallp')
O4 - S-1-5-21-1824200278-923733676-1501187911-14997 User Startup: RecentX.lnk = C:\Program Files\Conceptworld\RecentX\RecentX.exe (User 'randallp')
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O17 - HKLM\Software\..\Telephony: DomainName = univsvcs.w2k.vt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{9199DA5D-BC9A-4555-8BD6-47233E9A266B}: NameServer = 198.82.161.236,198.82.145.6,198.82.162.237,198.82.247.98
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TSM Acceptor - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcad.exe
O23 - Service: TSM Scheduler - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
O23 - Service: VT WSUS Client (vtwsus) - Unknown owner - C:\Program Files\VTWSUS\vtwsus.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: YIIXAB - Sysinternals - www.sysinternals.com - C:\Users\randallp\AppData\Local\Temp\YIIXAB.exe
--
End of file - 9610 bytes
-- Files created between 2008-06-02 and 2008-07-02 -----------------------------
2008-07-01 11:59:57 0 d-------- C:\Decard
2008-06-26 14:08:03 0 d-------- C:\KB941422
2008-06-22 23:36:33 0 d-------- C:\Windows\Sun
2008-06-17 09:29:11 0 d-------- C:\Program Files\Trend Micro
2008-06-13 14:10:11 0 d-------- C:\Program Files\Hitachi Consulting
2008-06-09 09:50:49 0 d-------- C:\Program Files\Panda Security

-- Find3M Report ---------------------------------------------------------------
2008-07-02 13:56:34 0 d-------- C:\Users\Master\AppData\Roaming\.purple
2008-06-22 23:39:07 0 d-------- C:\Program Files\Java
2008-06-19 14:23:44 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-11 21:23:10 0 d-------- C:\Program Files\WinPcap
2008-06-11 21:23:10 0 d-------- C:\Program Files\VTWSUS
2008-06-11 21:23:10 0 d-------- C:\Program Files\Symantec AntiVirus
2008-06-11 21:23:10 0 d-------- C:\Program Files\Pidgin
2008-06-11 21:23:10 0 d-------- C:\Program Files\Microsoft Works
2008-06-11 21:23:10 0 d-------- C:\Program Files\Microsoft Virtual PC
2008-06-11 21:23:10 0 d-------- C:\Program Files\Microsoft Office Outlook Connector
2008-06-11 21:23:09 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-06-11 21:23:09 0 d-------- C:\Program Files\Common Files\SureThing Shared
2008-06-03 15:10:05 0 d-------- C:\Program Files\Common Files
2008-05-30 17:25:57 0 d-------- C:\Program Files\QuickTime
2008-05-30 17:25:52 0 d-------- C:\Program Files\Xilisoft
2008-05-21 09:26:33 0 d-------- C:\Program Files\Button Shop
2008-05-16 15:04:18 0 d-------- C:\Program Files\PSPad editor
2008-05-16 11:55:23 262144 --a------ C:\ntuser.dat
2008-05-16 11:41:21 0 d-------- C:\Users\Master\AppData\Roaming\VMware
2008-05-06 14:53:32 0 d-------- C:\Program Files\Conceptworld

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [08/28/2007 04:26 AM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/10/2006 01:14 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/09/2007 02:32 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/09/2007 02:32 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/09/2007 02:32 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [07/27/2004 04:50 PM]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [10/20/2006 05:23 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/22/2006 05:12 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [11/28/2006 06:34 AM]
"vtwsus"="C:\Program Files\VTWSUS\vtwsusmsg.exe" [09/20/2007 01:57 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pidgin"="C:\Program Files\Pidgin\pidgin.exe" [10/23/2007 08:14 PM]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe [4/11/2008 12:34:09 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
iissvcs w3svc was
*Newly Created Service* - ERASERUTILDRV10741
*Newly Created Service* - PROCMON13
*Newly Created Service* - RKREVEAL150
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

-- End of Deckard's System Scanner: finished at 2008-07-02 13:57:30 ------------
<----- END OF FILE ----->

I hope this helps in your analysis.

Just let me know what to do next.

Thanks very much!

Randall Price
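Reading a HijackThis log like the one above is mostly a matter of knowing which lines to look at first. The Python below is an added example, not code from the thread and not part of HijackThis: it parses the section prefix and body of each "O" line and applies three defender-side checks: entries ending in "(no file)" (orphaned references, like the O3 toolbar the helper asks to fix in the next post), executables under a Temp directory (a persistent service rarely belongs there; the O23 YIIXAB line in this log identifies itself as a Sysinternals tool, so the flag is a prompt to check, not a verdict), and O17 NameServer lists, to compare against the resolvers the network really uses. The sample lines are copied from the log posted above.

```python
"""Added example, not from the thread or from HijackThis: a triage pass
over HijackThis 'O' lines. Flags are review prompts, not verdicts."""
import re

# Sample lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9199DA5D-BC9A-4555-8BD6-47233E9A266B}: NameServer = 198.82.161.236,198.82.145.6,198.82.162.237,198.82.247.98
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: YIIXAB - Sysinternals - www.sysinternals.com - C:\Users\randallp\AppData\Local\Temp\YIIXAB.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
SECTION_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# A drive-letter path up to a binary extension; tolerates spaces in the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[0-9.,]+)")
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_line(line):
    """Split one HijackThis line into (section, body); None if it is not one."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(log_text):
    """Return (section, check, detail) for every line that trips a check.
    Checks: orphaned '(no file)' entries, executables living under a Temp
    directory, and O17 DNS server lists that should be verified."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if "(no file)" in body:
            findings.append((section, "orphaned entry", body))
            continue
        path_match = PATH_RE.search(body)
        if path_match and TEMP_DIR_RE.search(path_match.group(0)):
            findings.append((section, "executable under a Temp directory",
                             path_match.group(0)))
        ns = NAMESERVER_RE.search(body)
        if ns:
            findings.append((section, "verify DNS servers",
                             ns.group("ips").split(",")))
    return findings


if __name__ == "__main__":
    for section, check, detail in triage(SAMPLE_LOG):
        print(f"{section}: {check}: {detail}")
```

The checks are deliberately narrow; a real pass would also compare O23 publishers and paths against a known-good list for the machine's image, which the log alone cannot supply.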

Post #25 by JSntgRvr (Distinguished Member, Puerto Rico), 02-Jul-2008, 02:36 PM
Hi, Randall_Price

Quote:
Also, does it matter that I logged in with a local admin account versus my normal Domain account when I ran dss.exe?
No, as long as it is run as an Administrator.

Fix this line in HJT:

O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)

I see no sign of malware in that log. Are you still experiencing that detection?

Let's perform a scan:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Post #26 by Randall_Price (Junior Member, Blacksburg, VA), 07-Jul-2008, 09:14 AM
Hello JSntgRvr,

Yes, I am still getting the detection from Symantec for the following:

Adware.Istbar
Adware.CDT
Trojan.Elitebar

I fixed the line in HijackThis as you suggested. I have run Malwarebytes' Anti-Malware twice now and it detects nothing. Here is the log:

Malwarebytes' Anti-Malware 1.19
Database version: 918
Windows 6.0.6000
9:12:14 AM 7/7/2008
mbam-log-7-7-2008 (09-12-14).txt
Scan type: Quick Scan
Objects scanned: 39415
Time elapsed: 2 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


However, the virus is still being detected. In fact one just popped up while I am typing this.

Any more suggestions or do you need anything else from me?

Thanks,

Randall Price

Post #27 by JSntgRvr (Distinguished Member, Puerto Rico), 07-Jul-2008, 10:52 AM
Quote:
Yes, I am still getting the detection from Symantac for the following:

Adware.Istbar
Adware.CDT
Trojan.Elitebar
Does it show their location?

Chances are these entries are part of System Restore. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected.)

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK

Re-scan and let me know the outcome.

Post #28 by Randall_Price (Junior Member, Blacksburg, VA), 07-Jul-2008, 02:20 PM
Hello

I deleted system restore points from drive C: as you indicated and rebooted, then turned the restore points back on. I did NOT create a new restore point. I did not do this for drive D: because it is the DELL recovery volume. Should I repeat and include drive D: as well?

I re-ran Malwarebytes' Anti-Malware (quick scan) and it reported nothing found. Here is the log:

Malwarebytes' Anti-Malware 1.19
Database version: 929
Windows 6.0.6000
2:15:23 PM 7/7/2008
mbam-log-7-7-2008 (14-15-23).txt
Scan type: Quick Scan
Objects scanned: 39747
Time elapsed: 4 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Should I re-run with full scan?

Also, Symantec popped up during the scan and detected the same viruses.

Is maybe another scanner in order or what should be the next step?

Thanks,

Randall Price

Post #29 by Randall_Price (Junior Member, Blacksburg, VA), 07-Jul-2008, 05:40 PM
Hello JSntgRvr,

After I sent you the last response, and Symantec messages were on my screen, I closed them down. Symantec said it needed to reboot to rid the viruses. So I rebooted and have not had any Symantec virus detection warning yet. I am still a little skeptical that they are gone so I will keep monitoring and see what happens.

If they appear again I will let you know as soon as possible. Either way, I will reply back tomorrow morning (Tuesday, July 8) and let you know something.

So far, so good! (Keeping fingers crossed)...

Thanks,

Randall Price

Post #30 by JSntgRvr (Distinguished Member, Puerto Rico), 07-Jul-2008, 07:02 PM (thread closed)
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.