Need help removing Trojan.EliteBar on Vista

Randall_Price · 05-Jun-2008, 01:59 PM #1

Hello,

I keep getting Symantec Antivirus detections of the Trojan.EliteBar and cannot seem to get rid of it.

My system is:

OS: Vista Business Edition
RAM: 4GB
System: Dell OptiPlex 745
Antivirus: Symantec Antivirus 10.2.0.276, Scan Engine: 71.4.0.15

Here is the message from Symantec:

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: Trojan.Elitebar
File: C:\Users\randallp\AppData\Local\Temp\DWH6ADA.tmp
Location: Quarantine
Computer: RPRICE3
User: SYSTEM
Action taken: Quarantine succeeded
Date found: Thursday, June 05, 2008 1:51:39 PM

There are several other (similar) messages like this as well.

I would like some assistance in getting rid of this if possible.

Thanks,

Randall Price

**Cheeseball81** · 05-Jun-2008, 06:52 PM #2

Go to here and download 'Hijack This!' self installer.
Save it to the desktop or other suitable place. DO NOT just press run from the website
Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
Click on the entry in start menu to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.

Randall_Price · 06-Jun-2008, 02:11 PM #3

Hello Cheesball,

Here is the contents of the HijackThis log as you requested:

----- START OF LOG -----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:29 PM, on 6/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\VTWSUS\vtwsusmsg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Conceptworld\RecentX\RecentX.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8008
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [vtwsus] C:\Program Files\VTWSUS\vtwsusmsg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: RecentX.lnk = C:\Program Files\Conceptworld\RecentX\RecentX.exe
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...b-20070115.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O17 - HKLM\Software\..\Telephony: DomainName = univsvcs.w2k.vt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{9199DA5D-BC9A-4555-8BD6-47233E9A266B}: NameServer = 198.82.161.236,198.82.145.6,198.82.162.237,198.82.247.98
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TSM Acceptor - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcad.exe
O23 - Service: TSM Scheduler - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
O23 - Service: VT WSUS Client (vtwsus) - Unknown owner - C:\Program Files\VTWSUS\vtwsus.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9936 bytes
----- END OF LOG -----

I will wait for you analysis and recommendations before I do anything else.

Thanks,

Randall Price

**Cheeseball81** · 07-Jun-2008, 06:14 PM #4

* Click here to download ATF Cleaner by Atribune and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
- If you use Firefox:
  - Click Firefox at the top and choose: Select All
  - Click the Empty Selected button.
  - NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera:
  - Click Opera at the top and choose: Select All
  - Click the Empty Selected button.
  - NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run ActiveScan online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.

Randall_Price · 09-Jun-2008, 10:44 AM #5

Hello Cheesball,

Here is the results of the ActiveScan as you requested:

----- START OF ACTIVESCAN REPORT -----
;************************************************************************** *************************************************************************** ******************************
ANALYSIS: 2008-06-09 10:41:13
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;************************************************************************** *************************************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;========================================================================== =========================================================================== ==============================
Symantec AntiVirus 10.2.0.276 Yes Yes
;========================================================================== =========================================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;========================================================================== =========================================================================== ==============================
00046761 adware/xupiter Adware No 0 Yes No c:\users\randallp\favorites\free stuff
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ26A3.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ2B23.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ2F0C.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ3193.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ3616.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ40D.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ435D.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ475F.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ4FE4.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ53.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ5FE7.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ6324.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ6C75.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ6F66.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ70DD.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ7DDD.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ7E04.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQ7F7C.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQA662.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQABFF.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQAE2E.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQB24D.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQB546.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQCB56.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQCF68.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQE004.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQE47D.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQE854.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQE8C2.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQEAD.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQEBA8.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQEF9E.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQF1E3.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQF55D.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQF659.tmp
00047879 Adware/IST.ISTBar Adware No 1 Yes No C:\ProgramData\Symantec\SRTSP\Quarantine\APQF8C5.tmp
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@double click[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@fastcl ick[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@tribal fusion[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@ad.yie ldmanager[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@burstn et[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@servin g-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@bs.ser ving-sys[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@advert ising[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@realme dia[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\randallp\AppData\Roaming\Microsoft\Windows\Cookies\Low\randallp@qu estionmarket[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@questi onmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@zedo[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\Master\AppData\Roaming\Microsoft\Windows\Cookies\Low\master@adrevo lver[2].txt
;========================================================================== =========================================================================== ==============================
SUSPECTS
Sent Location ��@
3
;========================================================================== =========================================================================== ==============================
;========================================================================== =========================================================================== ==============================
VULNERABILITIES
Id Severity Description ��@
3
;========================================================================== =========================================================================== ==============================
;========================================================================== =========================================================================== ==============================
----- END OF ACTIVESCAN REPORT -----

I will await further instructions from you on what to do next.

Thanks,

Randall Price

**Cheeseball81** · 10-Jun-2008, 04:42 PM #6

Was ATF Cleaner run?

Delete this folder: c:\users\randallp\favorites\free stuff

Exit Internet Explorer 7, and then exit any instances of Windows Explorer
Click Start, click Run, type inetcpl.cpl, and then press ENTER
On the General tab, click Delete under Browsing History in the Internet Properties dialog box
In the Delete Browsing History dialog box, click Delete Cookies
In the Delete Cookies dialog box, click Yes.
(Also delete Temporary Internet Files)

Randall_Price · 11-Jun-2008, 09:43 AM #7

Hello Cheeseball,

Yes, I did run ATF Cleaner before I did the scan.

~9:30 AM...
I deleted the folder (c:\users\randallp\favorites\free stuff), the only file in it was a Shortcut to a web site that has free stuff. I did not examine the file to see the contents.

I exited IE, and Windows Explorer and ran the inetcpl.cp command and deleted the Temporary Internet Files, Browser Cookies, and Browser History as you suggested.

Is there anything else I need to do?

I will probably know within 1-2 hours if this works because it seems to be pretty consistent about popping up in Symantec around noon each day.

Thanks,

Randall Price

Randall_Price · 12-Jun-2008, 09:39 AM #8

Hello Cheeseball,

It has been about 24 hours since I followed your last instructions and I have NOT (knock on wood!) seen the Trojan popup in Symantec. Maybe this problem has been solved.

I will monitor this closely and let you know if it returns. So I will give it a day or so and if it does not show up I will return here and mark this problem solved and closed.

Thanks for all of your help with this. You Rock!

Randall Price

**Cheeseball81** · 12-Jun-2008, 06:06 PM #9

Hi Randall,
Glad to see things have improved.

Keep me posted, otherwise you can mark your thread "Solved" from the Thread Tools drop down menu.

Randall_Price · 17-Jun-2008, 09:42 AM **#10**

Hello Cheeseball,

I am still having problems with this virus. I had a boot problem on Friday afternoon that required reverting to a system restore point. That may have been a problem but I am not sure if it somehow may have restored the virus.

I ran ATF-Cleaner again but that did not fix the problem. So I am including another log from HijackThis for your examination. I noticed that at the start of the HijackThis scan, a message appeared stating that it could not get write access the the Hosts file. So I removed the read-only attribute and re-ran HijackThis. Here is the log.

----- Start of HijackThis log -----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:31 AM, on 6/17/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\VTWSUS\vtwsusmsg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Conceptworld\RecentX\RecentX.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis_2_0_0_2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8008
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [vtwsus] C:\Program Files\VTWSUS\vtwsusmsg.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: RecentX.lnk = C:\Program Files\Conceptworld\RecentX\RecentX.exe
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...b-20070115.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O17 - HKLM\Software\..\Telephony: DomainName = univsvcs.w2k.vt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{9199DA5D-BC9A-4555-8BD6-47233E9A266B}: NameServer = 198.82.161.236,198.82.145.6,198.82.162.237,198.82.247.98
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = univsvcs.w2k.vt.edu
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TSM Acceptor - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcad.exe
O23 - Service: TSM Scheduler - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
O23 - Service: VT WSUS Client (vtwsus) - Unknown owner - C:\Program Files\VTWSUS\vtwsus.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9340 bytes
----- End of HijackThis log -----

Thanks,

Randall Price

**Cheeseball81** · 18-Jun-2008, 06:14 PM **#11**

What location is it found in?

Randall_Price · 19-Jun-2008, 12:21 PM **#12**

Hello Cheeseball,

I am not sure what you are asking. What location is what in?

If it is the Hosts file you are asking about, it is located in the C:\WINDOWS\System32\drivers\etc\ folder and the file is just called Hosts (with no extension).

Also I noticed that my Symantec icon in the tray has a no sign (red circle with a slash) which indicates that the Auto-Protect is not enabled. When I right-click it and select "Enable Auto-Protect" the red circle goes away and then comes back in about 10 seconds. This looks odd...

What is the next step?

Thanks,

Randall Price

Randall_Price · 19-Jun-2008, 03:10 PM **#13**

Hello Cheeseball,

Here is some more info on the viruses I am seeing in Symantec:

Adware.Istbar
Adware.CDT
Trojan.Elitebar

I don't think I mentioned these before but I thought it might help you in your analysis of my problem.

Thanks,

Randall Price

**Cheeseball81** · 21-Jun-2008, 03:02 PM **#14**

Are they found in: C:\ProgramData\Symantec\SRTSP\Quarantine

Download the HostsXpert 4.2 - Hosts File Manager.

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Run Kaspersky online virus scan here: http://www.kaspersky.com/virusscanner

When given the option, choose the "Extended database" for the scan.
When it's finished, save the results from the scan and post them here.

Randall_Price · 23-Jun-2008, 09:30 AM **#15**

Hello Cheeseball,

Yes, the infected files were quarantined by Symantec and placed in the

C:\ProgramData\Symantec\SRTSP\Quarantine

folder. They were all random file names with a .TMP extension.

I downloaded and ran HostsXpert 4.2 - Hosts File Manager and it restored my hosts file back to the Windows default. It is 1 KB in size and only has one entry now for:

127.0.0.1 localhost

The one SpyBot created was 208 KB and had ~7500 entries, although the were all: 127.0.0.01 {some web URL}. It is also marked as read-only.

I then ran the Kaspersky online virus scan and it found nothing. I ran it a second time and again it found nothing. It scanned 130,628 files and ran for 46 minutes. When I clicked the "View scan report" link it came up with an empty list.

I did this last night around 11:00 PM and it is now 9:30 AM. I have not seen any new virus warning messages yet but, as I mentioned before, they usually begin appearing around noon or so. I will report back here as soon as I see it happen again.

Is there anything else I can be doing in the meantime?

Thanks,

Randall Price

Search
Search in:
Show Threads Show Posts
Advanced Search

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)