Unknown Trojan after changing AV - regenerates - XPsp2

Hi everyone,

Here's my story.

Backgrounder: Since AVG released AVG 8, I started to use Avast for my AV, as AVG 8 was very unstable and caused my system to crash to blue screen. Since I started using avast, Spybot doesn't pick up anything at all, so I've just been using CCleaner.

Symptoms: On Tuesday or Wednesday I noticed I was getting random pop-ups that appeared in IE windows. Mainly they would appear when my mouse was idle, and I wasn't typing. My system was also running incredibly slow with multiple applications on the go. I checked task manager and there was an odd process running. 1eevsTbt.exe Searched in google and there were no entries for it so I assumed it was a virus or something. A scan with Avast indicates that it was a trojan and if I remove it or vault it, it just regenerates it self.

What was I doing to cause this: Here are some things that may or may not have relevance to what caused the virus.

I use Firefox most of the time, but I got the bright idea several weeks back, to install the Stumbleupon plugin for IE. I'm using IE 6.0.29. I love the plug-in and use it on my Mac at work with out worry. Of course, who'd a though IE would have security issues. rolleyes

As mentioned earlier, I stopped using AVG since 8 came out, and I started using Avast. I have auto-updates off and system tray icon off but update every week and quick scan weekly.

I started using some database/tracking software that uses PostgreSQL 8.3 shortly after getting rid of AVG. (possible vulnerabilities?)

I started using MSN messenger after a long hiatus on the evening before.

Several weeks ago I noticed that I would boot and Hardware Wizard would appear, saying "new hardware found" I would check for drivers and it wouldn't find any. It's listed as "Other Device/unknown device" in my device manager. I try to uninstall what ever it is, but I just comes back every restart. No new hardware was installed, however, I may have unplugged my hard drive at one point. I don't believe the hardware wizard message started until long after I had unplugged and replugged-in my hard drive.

Aside from that, there are no new pieces of software that I've introduced to the system or no new sites I've been going on other than the stumbleupon oncs.

Steps taken: I've gone through the Malware removal guide on this site.

- Uninstalled all programs that are no longer used or unknown apps
- Ran CCleaner + registry cleaner
- My startup items had originally been set to very minimal
- I didn't notice any maleware in add/remove programs but I did remove stumbleupon
- Uninstalled all old SunJava versions and have yet to install the latest
- Changed MSconfig to Normal startup mode, which, when I restarted, XP brought up a red X error about DAEMON Tools, which didn't appear in Add/remove, but I had installed previously and must have uninstalled. I deleted the folder from Program Files. I no longer get the error.
- I ensured there were no quarantined files in Avast, (emptied chest)
- Emptied recycle bin
- There is only one user account in my XP

- Enabled viewing of hidden files

- Followed steps in XP cleaning procedure
- Ran all applications as specified and seemed to work properly.

Once I was done, I waited a bit to see of I still received the pop-ups, and sure enough, I did. I wasn't sure, if maybe I should have toggled restore right after I was done, because I wasn't sure if the issue was resolved.

I've attached the logs.

I attempted all of the steps on Thursday, and today (Saturday) I noticed that when I booted, that my resolution is now at 640x480 and I no longer have my usual resolution in my display options, which is something like 1610x1280 for widescreen.

I have, and am still using old school Omega Drivers (3.8.421) for an ATI 9600 AIW, which had just replaced an ASUS 9600xt (got it for nothing and added some 3dmarks) about two weeks ago. I'm just about to reinstall them.

My hardware setup is.

XP SP2
Asus board with Athlon XP 2500+
1G of pc3200 memory
1 80gb WD hard drive (OS + Applications)
1 200gb Segate hard drive (all other files)
ATI AIW 9600
DVD-rw which the CDrom doesn't read or write (dvd is fine)
Old cdrw
500w sparkle PSU

I'll post logs in a minute.

Thanks for reading.

 

Logs

 

MGlogs

 

Before I ran this, I launched Avast and the memory check found a virus running in the memory. It prompted to do a scan from boot, so I restarted, ran the scan from boot, it found the same virus running in the memory, I selected FIX, which was unsuccessful, so I selected, Delete. Which appeared successful.

I then toggled Restore to delete any restore points. I then rebooted and the virus showed up in the memory scan again. I checked Restore, and it was enabled again. Not sure if it has any relevance.

Everything (Delete Windows Messenger, HJT, ComboFix, Fixme.reg and Ccleaner) ran successful.

I ran Ccleaner Cleaner and registry, hope that's what I was supposed to do.

Once all was done, saw Avast shield hadn't started, so I launched it. It scanned memory and didn't seem to find anything in the memory. I checked the vault and the following are there. Not sure if I was supposed to delete these before trying the steps in this post. (I ensured it was empty for the SCAN / RUN as per the sticky)

This is what is in the virus vault.

1eevstbt.exe - system32
jEE0S1BT.dll - system32
jee0s1bt.dll - system32
Tv224G0W.exe - temp

My Avast doesn't appear in system tray now, but I'll reboot to see if that changes. It shows ON in avast settings. XP shows that I'm not protected against virus's and has been showing that since yesterday, I believe. Even if I update Avast and if the icon appears in the system tray, it still shows the little red shield in system tray as well.

Need anymore info let me know. Also let me know if and when I should toggle restore again and if it should stay disabled.

Thanks.

 

Seems to be running alright.

I think we may have deleted some components of Avast, because, XP says "avast reports that it is turned off.

I launch it and it seems to work properly.

I ran a quick scan and it came up clean, but it doesn't seem the resident shield is on, for some reason.

Not getting anymore popups, and seems to be performing normally.

Should I delete the virus vault stuff?
What should I do about Avast not appearing to be on?
Should I toggle restore?

 

It doesn't appear to be fixed. I ran Malwarebytes again and it found a trojan once more.

I got all my Windows updates after thinking I took care of this.

I'm going through the READ/RUN and XP cleaning guide again.

Is this what I should be doing?

 

Hi,

You told me to tell you how things were running. It seemed everything was running fine so I proceeded to "No, I’m not having any problems" in the XP Cleaning procedure.

Once I was done, I felt everything was fine, so I decided to run Malwarebytes, resulting in it finding the same virus.

The Avast issue is taken care of but it seems I'm back to where I started with the Trojan. Should I start the READ ME / RUN ME guide once more?

Any special steps I should take since I had done this already?

I'll ensure to do nothing other than what you advise.

Thanks again for the help.

I await your response.

 

Thanks for the quick reply.

Here's the logs.

 

That's great.

I've decided to use BOClean for real time protection and Malwarebytes for scans.

I'm still going to use Avast. I fixed the issue with it no appearing, by uninstalling and reinstalling.

I did all the windows updates other than SP3. Some of the non critical ones were drivers, like chipset and video card drivers. Now my monitor won't go to 1650x1050, but I think that's a different thread. I should be able to fix it myself.

Thanks again for the help.