Endpoint Protection


bar311.exe Trojan Horse

  • 1.  bar311.exe Trojan Horse

    Posted May 29, 2009 02:46 PM
    I know this might have been circulating for quite some time now, but one of our users has been getting alerts lately: 902 total in 2 months.
    The threats detected were Trojan Horses. All were either deleted or quarantined. And I'm expecting another barrage of alerts sometime soon.

    C:/Users/username/AppData/Local/Temp/DWH1198.tmp

    The number of the temp file varies. It's in hexadecimal format.

    The very first 2 alerts received from this PC were from removable storage: F:\bar311.exe

    It was quarantined when found and I didn't look into it until the next hundred alerts came.


  • 2.  RE: bar311.exe Trojan Horse

    Posted May 29, 2009 02:50 PM
    I think you need to do a full scan of your removable drive and check if you find any suspicious file in there. There might be an undetected downloader that is downloading trojans, and since these trojans are old ones they are getting detected.


  • 3.  RE: bar311.exe Trojan Horse

    Posted May 29, 2009 03:32 PM
    I already told the user to scan the removable drive, plus create the autorun.inf folder. Aside from this, I know that SAV or SEP scans a file before it is run, except for the system files, which I'm having doubts about. The succeeding alerts, however, are coming from the hard drive and not from removable storage.


  • 4.  RE: bar311.exe Trojan Horse

    Posted May 29, 2009 03:44 PM
    Yes, what I meant to say is there might be a downloader on the removable drive that is undetectable (submit it to Symantec) that is downloading trojans into the temp folder of your local user account.
    Also make sure no 3rd-party or unknown add-ins are loaded in Internet Explorer.


  • 5.  RE: bar311.exe Trojan Horse

    Posted May 29, 2009 03:53 PM
    Did you have autorun enabled on this machine when the drive was initially plugged in? Is this only happening on one of your machines? Also, by default SEP/SAV will scan all files before they are run, including system files. I am guessing you already submitted the files to Symantec, but if not, do so and download the Rapid Release. But you already know that, mon. :)

    Cheers
    Grant


  • 6.  RE: bar311.exe Trojan Horse

    Posted May 29, 2009 07:34 PM
    Thanks for the vote of confidence. But I think I just missed the opportunity to submit here.  :(

    The PC in question was a laptop of a user with admin rights and the local policy. The alert from the removable drive was 2 months ago. Then there were a few alerts on the local drive afterwards, almost daily for a month (52 so far), then no alerts for 2 weeks. Then the next 850 just happened in the last 2 weeks. I have no idea if he's using the USB drive or if it is still infected. The only alerts are from the .tmp files.


  • 7.  RE: bar311.exe Trojan Horse

    Posted May 30, 2009 09:58 AM
    Why not delete all the executables and other temp files in the temp folder?
    Then check if you are still getting the pop-ups.


  • 8.  RE: bar311.exe Trojan Horse

    Posted May 31, 2009 01:11 AM
    @Vikram: The tmp files are being successfully quarantined or deleted by Symantec. It just keeps coming back as soon as the user logs in or connects to the network and the logs are reported to the server.


  • 9.  RE: bar311.exe Trojan Horse

    Posted May 31, 2009 04:04 AM
    As a virus removal process, the first thing I do is empty the temp folders.
    There might be some files in your temp folders that are downloading other files, so clear out everything in the temp folders, and also try running Process Explorer to check if anything suspicious is running:
    %temp% and \windows\temp



  • 10.  RE: bar311.exe Trojan Horse

    Posted May 31, 2009 07:32 AM
    Hmmm...
    So I'll just look into the temp folders to see if SEP missed anything?

    I'll see what I can do. This is another user's laptop PC, and I rarely meet him.


  • 11.  RE: bar311.exe Trojan Horse

    Posted May 31, 2009 08:29 PM
    Hi teammates,

    I just browsed IE with the following links:

    http://answers.yahoo.com/question/index?qid=20080312182703AA9X7Rx

    http://hubpages.com/hub/How-to-remove-Bar311

    Steps:

    Restart your computer into safe mode, then delete the file from the following paths:
    C:\WINDOWS\bar311.exe
    <all drives>\bar311.exe
    or search for this file using Windows Search (also check "hidden files and folders" in the advanced options). Delete it wherever you find it.

    Remove it from the registry:
    HKEY_LOCAL_MACHINE
    \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    On the right side, double-click the "Userinit" value and remove that file only.
    Now restart your computer in normal mode and check.

    Also, you need antispyware protection.
    Download and install Ad-Aware 2007 and Spybot Search & Destroy!

    Update them and then scan your computer. Hope you will get your permanent solution.

    Hope this helps...

    thanks...





  • 12.  RE: bar311.exe Trojan Horse

    Posted May 31, 2009 08:37 PM
    When I first saw this virus it was kind of frustrating; I almost gave up hope. Then I finally figured out how to remove this bar311.exe with a smiley icon on it. This virus also includes pc-off.bat, where once you run an application, in just a few seconds it will turn off your application automatically. You can find both of them inside the Windows folder. To be able to find them you must be in safe mode (in safe mode some viruses like this won't work) and show all your hidden and super-hidden files first, then locate them in the Windows folder. After that you will see a smiley icon; its name is bar311.exe and it is faded (meaning it is a hidden file). Shift+Delete it, and browse down until you see pc-off.bat with a utility icon. Shift+Delete it again, then go to regedit, find bar311.exe there and remove it, so there will be no more bar311.exe registered in your system. And don't forget to delete any autorun.inf in your C:\ drive; you can also find them by showing all the hidden and super-hidden files. Once you're done, restart your PC. And no more bar311.exe on your PC...
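
    The two removal recipes above (posts 11 and 12) come down to the same pair of indicators: an extra executable appended to the Winlogon "Userinit" value, and an autorun.inf at a drive root that launches the dropper. The script below is an added triage example, not from this thread or from Symantec. The two parsing functions work on any exported Userinit string or autorun.inf text and generalize beyond bar311.exe (any non-default Userinit entry, any open=/shellexecute=/shell\*\command launch key); the live registry read and drive-letter walk at the bottom run only on Windows. The stock Userinit path (C:\Windows\system32\userinit.exe), the A:..Z: drive scan and the sample inputs are assumptions/constructed data.

```python
"""Triage the persistence indicators described in the thread:
1. a non-default entry appended to HKLM\\...\\Winlogon\\Userinit
2. an autorun.inf at a drive root whose launch keys run an executable
3. bar311.exe / pc-off.bat sitting at a drive root or in %SystemRoot%
The parsing functions run anywhere; the live scan at the bottom is Windows-only.
"""
import configparser
import os
import sys

# Legitimate Userinit entry on a default install (assumption: SystemRoot is C:\Windows).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed samples modelled on what posts 11 and 12 describe (not real captures).
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\WINDOWS\bar311.exe,"
SAMPLE_AUTORUN_INF = r"""[autorun]
open=bar311.exe
shell\open\Command=bar311.exe
shell\explore\Command=bar311.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def _normalize(path):
    """Lower-case, unquote and expand the two env vars Windows commonly uses here."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    return p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def extra_userinit_entries(value):
    """Return every comma-separated Userinit entry that is not the stock userinit.exe.

    A clean value is 'C:\\Windows\\system32\\userinit.exe,' (the trailing comma is
    normal); malware such as bar311 appends its own path after it so that Winlogon
    starts it at every logon.
    """
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and _normalize(e) != LEGIT_USERINIT]


def autorun_launch_targets(text):
    """Return the programs an autorun.inf would launch, de-duplicated in order.

    Launch keys: open=, shellexecute=, and shell\\<verb>\\command= (the latter also
    hijacks Explorer's context-menu verbs). icon=/label= are cosmetic and ignored.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text.lstrip("\ufeff \t\r\n"))
    except configparser.Error as exc:
        raise ValueError("unparseable autorun.inf: %s" % exc)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, val in cp.items(section):
            k = key.lower()  # configparser already lower-cases keys; be explicit
            is_launch = k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))
            if is_launch and val and val.strip() not in targets:
                targets.append(val.strip())
    return targets


def triage_directory(path):
    """Check one drive root (or %SystemRoot%) for the artifacts named in the thread."""
    findings = []
    inf = os.path.join(path, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8-sig", errors="replace") as fh:
            for target in autorun_launch_targets(fh.read()):
                findings.append("%s launches %s" % (inf, target))
    elif os.path.isdir(inf):
        # A folder named autorun.inf is the blocking trick from post 3, not an infection.
        findings.append("%s is a folder (autorun-blocking trick)" % inf)
    for name in ("bar311.exe", "pc-off.bat"):
        candidate = os.path.join(path, name)
        if os.path.isfile(candidate):
            findings.append("%s present" % candidate)
    return findings


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Live scan needs Windows; the parsing functions work anywhere.")
    import string
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    for extra in extra_userinit_entries(userinit):
        print("Userinit has a non-default entry:", extra)
    roots = [d + ":\\" for d in string.ascii_uppercase if os.path.exists(d + ":\\")]
    roots.append(os.environ.get("SystemRoot", r"C:\Windows"))
    for root in roots:
        for finding in triage_directory(root):
            print(finding)
```

Run it as an administrator so the HKLM read and the root-folder listing succeed; the Userinit value must be edited back to the stock entry rather than deleted, since an empty Userinit leaves Winlogon unable to start a desktop session.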


  • 13.  RE: bar311.exe Trojan Horse

    Posted Jun 01, 2009 03:16 AM
    Hi all,

    I have talked with the user. He hasn't used any infected USB devices in the past month, although he's guilty of using software to bypass proxies, and he also has another application that could be making all the .tmp files.

    I'll keep you guys posted on this.