Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can not remove White Trader from my system


  • Please log in to reply
11 replies to this topic

#1 mark100

mark100

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 10 June 2013 - 10:35 AM

Greetings.  Thanks in advance for your assistance - it is very much appreciated.

 

A few days ago, I noticed that when I boot up my PC (Dell PC, Windows Vista Home Edition, Version 6 (Build 6002, Service Pack 2)), an icon would appear on the taskbar with a message stating "White Trader.  You didn't use White Trader Program for a long time".  The icon doesn't appear immediately, it appears to show up a minute or so after other items have loaded (ZoneAlarm, PC Tools Spyware Doctor).  The icon looks like the Windows security icon but with differnt colors.   If I don't click on the icon, then it eventually goes away but then an icon appears on my desktop that is an Internet Explorer icon with the properties URL = http://www.whitetrader.com.   The first time I received this icon on the taskbar, I thought it was a Windows message and clicked on the icon.  When you do that, it brings up a browser and takes you to whitetrader.com.   If you delete the desktop icon, then the next time you boot, it reappears (after the taskbar icon shows up).

 

So far I haven't had any issues with using my PC.   It appears to be functioning properly but I can't get rid of this White Trader thing.

 

So far, I have ran the following utilities:

 

PC Tools Spyware Doctor - Version 8.9.9.623  (Note is is my "active" anti-virus SW) - Ran quick scan & deep scan.  Reported clean.

 

Malwarebytes - Version 1.75.0.130 (This is passive and I run manually) - Ran quick scan and deep scan.  Reported clean

 

Malwarebytes Rootkit Utility - Version 1.06.0.1003 (Updating DB today) -  Ran both at reg boot and in Safe mode.  Reported clean

 

TDSSKiller - Version 2.8.17.0 -  Ran both at reg boot and in Safe mode.   I also checked "Loaded Modules", "Verify file digital signatures", "Detect  TDLFS file system" options.  Reported clean

 

CCleaner - Version  v4.02.4115

 

 

I'm not sure what additional information you need.   Again, appreciate any help you can provide.

 

 

 



BC AdBot (Login to Remove)

 


#2 abyte

abyte

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:44 AM

Posted 10 June 2013 - 11:05 AM

I have the same problem and when I saw it a couple of days ago and did a search on the web for it, there was nothing there.

Today I found this post. 

I have ran Webroot, Malwarebytes, TDSS Killer, Symantec Power Eraser with Boot check.  All are clean.

Things that make you go HMMMMM.

I will be following this post.

Thanks for all you do - Bleeping Computer People.



#3 bndn

bndn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 10 June 2013 - 01:27 PM

I had a user getting this same deal as described last week. After about 40-60 seconds, a balloon tip occurs and a shortcut is created on the desktop.
 
Combofix, MBAM and the like all failed to pick it up. Turning everything off in start-up and non-MS services had no change.
 
HitmanPro found it however, identified the file as "wow.dll" in the users temp file directory, further identified as some Trojan.Generic variant. Gone after reboot, no changes in configuration.

Edited by bndn, 10 June 2013 - 01:28 PM.


#4 mark100

mark100
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 10 June 2013 - 07:16 PM

I'm not familar with Hitman Pro.    Is it free SW?  

 

Thanks,

Mark100



#5 bndn

bndn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 10 June 2013 - 08:37 PM

For none domain/business use, yes: http://www.surfright.nl/en/downloads/



#6 mark100

mark100
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 11 June 2013 - 08:23 AM

Just tried Hitman Pro.   Although it found other items that I removed (nothing major), everything else came back clean.   White Trader still showing up.....



#7 bndn

bndn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 11 June 2013 - 08:31 AM

I ran Hitman from a different user profile (an administrator), not the infected one, you might try creating another admin profile in case the file gets locked in someway under the infected profile. Turn off all start-up items, and non-MS services for good measure.



#8 deceptivedrip

deceptivedrip

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:44 AM

Posted 11 June 2013 - 11:47 AM

I am currently removing this from a machine right now. So far I've figured out that it's not malware and it's a corrupted IE add on. Tearing into. I'll let you know how to remove it after I'm finished, without any 3rd party programs. 



#9 mark100

mark100
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 11 June 2013 - 12:44 PM

Great, thank you.   I did try running Hitman Pro from a new admin account as suggested but got same results .



#10 mrjonesluckiest

mrjonesluckiest

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:44 AM

Posted 13 June 2013 - 11:16 AM

Hey mark,

 

Not sure where you're at with this (though I did see that you have posted in the "need more help" thread), but I am working on a computer with a similar situation. I get the White Trader notification, and there is an IE shortcut on the desktop called "White Trader" as well.

 

I couldn't find anything using RogueKiller or TDSS Killer, but I did find several Trojans, etc. using Hitman Pro, including "wow.dll" and items in the Recycle Bin. I'm not sure how much of it is coincidental, but in any case I ended up using Combo Fix, and haven't seen the White Trader notification since. It didn't remove the shortcut from the desktop, though. 

 

As others will probably say around the community, Combo Fix can be very aggressive when it comes to viruses in your system files, so use it at your discretion and only if you think you can understand what it is doing.

 

On a side note, the computer I'm working on needs a good Windows Update, though I doubt that that is really related to solving the virus, even if it is potentially a part of what allowed the virus in.



#11 OzonedMan

OzonedMan

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 13 June 2013 - 12:47 PM

Just cleaned this out yesterday - tough little bugger. The loader for wow.exe was in a folder in the appdata/local/Temp, but the folder was locked and would not delete. Changed the security permissions (added Everyone with full control) and finally deleted it - problem gone.



#12 mark100

mark100
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:03:44 AM

Posted 17 June 2013 - 07:18 AM

@mrjonesluckiest:   Thanks for the post but I'm not comfortable trying Combo Fix without some expert assistance.  

 

 

@OzonedMan:  I looked through the entire appdata/local directory (including Temp) for wow.exe but could not find any occurance of it to remove.

 

 

Is there an expert in this forum that can help me with this?






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users