low threat trojan virus detected by symantec in temp folder


  • This topic is locked
2 replies to this topic

#1 brookstonfowler


  • Members
  • 12 posts

Posted 22 October 2009 - 02:16 PM

It appears as though every time I wake my Vista HP Pavilion laptop from sleep, my Symantec antivirus gives me an alert about low-threat trojan viruses in my temp folder.

The files change in name each time, it seems, but they follow a pattern of DWHxxxx.tmp where x = digits or letters. This post shows some examples of the DWH temp files: http://www.bleepingcomputer.com/forums/ind...t&p=1455022

I've used Symantec, AVG Free, Spybot Search and Destroy, and Malwarebytes to try and remove the root cause, to no avail.

While I'm not seriously concerned about the integrity of my computer, I'm more just thoroughly annoyed at having to delete viruses from my computer every time I use it. I have to admit that I have already used ComboFix...

Thanks for the help.

Here are the log files:

DDS:

DDS (Ver_09-10-13.01) - NTFSx86
Run by ____ at 14:54:11.02 on Thu 10/22/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1212 [GMT -4:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\taskeng.exe
C:\Windows\keyacc32.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\kass.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Nick\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [KeyAccess] kass.exe
StartupFolder: c:\users\nick\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
uPolicies-explorer: NoAddPrinter = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
AppInit_DLLs: c:\windows\katrack.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\nick\appdata\roaming\mozilla\firefox\profiles\eeetzaqv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chem3d\npChem3DPlugin.dll
FF - plugin: c:\program files\cambridgesoft\chemoffice2008\chemdraw\NPCDP32.DLL
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\nick\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\nick\appdata\roaming\mozilla\firefox\profiles\eeetzaqv.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071302000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2007-12-14 1024704]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-8-5 121744]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 gbridge;Gbridge Virtual Miniport;c:\windows\system32\drivers\gbridge.sys [2009-5-10 41216]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S3 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-21 24652]

=============== Created Last 30 ================

2009-10-22 12:22 236,544 a------- c:\windows\PEV.exe
2009-10-22 12:22 161,792 a------- c:\windows\SWREG.exe
2009-10-22 12:22 98,816 a------- c:\windows\sed.exe
2009-10-21 12:42 --d----- c:\users\nick\appdata\roaming\Malwarebytes
2009-10-21 12:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 12:42 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-21 12:42 --d----- c:\programdata\Malwarebytes
2009-10-21 12:42 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 12:42 --d----- c:\progra~2\Malwarebytes
2009-10-21 00:08 --d----- C:\$AVG
2009-10-21 00:07 --d----- c:\program files\AVG
2009-10-21 00:07 --d----- c:\programdata\avg9
2009-10-21 00:07 --d----- c:\progra~2\avg9
2009-10-19 15:01 --d----- c:\programdata\Spybot - Search & Destroy
2009-10-19 15:01 --d----- c:\progra~2\Spybot - Search & Destroy
2009-10-19 14:15 --d-h--- c:\windows\PIF
2009-10-19 13:15 --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-10-19 13:15 --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-10-19 13:15 --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-19 13:15 --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-18 15:17 --d----- c:\users\nick\appdata\roaming\Thinstall
2009-10-18 15:06 388 a------- c:\users\nick\appdata\roaming\hexplorer.dat
2009-10-18 15:06 4 a------- c:\users\nick\appdata\roaming\mclip.dat
2009-10-16 23:26 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-16 03:13 --d----- c:\programdata\AIM
2009-10-16 03:13 --d----- c:\progra~2\AIM
2009-10-16 03:13 --d----- c:\program files\AIM
2009-10-16 03:12 --d----- c:\program files\common files\Software Update Utility
2009-10-15 23:40 107 a------- c:\windows\Gbridge.INI
2009-10-15 23:10 --d----- c:\users\nick\appdata\roaming\Gbridge
2009-10-15 23:09 --d----- c:\program files\Gbridge LLC
2009-10-15 13:31 218,624 a------- c:\windows\system32\msv1_0.dll
2009-10-15 13:31 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-10-15 13:31 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2009-10-15 13:26 60,928 a------- c:\windows\system32\msasn1.dll
2009-10-15 13:26 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-10-15 13:21 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 12:27 --d----- c:\program files\Zards software
2009-10-09 15:54 103,720 a------- c:\users\nick\GoToAssistDownloadHelper.exe
2009-10-09 13:46 1,409,024 a------- c:\windows\system32\temp.00A
2009-10-09 13:46 598,288 a------- c:\windows\system32\temp.006
2009-10-09 13:46 164,112 a------- c:\windows\system32\temp.007
2009-10-09 13:46 147,728 a------- c:\windows\system32\temp.008
2009-10-09 13:46 22,288 a------- c:\windows\system32\temp.00B
2009-10-09 13:46 17,920 a------- c:\windows\system32\temp.009
2009-10-06 11:37 --d----- c:\program files\common files\SafeNet Sentinel
2009-10-06 11:37 --d----- c:\program files\Gene Codes
2009-10-06 11:22 --d----- c:\program files\Sassafras K2
2009-10-02 11:15 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-02 11:15 87,552 a------- c:\windows\system32\wudriver.dll
2009-10-02 11:14 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-02 11:14 33,792 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2009-10-15 23:09 143,360 a------- c:\windows\inf\infstrng.dat
2009-10-15 23:09 51,200 a------- c:\windows\inf\infpub.dat
2009-10-15 23:09 86,016 a------- c:\windows\inf\infstor.dat
2009-10-02 17:46 162,760 a------- c:\users\nick\appdata\roaming\nvModes.dat
2009-09-20 03:00 229,224 a------- c:\windows\system32\drivers\VMM.sys
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-27 01:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-24 15:46 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-23 13:39 665,600 a------- c:\windows\inf\drvindex.dat
2009-01-28 23:25 16 a---h--- c:\users\nick\SyncToy_4c888454-efee-4f0e-ac1b-7cd0f059b2ea.dat
2008-07-16 14:56 262,144 a------- c:\progra~2\ntuser.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2007-12-21 14:12 1,719,336 a------- c:\programdata\YugmaSE-Uninstaller.exe
2007-12-21 14:12 1,719,336 a------- c:\progra~2\YugmaSE-Uninstaller.exe
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-12-16 00:00 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-16 00:00 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-16 00:00 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-01-28 23:16 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 14:54:56.07 ===============

#2 brookstonfowler

  • Topic Starter

  • Members
  • 12 posts

Posted 23 October 2009 - 12:27 AM

Never mind. Whatever it was is no longer pestering my system. Thanks anyway.

#3 Orange Blossom


    OBleepin Investigator


  • Moderator
  • 36,805 posts

Posted 23 October 2009 - 05:53 PM

Hello

Thank you for letting us know. I'm glad that your computer problems have been fixed. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
