TheTechGuide Forum

General Category => Tech Clinic => Topic started by: alinato on July 31, 2010, 10:23:53 PM

Title: Symantec endpoint keeps detecting trojan horse..
Post by: alinato on July 31, 2010, 10:23:53 PM
Hi all,

I keep getting the annoying Symantec popup screen telling me it is detecting trojan horses of the type DWH*.tmp... It keeps detecting plenty of those and continuously trying to quarantine them. I logged into Safe Mode and ran Symantec and MalwareBytes. Both detected something in the 'AppData\Local\Temp' folder and deleted it. However, after a while the same messages start again and again.

I ran HijackThis and here you go.

Thanks in advance
Alinato


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 04:19:08, on 01/08/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Users\User0002\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\User0002\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\Windows\System32\acaptuser32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
O23 - Service: NLS Service (nlsX86cc) - Nalpeiron Ltd. - C:\Windows\system32\NLSSRV32.EXE
O23 - Service: RMWPService - Apache Software Foundation - C:\Program Files\Reference Manager 12 Demo\WebPublisher\thirdparty\Apache2\bin\RMWP_Apache_Admin.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 7994 bytes
Title: Symantec endpoint keeps detecting trojan horse..
Post by: guestolo on July 31, 2010, 10:59:37 PM
I believe it's a false positive by Symantec.
Take a read of the following:
http://service1.symantec.com/support/ent-security.nsf/docid/2007111911135548?Open&seg=ent
But you mentioned Malwarebytes Anti-Malware is detecting them also?
Can you open MBAM, open the LOGS tab, open the last couple of logs and post the contents back here, please?
Title: Symantec endpoint keeps detecting trojan horse..
Post by: alinato on August 01, 2010, 08:01:38 AM
Yep, I have the exact same problem on my desktop. I ran MalwareBytes in Safe Mode and here is the log file.

If you wish, I can upload the HijackThis log of my desktop too.

Regards,
Alinato

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4372

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

31/07/2010 20:46:09
mbam-log-2010-07-31 (20-46-09).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 270421
Time elapsed: 32 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Users\User-no0001\AppData\Local\Temp\DWHFFE2.tmp.vir (Backdoor.RBot) -> Quarantined and deleted successfully.
Title: Symantec endpoint keeps detecting trojan horse..
Post by: guestolo on August 01, 2010, 11:07:06 AM
I'm going to copy/paste what is mentioned in the Symantec link, as it seems that link is not always working.

Quote
When new virus definitions are in place and the quarantine is being scanned, a DWHxxx.tmp file is created and detected by Auto-Protect

Situation:
If the "%temp%" folder window is open while the quarantine is being rescanned, a DWHxxx.tmp file will be created and detected by Auto-Protect.

Solution:
This problem is fixed in Maintenance Patch 2 of Symantec Endpoint Protection Maintenance Release 4 (11.0.4202.75). You can apply this patch over Symantec Endpoint Protection MR4 or MR4 MP1.

Please refer to the product Download page to obtain the update:
http://www.symantec.com/business/support/downloads.jsp?pid=54619


If you are unable to migrate up at this time, here are workarounds that should alleviate the issue. These are listed in order of preference.

   1. Disable rescanning of quarantine upon receipt of new virus definitions: edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".
   2. Ensure no process or services (such as Windows Indexing Service for example) can access/monitor our files.
   3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and scanning of the quarantine.
   4. Restart in safe mode, deleting DWH files in the temporary folder, cleaning the quarantine folder.


Additional improvements are expected in SEP 11 RU6 MP1.


Document ID: 2007111911135548
Last Modified: 07/23/2010
Date Created: 11/19/2007

I noticed you ran ComboFix on this computer.
Can I see its log, please?
You should find a copy of it at C:\ComboFix.txt
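Added example, not from the thread or from Symantec: a small Python triage that applies the two facts in the KB text above (the artifact is a DWHxxx.tmp file under %TEMP%, and the fix ships in build 11.0.4202.75) to the paths reported in this thread. The verdict names, the version-comparison helper and the svchost.exe sample path are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Build named by Symantec document 2007111911135548 as carrying the fix
# (SEP MR4 MP2 = 11.0.4202.75). Builds at or above it should not raise
# the DWHxxx.tmp Auto-Protect detections described in the thread.
FIXED_BUILD = (11, 0, 4202, 75)

# File SEP writes to %TEMP% while rescanning its quarantine: "DWH" followed by
# hex digits and ".tmp" (the thread shows DWHC8F8.tmp and DWHFFE2.tmp).
DWH_TEMP_RE = re.compile(r"^DWH[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


def parse_version(text):
    """Turn '11.0.4202.75' into a 4-tuple for comparison; missing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def sep_has_dwh_fix(version_text):
    """True when the installed SEP build is at or above the KB's fixed build."""
    return parse_version(version_text) >= FIXED_BUILD


def classify_detection(path):
    """Classify one detected path using the KB's description (verdict names are mine).

    'quarantine-rescan-artifact' : DWHxxx.tmp sitting directly under a Temp folder
    'quarantined-copy'           : a copy already held in a tool's quarantine
                                   (ComboFix's C:\\Qoobox\\Quarantine, or a .vir suffix)
    'investigate'                : anything else, which the KB does not explain away
    """
    p = PureWindowsPath(path)
    name = p.name
    parts_lower = [part.lower() for part in p.parts]
    if name.lower().endswith(".vir") or "qoobox" in parts_lower or "quarantine" in parts_lower:
        return "quarantined-copy"
    if DWH_TEMP_RE.match(name) and p.parent.name.lower() == "temp":
        return "quarantine-rescan-artifact"
    return "investigate"


def triage(paths):
    """Return {path: verdict} for a list of detected paths."""
    return {path: classify_detection(path) for path in paths}


# Constructed sample: the three paths reported in this thread plus one made-up
# file that the KB does not explain and which should still be investigated.
SAMPLE_DETECTIONS = [
    r"c:\users\USER-N~1\AppData\Local\Temp\DWHC8F8.tmp",
    r"c:\users\User-no0001\AppData\Local\Temp\DWHFFE2.tmp",
    r"C:\Qoobox\Quarantine\C\Users\User-no0001\AppData\Local\Temp\DWHFFE2.tmp.vir",
    r"C:\Users\User-no0001\AppData\Local\Temp\svchost.exe",  # constructed, not from the thread
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_DETECTIONS).items():
        print(f"{verdict:28} {path}")
    print("SEP 11.0.4000.2  has fix:", sep_has_dwh_fix("11.0.4000.2"))
    print("SEP 11.0.4202.75 has fix:", sep_has_dwh_fix("11.0.4202.75"))
```

The MBAM hit in this thread is on a file under C:\Qoobox\Quarantine with a .vir suffix, i.e. a copy ComboFix had already quarantined, which the function reports as a quarantined copy rather than a live detection.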
Title: Symantec endpoint keeps detecting trojan horse..
Post by: alinato on August 01, 2010, 02:24:54 PM
Thanks for the info.
ComboFix log below.

ComboFix 10-07-29.01 - User-no0001 29/07/2010 23:38:08.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1256.966.1033.18.3292.1657 [GMT 1:00]
Running from: c:\users\User-no0001\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\USER-N~1\AppData\Local\Temp\DWHC8F8.tmp
c:\users\User-no0001\AppData\Local\Temp\DWHFFE2.tmp

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-29 22:54 . 2010-07-29 22:54   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-07-28 20:45 . 2010-07-28 21:49   --------   d-----w-   c:\program files\دليل الهاتف
2010-07-28 20:45 . 2010-07-28 20:45   --------   d-----w-   c:\windows\دليل الهاتف
2010-07-27 10:08 . 2010-07-27 10:08   --------   d-----w-   C:\Boot
2010-07-26 15:30 . 2010-07-26 15:30   --------   d-----w-   c:\program files\Partition Wizard Home Edition 5.0
2010-07-26 14:10 . 2010-07-27 13:18   --------   d-----w-   c:\users\User-no0001\AppData\Local\Sony
2010-07-26 14:09 . 2010-07-26 14:09   --------   d-----w-   c:\users\User-no0001\Podcasts
2010-07-26 14:09 . 2010-07-26 14:09   --------   d-----w-   c:\program files\Common Files\Sony Shared
2010-07-26 14:08 . 2010-07-26 14:08   10134   ----a-r-   c:\users\User-no0001\AppData\Roaming\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2010-07-26 14:08 . 2010-07-26 14:08   --------   d-----w-   c:\users\User-no0001\AppData\Local\Downloaded Installations
2010-07-26 14:08 . 2010-07-26 14:09   --------   d-----w-   c:\program files\Sony
2010-07-26 14:08 . 2010-07-26 14:08   --------   d-----w-   c:\programdata\Sony Corporation
2010-07-26 14:06 . 2010-07-26 14:09   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\Sony
2010-07-25 17:31 . 2010-07-25 17:31   --------   d-----w-   c:\program files\4DiskcleanG
2010-07-22 15:30 . 2010-07-22 15:30   --------   d-----w-   c:\programdata\Sony Ericsson
2010-07-22 15:30 . 2010-07-22 15:30   --------   d-----w-   c:\program files\Sony Ericsson
2010-07-16 15:57 . 2010-07-16 15:57   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\Leadertech
2010-07-09 08:45 . 2010-07-09 08:45   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\Malwarebytes
2010-07-09 08:45 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-09 08:45 . 2010-07-09 08:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-09 08:45 . 2010-07-09 08:45   --------   d-----w-   c:\programdata\Malwarebytes
2010-07-09 08:45 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-07-08 15:07 . 2010-07-08 15:10   --------   d-----w-   c:\users\User-no0001\AppData\Local\Xmarks
2010-07-08 15:07 . 2010-07-08 15:07   --------   d-----w-   c:\program files\Xmarks
2010-07-06 00:05 . 2010-07-06 00:05   --------   d-----w-   c:\users\User-no0001\AppData\Local\Google
2010-07-06 00:05 . 2010-07-06 00:05   --------   d-----w-   c:\program files\Google
2010-07-01 11:07 . 2010-07-01 11:07   434176   ----a-w-   c:\programdata\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 01:10 . 2010-02-14 01:16   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\EndNote
2010-07-27 23:23 . 2010-02-16 22:12   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\vlc
2010-07-25 17:40 . 2010-01-11 19:48   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\uTorrent
2010-07-25 17:40 . 2010-02-14 01:15   --------   d-----w-   c:\program files\Reference Manager 12 Demo
2010-07-22 15:34 . 2010-01-11 17:29   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-06-29 14:07 . 2010-01-10 22:39   --------   d-----w-   c:\programdata\NOS
2010-06-29 13:44 . 2010-01-11 19:04   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\Teleca
2010-06-29 13:44 . 2010-01-11 19:00   --------   d-----w-   c:\program files\Common Files\Teleca Shared
2010-06-26 02:01 . 2010-01-10 20:10   --------   d-----w-   c:\program files\Microsoft.NET
2010-06-22 18:26 . 2010-03-02 16:59   148   ----a-w-   c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-06-07 11:34 . 2010-01-10 20:09   --------   d-----w-   c:\programdata\Microsoft Help
2010-06-03 15:31 . 2010-06-03 15:31   --------   d-----w-   c:\users\User-no0001\AppData\Roaming\SPSSInc
2010-06-02 21:28 . 2010-05-18 23:13   2594584   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-06-02 21:28 . 2010-05-18 23:13   42776   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2010-06-02 18:59 . 2010-05-18 00:33   161920   ----a-w-   c:\windows\system32\drivers\wpshelper.sys
2010-05-28 18:51 . 2010-05-28 18:51   6766   ----a-r-   c:\users\User-no0001\AppData\Roaming\Microsoft\Installer\{B9FFCD7E-450A-430B-AD79-8D0EA466864D}\_4ae13d6c.exe
2010-05-28 18:51 . 2010-05-28 18:51   6766   ----a-r-   c:\users\User-no0001\AppData\Roaming\Microsoft\Installer\{B9FFCD7E-450A-430B-AD79-8D0EA466864D}\_294823.exe
2010-05-28 18:51 . 2010-05-28 18:51   6766   ----a-r-   c:\users\User-no0001\AppData\Roaming\Microsoft\Installer\{B9FFCD7E-450A-430B-AD79-8D0EA466864D}\_18be6784.exe
2010-05-27 07:24 . 2010-06-09 13:13   34304   ----a-w-   c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-09 13:13   293888   ----a-w-   c:\windows\system32\atmfd.dll
2010-05-21 05:18 . 2010-06-09 13:13   977920   ----a-w-   c:\windows\system32\wininet.dll
2010-05-19 21:07 . 2010-02-06 23:47   2594584   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-05-19 21:07 . 2010-05-19 21:07   42776   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2010-05-18 00:32 . 2010-05-18 00:32   124976   ----a-w-   c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-14 11:15 . 2010-01-10 19:11   111552   ----a-w-   c:\users\User-no0001\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-09 09:14 . 2010-06-22 19:01   641536   ----a-w-   c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-06-22 19:01   417792   ----a-w-   c:\windows\system32\msdri.dll
2010-05-06 09:36 . 2010-01-10 16:43   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-01 14:49 . 2010-06-09 13:13   2326528   ----a-w-   c:\windows\system32\win32k.sys
2010-07-06 00:05 . 2010-07-06 00:05   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-06-10 21:26 . 2009-07-14 02:04   9633792   --sha-r-   c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xmarks"="c:\program files\Xmarks\IE Extension\xmarkssync.exe" [2010-04-18 1048576]
"Sony Ericsson PC Companion"="c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" [2010-04-19 405712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-16 198160]
"NWTRAY"="NWTRAY.EXE" [2009-12-27 31768]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-01-25 115560]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-06 30192]

c:\users\User-no0001\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptbehaviorAdmin"= 0 (0x0)
"ConsentPromptbehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ    msv1_0 ncv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-06 30192]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 RMWPService;RMWPService;c:\program files\Reference Manager 12 Demo\WebPublisher\thirdparty\Apache2\bin\RMWP_Apache_Admin.exe [2004-01-28 20537]
R3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe [2010-06-08 153808]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-08 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
S0 NCFilter;Novell UNC Filter - Filter;c:\windows\system32\DRIVERS\NCFilter.sys [2009-12-27 91160]
S0 NCRecognizer;Novell UNC Filter - Recognizer;c:\windows\system32\DRIVERS\NCRecognizer.sys [2009-12-27 110616]
S0 NCUncFilter;Novell UNC Filter - UNC Filter;c:\windows\system32\DRIVERS\NCUncFilter.sys [2009-12-27 22552]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-03-04 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-01 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-01 166632]
S2 NCFSD;Novell Client File System Redirector;c:\program files\Novell\Client\XTier\Drivers\ncfsd.sys [2009-12-27 82456]
S2 NCIOCTL;Novell Xplat IoCtl Driver;c:\program files\Novell\Client\XTier\Drivers\ncioctl.sys [2009-12-27 54808]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-01 840936]
S2 XTSvcMgr;Novell XTier Service Manager;c:\program files\Novell\Client\XTier\Services\XTSvcMgr.exe [2009-12-27 17944]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6032.sys [2009-07-13 164864]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2010-04-09 16472]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2010-04-09 11104]


--- Other Services/Drivers In Memory ---

*Deregistered* - nccache
*Deregistered* - nciom
*Deregistered* - ncp
*Deregistered* - ncpfsp
*Deregistered* - ncpl
*Deregistered* - ndm
*Deregistered* - ndmndap
*Deregistered* - nds4
*Deregistered* - ndslpp
*Deregistered* - niam
*Deregistered* - nipctl
*Deregistered* - nscm
*Deregistered* - nsns
*Deregistered* - nsvccost
*Deregistered* - xtxplat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F27416BB-0248-4721-AF65-76A4DB43B351} = 143.117.14.25,143.117.14.50
FF - ProfilePath - c:\users\User-no0001\AppData\Roaming\Mozilla\Firefox\Profiles\iynniqu1.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Sony\Media Go\npmediago.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",    5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(644)
c:\windows\system32\ncv1_0.DLL
.
Completion time: 2010-07-30 00:11:15
ComboFix-quarantined-files.txt 2010-07-29 23:10

Pre-Run: 28,818,296,832 bytes free
Post-Run: 29,034,299,392 bytes free

- - End Of File - - F63500323AEE882FBE38BD9CF85825B7
Title: Symantec endpoint keeps detecting trojan horse..
Post by: guestolo on August 02, 2010, 01:07:55 PM
I'm a bit surprised that both ComboFix and Malwarebytes found DWH**.tmp files also, but it does seem it is a problem with Symantec Endpoint Protection.

If you google
DWH***.tmp

you will find a massive number of users having the same problem.

I would be careful running ComboFix; it's not a tool to be used lightly.
If you want to properly uninstall it, ensure there is a copy on your Desktop, not in your Downloads folder.
Title: Symantec endpoint keeps detecting trojan horse..
Post by: alinato on August 03, 2010, 03:35:44 PM
Many thanks indeed. This is a relief. I went to the Symantec link you pointed out earlier and downloaded the patch.
No problems so far.

Thanks again,
Alinato