
Trojan generator w/ HijackThis log


harkim


Hello,

Recently I started noticing I got a bunch of popups from Norton antivirus that there's a trojan generator and it keeps quarantining these tmp files. I was wondering if somebody could take a look at my hijackthis log and help me out so these popups stop.

Thanks

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:03:13 PM, on 1/31/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe

C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: UserInit=userinit.exe

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: dlbc_device - - C:\Windows\system32\dlbccoms.exe

O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: Splashtop® Remote Service (SplashtopRemoteService) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)

O23 - Service: Splashtop Software Updater Service (SSUService) - Splashtop Inc. - C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: USADISK UPDATE SERVICE (USADISK_AGENT) - Unknown owner - C:\Program Files (x86)\USADISK\WEBHARD_Agent.exe

O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)

O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 7351 bytes

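The log above is in the HijackThis v2.0.4 line format (a section code such as O4 or O23, a dash, then a section-specific body). The parser below is an added example, not code from this thread or from HijackThis itself; its sample lines are constructed from the log above and trimmed to a handful of entries. It groups entries by section, pulls the autostart (O4) and service (O23) fields apart, de-duplicates the repeated O10 LSP line, and sorts services into two buckets: entries with no vendor name recorded ("Unknown owner" or blank) that a reviewer should look at, and "(file missing)" entries for binaries under C:\Windows. The second bucket is kept apart because HijackThis 2.0.4 is a 32-bit program and on 64-bit Windows reads system32 through WOW64 file-system redirection, so it reports many genuine system services as missing; the log above, with its Program Files (x86) and SysWOW64 paths, is from such a system. The regular expressions and bucket names are this example's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2.0.4 line format. The lines are copied in
# shape from the log posted in this thread and trimmed to a few entries.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: dlbc_device - - C:\Windows\system32\dlbccoms.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: USADISK UPDATE SERVICE (USADISK_AGENT) - Unknown owner - C:\Program Files (x86)\USADISK\WEBHARD_Agent.exe
"""


@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "O4", "O23"
    body: str     # everything after "Oxx - "


@dataclass
class Service:
    name: str          # display name as HijackThis prints it
    short_name: str    # service key name from the trailing "(...)", or the name itself
    owner: str         # vendor from version info; "" or "Unknown owner" when none
    path: str          # binary path without the "(file missing)" suffix
    file_missing: bool


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Owner may be blank, which HijackThis prints as "name - - path".
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.*?)\s*- (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 body: HKLM\..\Run: [Name] "C:\path\prog.exe" optional-args
RUN_RE = re.compile(
    r'^(?P<hive>HK\w+)\\\.\.\\(?P<key>[\w-]+): \[(?P<name>[^\]]*)\] "?(?P<path>[^"]*)"?(?P<args>.*)$'
)
SHORT_RE = re.compile(r"\(([^()]+)\)$")


def parse_log(text: str) -> List[Entry]:
    """Split a HijackThis log into (section, body) entries; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def parse_service(body: str) -> Optional[Service]:
    """Parse an O23 body into its fields, or None if it is not in the expected shape."""
    m = SERVICE_RE.match(body)
    if not m:
        return None
    name = m["name"]
    s = SHORT_RE.search(name)
    return Service(
        name=name,
        short_name=s.group(1) if s else name,
        owner=m["owner"].strip(),
        path=m["path"],
        file_missing=m["missing"] is not None,
    )


def triage(entries: List[Entry]) -> dict:
    """Summarise the entries a reviewer looks at first (bucket names are this example's own)."""
    summary = {
        "sections": Counter(e.section for e in entries),
        "autostarts": [],               # O4 Run-key entries as (name, path)
        "lsp_files": [],                # O10 Winsock LSP files, de-duplicated
        "review_services": [],          # O23 with no vendor name and a present binary
        "missing_in_windows_dir": [],   # O23 "(file missing)" under C:\Windows (WOW64 artefact candidates)
    }
    seen_lsp = set()
    for e in entries:
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            if m:
                summary["autostarts"].append((m["name"], m["path"]))
        elif e.section == "O10":
            lsp = e.body.split(": ", 1)[-1].lower()
            if lsp not in seen_lsp:
                seen_lsp.add(lsp)
                summary["lsp_files"].append(lsp)
        elif e.section == "O23":
            svc = parse_service(e.body)
            if svc is None:
                continue
            in_windows = svc.path.lower().startswith("c:\\windows\\")
            if svc.file_missing and in_windows:
                summary["missing_in_windows_dir"].append(svc.short_name)
            elif svc.owner in ("", "Unknown owner"):
                summary["review_services"].append((svc.short_name, svc.path))
    return summary


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on the sample prints one entry in `review_services` per service with no vendor name (dlbc_device in system32 and the USADISK agent), while the vds service lands in `missing_in_windows_dir` rather than being treated as a finding. Unquoted O4 paths with arguments are captured as one string by `RUN_RE`; the full log would need the running-process and R0/R1 lines handled too, which the example leaves out.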

Hello harkim! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

I want to find out what we will have to fight. Please find the log file that contains information about these temp files and post it here:

http://service1.symantec.com/Support/nip.nsf/docid/2002091711361836


Hello Maniac,

Thank you for your quick response. I've copied and pasted the log below.

Thanks again

Filename | Risk | Action | Risk Type | Original Location | Computer | User | Status | Current Location | Primary Action | Secondary Action | Logged By | Action Description | Date and Time
vgoPWXVY.exe.part | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/29/2012 2:55
H5pVuoWi.exe.part | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/29/2012 2:56
DWH30A7.tmp | Trojan.Gen | Log only | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | SYSTEM | Log only | C:\Users\Kim\AppData\Local\Temp\ | Clean security risk | Quarantine | Auto-Protect scan | The file was left unchanged. | 1/30/2012 18:03
DWH8611.tmp | Trojan.Gen | Log only | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | SYSTEM | Log only | C:\Users\Kim\AppData\Local\Temp\ | Clean security risk | Quarantine | Auto-Protect scan | The file was left unchanged. | 1/31/2012 18:03
DWH30A7.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/30/2012 18:03
DWH8611.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 18:04
DWH5FB3.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/30/2012 18:03
DWHADCD.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 18:04
DWHC544.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 18:04
DWHDCEA.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 18:04
DWH3097.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | SYSTEM | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 22:31
DWH57F5.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 22:32
DWH6F7C.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 22:32
DWH834B.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 22:32
DWH96FB.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 22:32
DWHAEB0.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 22:32
DWHEAD8.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/31/2012 22:33
Cookie:kim@atwola.com/ | Tracking Cookies | Deleted | Trackware | Cookie:kim@atwola.com/ | KIM-PC | Kim | Deleted | Deleted | Quarantine | Leave alone (log only) | Manual scan | The file was deleted successfully. | 1/29/2012 3:19
DWH96B3.tmp | Trojan.Gen | Log only | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | SYSTEM | Log only | C:\Users\Kim\AppData\Local\Temp\ | Clean security risk | Quarantine | Auto-Protect scan | The file was left unchanged. | 1/29/2012 22:15
DWH96B3.tmp | Trojan.Gen | Quarantined | File | C:\Users\Kim\AppData\Local\Temp\ | KIM-PC | Kim | Infected | Quarantine | Clean security risk | Quarantine | Auto-Protect scan | The file was quarantined successfully. | 1/29/2012 22:16


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
