# Solved: 3000 Trojans in 1 month



## cherry pie (Jun 4, 2007)

Since I had Vista, my Symantec is catching a lot of trojan horses everyday. I tried to figure out when exactly the threat appears (when connected to the internet, insert a usb storage device, run a certain program... etc) but it's happening at random times.

All of them are found on "C:\Users\local user\AppData\Local\Temp"
They all named "DWHxxxx.tmp" (x stands for any letter or number)

That's how the warning I get looks like:



> Scan type: Auto-Protect Scan
> Event: Security Risk Found!
> Risk: Trojan Horse
> File: C:\Users\hz11134\AppData\Local\Temp\DWH8C44.tmp
> ...


they're automatically quarantined. Used to delete them immediately but I have been collecting those ponies for a month now  just to know how many of them I can have I've made it to 2864  no... 2865 now  !!

I run a full system scan and it keeps detecting and quarantining and the scan never ends, gets stuck in this directory.

I have Symantec Antivirus Full Version 10.2.0.276 and the definition files are daily updated. I somehow feel proud of my antivirus for catching all the stuff but sometime I wonder if it's just being tricked by those temp files. Does anyone have an idea what those?


----------



## WhitPhil (Oct 4, 2000)

I think I would download and run HiJackThis. Run the Scan and save LOG.
When the LOG file opens in NotePad, select all, copy/paste back here in a reply post.

PS
It also seems to be a common issue


----------



## cherry pie (Jun 4, 2007)

OK... here goes...


----------



## WhitPhil (Oct 4, 2000)

Re-pasted for "easier" review.
------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:12 PM, on 10/13/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Halliburton\HalHelp\HalHelp.exe
C:\Program Files\Interwise\Participant\pull.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Symantec AntiVirus\DWHWIZRD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9c.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Symantec AntiVirus\SavUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://halworld.corp.halliburton.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:/Program Files/halliburton/PACFILES/houproxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = houprxy830.corp.halliburton.com:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ProxyUpdate] C:\Windows\HXP\ProxyUpdate.vbs
O4 - HKLM\..\Run: [SAPRUNHXP] C:\Windows\saplogoncheck.exe /s
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IAAnotif] F:\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [COMMUNICATOR] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HalHelp.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Push Client.LNK = C:\Program Files\Interwise\Participant\pull.exe
O4 - Global Startup: SetupUserAdd.vbs
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix: 
O15 - Trusted Zone: *.backup.knowledgepak.com
O15 - Trusted Zone: *.corp.halliburton.com
O15 - Trusted Zone: *.halliburton.com
O15 - Trusted Zone: *.halliburton.jobs
O15 - Trusted Zone: *.halnet.com
O15 - Trusted Zone: *.knowledgepack.com
O15 - Trusted Zone: *.knowledgepak.com
O15 - Trusted Zone: *.lgc.com
O15 - Trusted Zone: *.myhalliburton.com
O15 - Trusted IP range: 134.132.1.42
O15 - Trusted IP range: http://134.132.1.42
O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://74.53.69.87/cp/files/talk3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.halliburton.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.halliburton.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.halliburton.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.halliburton.com
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Unknown owner - F:\Intel Matrix Storage Manager\iaantmon.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nortel CVC Service (NvcRpcServer) - Nortel Networks NA, Inc. - C:\Program Files\Halliburton VPN\NvcRpcSvr.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10432 bytes


----------



## WhitPhil (Oct 4, 2000)

Interestingly, there is a task running call DWHWIZRD.EXE, which I might be guessing, is the one generating the DWH files.

From http://service1.symantec.com/support/ent-security.nsf/docid/2000042413265148

The Dwhwizrd.exe file is used when a new set of definitions comes in. If you set debug mode to "verbose" and copy a new .vdb file into the directory where NAV is installed, then Dwhwizrd.exe pops up a window that reports what it is doing. The window flashes by quickly, but the corresponding line in the Rtvscan.exe debug window is "Pattern File <path> loaded." It is also used to re-scan files sitting in quarantine when new virus definitions are updated and installed.

So, a little weird. The Wisards seems to be dropping the files, and NAV detects them as Trojans!!!

But, if this is so, try disabling the automatic checking for new definitions and see if the Trojans stop.


----------



## cherry pie (Jun 4, 2007)

This is interesting!

I'm not sure where I can turn off the auto live updates and even if I did I wouldn't, as this is a company system and a lot of the settings are defaults and In fact I shouldn't because there is an application I run that require the definition files to be up-to-date. So for me that's not an option.

My main concern was that those files are danger, but since you're saying they're harmless and are actually generated by the anti virus itself, I set the anti virus to exclude that specific path from it's automatic scans. it's been like 10 minutes now with no warning. 

I'll mark this solved and shall keep my settings this way for a while and see what goes. Thanks for the help


----------

