
Trojan.Downloader.Small.WV

Discussion in 'Malware and Virus Removal Archive' started by jimbo0706, 2005/01/13.

Thread Status:
Not open for further replies.
  1. 2005/01/13
    jimbo0706

    jimbo0706 Well-Known Member Thread Starter

    Joined:
    2004/06/08
    Messages:
    244
    Likes Received:
    2
    I have run BitDefender and it keeps coming up with
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-65b432d-34796baf.class: infected with Trojan.Downloader.Small.WV

    I have run my virus scanner and it came up clean. I have also run Adaware SE and Spybot S&D and they keep coming up clean. Can anyone help?
     
  2. 2005/01/13
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi
    Provided the operating system and Sun Java are up to date, that's nothing to worry about.
    Simply clear Sun's cache.
    Java Technology Help - Virus found in Java Plug-in cache directory: http://java.com/en/download/help/cache_virus.jsp

    Regards
     


  4. 2005/01/14
    jimbo0706

    jimbo0706 Well-Known Member Thread Starter

    Joined:
    2004/06/08
    Messages:
    244
    Likes Received:
    2
    I am running Windows XP with Service Pack 2.

    I did what you said to do. Cleared that up. Now another problem. My PC is getting really slow to boot up and getting slower every day. I did a msconfig and stopped everything from running but my virus detection. I have run Adaware SE and Spybot S&D. Both have come up clean, and also SpySubtract <---- This one was given to me by HP Tech Support, who said my PC was loaded with spyware, and that scan came up clean as well. Any ideas?
     
  5. 2005/01/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Get the beta Microsoft from Here.

    If you still have problems after that cleaning is done, get Hijackthis (see quicklinks in my signature), unzip it to a folder other than desktop or any temp folder (I like to use a new folder c:\hjt), scan and create a log then post the log here.

    DO NOT take any action based on the Hijackthis scan until someone looks it over and says what to do since this utility shows everything, good and bad, with no attempt to sort them out.
     
    Newt,
    #4
  6. 2005/01/15
    jimbo0706

    jimbo0706 Well-Known Member Thread Starter

    Joined:
    2004/06/08
    Messages:
    244
    Likes Received:
    2
    OK, I ran that spyware thing and it also came up clean.
    Here is my hijackthis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:15:44 PM, on 1/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\mcafee.com\agent\mcagent.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\FraudEliminator\2.1.2\FraudEliminator_Helper.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: FraudEliminator - {A5181F8A-0B9D-43AC-8BE5-EB61651DB685} - C:\Program Files\FraudEliminator\2.1.2\FETB.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4419/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A232B0A7-446D-4F20-A836-0580D95492EF}: NameServer = 68.92.19.11 68.92.19.12
    O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
     
  7. 2005/01/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Interesting. Your system is about as clean as one could possibly be so the tech's guess of spyware is wrong.

    This sounds like much the same problem (speed and hard-to-find critters) that you were dealing with in October. Never did hear if you got fixed that time.

    One item from the HJT log (not a problem - just interesting)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A232B0A7-446D-4F20-A836-0580D95492EF}: NameServer = 68.92.19.11 68.92.19.12
    The name servers both seem legit but the CLSID is not a common one. In fact, the only hit I got on it was your October HJT log.

    Not really sure what is going on with your PC but it certainly does not seem like spyware/adware or virus.

    To keep down confusion, I suggest you post a new topic to the XP section dealing purely with the speed issues. Probably good to put in a link to this thread and a disclaimer that you know it isn't spyware-related.
     
    Newt,
    #6
  8. 2005/01/15
    jimbo0706

    jimbo0706 Well-Known Member Thread Starter

    Joined:
    2004/06/08
    Messages:
    244
    Likes Received:
    2
    The last time I had the problem I ended up doing a System Recovery and everything was fine. I am trying to avoid that this go-around. Thanks for the help. I posted a message in the XP Forum. Will go from there. :)
     
  9. 2005/01/16
    BBPanel

    BBPanel Inactive

    Joined:
    2004/03/18
    Messages:
    41
    Likes Received:
    0
    svchost.exe?

    I don't know how it relates to speed (if at all) but isn't "C:\WINDOWS\system32\svchost.exe" a trojan-related program? I keep removing it from my registry but it keeps coming back. However, even though it seems to remain in the registry, it apparently doesn't run anymore because I don't get the "dltime.dll" run error I used to get (thanks to PeteC). -Bob
     
  10. 2005/01/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    BBPanel - the svchost.exe in \system32 is a legit windows file that does lots of work on 2K\XP\2K3 systems. Nothing by itself really but acts as a 'wrapper' for other running services.

    scvhost.exe is dropped on systems by a trojan and is for sure a baddie and svchost.exe located anywhere other than \system32 (or your system cache) is probably a baddie as well.

    I just took this from my PC running XP-pro SP2
    Code:
    Image Name    PID   Services                                     
    ============ ====== =============================================
    svchost.exe    864 DcomLaunch, TermService                      
    svchost.exe    912 RpcSs                                        
    svchost.exe   1008 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, 
                       ERSvc, EventSystem, helpsvc, lanmanserver,   
                       lanmanworkstation, Netman, Nla, RasMan,      
                       Schedule, seclogon, SENS, SharedAccess,      
                       ShellHWDetection, TapiSrv, Themes, TrkWks,   
                       W32Time, winmgmt, wscsvc, wuauserv, WZCSVC   
    svchost.exe   1052 Dnscache                                     
    svchost.exe   1104 Alerter, LmHosts, RemoteRegistry, SSDPSRV,   
                       WebClient                                    
    svchost.exe   1792 stisvc
     
    Newt,
    #9
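
The location and name check Newt describes above, applied to the "Running processes" section of a HijackThis log, as an added example that is not part of the original thread. The function names, the `C:\WINDOWS` install path, the reading of "system cache" as `system32\dllcache`, and the sample log are all assumptions made for illustration.

```python
import ntpath

# Assumption: Windows lives in C:\WINDOWS; "system cache" = system32\dllcache.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache"}
GENUINE = "svchost.exe"

def edit_distance(a, b):
    """Levenshtein distance; a swapped pair such as 'cv' for 'vc' costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def running_processes(log_text):
    """Paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in map(str.strip, log_text.splitlines()):
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and line:
            paths.append(line)
        elif in_section and paths:
            break  # blank line after the list ends the section
    return paths

def classify(path):
    directory, name = ntpath.split(path.lower())
    if name == GENUINE:
        return "ok" if directory in TRUSTED_DIRS else "wrong-location"
    return "look-alike" if edit_distance(name, GENUINE) <= 2 else "other"

def suspicious(log_text):
    """(verdict, path) for every svchost impostor among running processes."""
    hits = [(classify(p), p) for p in running_processes(log_text)]
    return [h for h in hits if h[0] in ("wrong-location", "look-alike")]

# Constructed sample, not taken from the thread's log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\scvhost.exe
C:\WINDOWS\Temp\svchost.exe
C:\WINDOWS\system32\spoolsv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""
print(suspicious(SAMPLE_LOG))
```

A "look-alike" or "wrong-location" verdict is a reason to inspect the file, not proof of infection; paths written in 8.3 short form (such as `PROGRA~1`) are compared as written.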
  11. 2005/01/16
    BBPanel

    BBPanel Inactive

    Joined:
    2004/03/18
    Messages:
    41
    Likes Received:
    0
    Ah, I see now. Thanks. I downloaded Hijack and ran it - I'll post the log in another thread. -Bob
     