vbs.runauto - Page 1 (WiredWX Christian Hobby Weather Tools forum)

Re: vbs.runauto
It didn't find anything.

Nortons is still finding it as we speak.

# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0e2461d534e0f84dbc9755fbd712aff8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-12-18 01:52:37
# local_time=2011-12-18 12:52:37 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 1522 1522 0 0
# scanned=171081
# found=0
# cleaned=0
# scan_time=7813

Re: vbs.runauto
This is the log from Nortons. Does that help?

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine\APQ4E6.tmp
Location: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine
Computer: WORKSTATION-H
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Sunday, 18 December 2011 1:02:05 PM

Re: vbs.runauto
These logs are popping up constantly. I close it and then another one pops up almost immediately.

see ya

Re: vbs.runauto
LOL, Norton is detecting its own quarantine! Fail!

Navigate to this folder: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine

Delete everything inside it, let me know if the popups still happen now.

Re: vbs.runauto
Yeah, I tried that once but I can't get access to the folder. It says access denied.

Re: vbs.runauto
I have just added that folder as an "exception" in the Symantec setup. I'll see what happens.

Re: vbs.runauto
This is the Nortons log from this morning. It popped up at 3.59 am, well after I changed the exceptions :-(

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH1170.tmp
Location: C:\Documents and Settings\BryanC\Local Settings\temp
Computer: WORKSTATION-H
User: BryanC
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, 22 December 2011 3:59:13 AM

Re: vbs.runauto
Had a good day yesterday but it came back overnight. Norton log below:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH11A7.tmp
Location: C:\Documents and Settings\BryanC\Local Settings\temp
Computer: WORKSTATION-H
User: BryanC
Action taken: Pending Side Effects Analysis : Access denied
Date found: Friday, 23 December 2011 3:56:49 AM

Re: vbs.runauto
There were actually hundreds of these discovered, each in the same location with a different DWH*** file name.

any clues?
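When the same alert fires hundreds of times, it is easier to summarise the entries than to read each pop-up. This is an added example, not code from the thread: it parses the Symantec Auto-Protect log format posted above (the "Field: value" blocks) and groups the detections by folder, noting whether every flagged file follows the DWH*.tmp naming seen here. The sample log is a constructed copy of two entries from this thread.

```python
import re
from collections import Counter

# Added example (not from the thread): summarise a flood of Symantec
# Auto-Protect alerts by folder and file-name pattern. Field names are
# taken from the logs posted above; "DWH" + hex + ".tmp" is their file pattern.
DWH_TMP = re.compile(r"^DWH[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)

def parse_sep_events(text):
    """Split 'Field: value' blocks separated by blank lines into dicts."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first ':' only, so 'C:\' paths survive
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events

def summarise(events):
    """Count detections per (risk name, folder); flag if all files are DWH*.tmp."""
    by_folder = Counter()
    all_dwh = bool(events)
    for ev in events:
        folder, _, name = ev.get("File", "").rpartition("\\")
        by_folder[(ev.get("Security risk detected", "?"), folder)] += 1
        all_dwh = all_dwh and DWH_TMP.match(name) is not None
    return {"total": len(events), "by_folder": dict(by_folder), "all_dwh_tmp": all_dwh}

# Constructed sample: two entries as posted in this thread (some fields omitted).
SAMPLE_LOG = r"""Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH1170.tmp
Action taken: Pending Side Effects Analysis : Access denied
Date found: Thursday, 22 December 2011 3:59:13 AM

Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH11A7.tmp
Action taken: Pending Side Effects Analysis : Access denied
Date found: Friday, 23 December 2011 3:56:49 AM
"""

if __name__ == "__main__":
    print(summarise(parse_sep_events(SAMPLE_LOG)))
```

A run over the full set of alerts shows at a glance whether they all point at one working folder and one file-name pattern, which is the observation the next posts chase.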

Re: vbs.runauto
Found this on the web. Any help?

http://www.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

Re: vbs.runauto
Hello.
Do you know this IP? it could be malicious: 10.10.10.254

Re: vbs.runauto
No, not really, but how would I know? Could it be something to do with my work network? Is it active at home?
How can I tell when it's active?

Re: vbs.runauto
I tried a trace on the IP and it doesn't trace back to anything, so we can remove it safely.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: vbs.runauto
I will do that, but it is interesting that I rebooted in safe mode and disconnected from the net. I navigated to the directory where all the DWH files were and deleted them by highlighting them from latest to oldest so they could reproduce while I was deleting them (beats me if that makes any sense?). I haven't had a virus report all day or overnight. I did get one straight after the "fix" and it highlighted different files.

Anyway, here goes.

Re: vbs.runauto
Here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:48:07 AM, on 25/12/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Telstra\Mobile Broadband Manager\TelstraUCM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
c:\PROGRA~1\mcafee\SITEAD~1\saui.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;10.10.10.1;
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5

Re: vbs.runauto
It came back this morning :-(

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH84B8.tmp
Location: Quarantine
Computer: WORKSTATION-H
User: BryanC
Action taken: Quarantine succeeded : Access denied
Date found: Monday, 26 December 2011 3:58:44 AM

Re: vbs.runauto
Hello.

  • Open HijackThis.
  • Choose "Do a system scan only".
  • Check the boxes in front of these lines:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.10.10.254:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = nexus.*;nexus;10.10.10.1;

  • Press "Fix Checked".
  • Close HijackThis.

Reboot normally.
How is the machine running now?

Re: vbs.runauto
Before I do this: Nexus is our office intranet that operates when I'm at work.
Will that be affected?

Re: vbs.runauto
Ahh, yeah, it might be. Okay, don't do that.

What issues currently still exist?

Re: vbs.runauto
Same issues. I still get the Nortons pop-ups, though maybe not as often. I'll send the log from the next one if you wish.

Re: vbs.runauto
I take it back, they are just as often. That is almost continuous. I delete the Nortons message and another one appears within seconds.

Here's the latest.
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWH996C.tmp
Location: Quarantine
Computer: WORKSTATION-H
User: BryanC
Action taken: Quarantine succeeded : Access denied
Date found: Friday, 6 January 2012 7:00:21 AM

Re: vbs.runauto
Sorry, I should have sent the log much sooner. They are still happening constantly.
Here's the latest log. Same as the rest :-(

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: VBS.Runauto
File: C:\Documents and Settings\BryanC\Local Settings\temp\DWHE517.tmp
Location: Quarantine
Computer: WORKSTATION-H
User: BryanC
Action taken: Quarantine succeeded : Access denied
Date found: Sunday, 15 January 2012 10:21:23 AM

Re: vbs.runauto
Does this one have you stumped? :-)

Re: vbs.runauto
Yes :/ everything looks fine, not sure what's causing it, not sure where the autorun is coming from, everything looks fine.

Are you using any external hardware?

Re: vbs.runauto
I use external hard drives reasonably regularly. I plug a phone in to charge. I use USB sticks and cards. It has a couple of card readers I have added to existing slots in the side.

VBS.Runauto is supposed to be a virus that attaches itself to cards, isn't it?

I once tried cleaning the computer and then not using the cards for a while, but it came back anyway.

Re: vbs.runauto
Yeah, it is.

The machine is clean, but some of the external hardware is infected.

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.

Plug in any/all external hardware and look through the root of the drive for an autorun folder, or an autorun.inf/autorun.ini/autorun.pnf file, or any weirdly named files (could be cmd/bat files). If so, delete them - they are all malicious.

Re: vbs.runauto
I can't find anything.
I have removed the two card readers, and the other thing I connect most often is my phone.

If you could confirm that the laptop is clean and I keep all external hardware away from it, we could check to see if the bug is on the laptop or an accessory, couldn't we?

I did that last time and the bug came back before I reconnected anything.

What do you think?

Re: vbs.runauto
The only thing hard to keep out of this test would be the office network :-(

Re: vbs.runauto
Hmmm, not sure.

Might be best to format the external hardware. Take off anything you want and format them just to be sure.

Re: vbs.runauto
Thank you, done that.

Can we run a scan to see if the computer is clean, then not connect any external hardware to see if it stays that way?

Re: vbs.runauto
I found this on a Toshiba Thumb Drive. It's called autorun.inf but it looks OK to me.

It does go away with a format.

[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0

[Definitions]
Launchpad=LaunchPad.exe
Vtype=1

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip
[Update]
URL=http://www.toshiba.co.jp/p-media/english/u3/update/
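Judging an autorun.inf by eye, as in the post above, comes down to two questions: what would it launch, and what else sits in the drive root. This is an added example, not code from the thread: a small checker that parses an autorun.inf into its sections, lists the commands the [AutoRun] section would run (open=, shellexecute= and shell\...\command keys), and flags the root-level names the earlier advice says to look for (autorun artefacts and loose scripts or executables). The sample is a constructed copy of the U3 launcher file quoted above; to check a real drive, pass os.listdir(r"E:\\") to triage_root (an assumed drive letter).

```python
import re

# Added example (not from the thread): parse an autorun.inf and triage a
# removable drive's root for the artefacts the advice above lists.
AUTORUN_NAMES = {"autorun", "autorun.inf", "autorun.ini", "autorun.pnf"}
EXEC_EXTS = (".vbs", ".vbe", ".js", ".wsf", ".cmd", ".bat", ".exe", ".scr", ".pif", ".com")
LAUNCH_KEYS = ("open", "shellexecute")  # [AutoRun] keys that run a command

def parse_autorun(text):
    """Parse INI-style autorun.inf into {section: {key: value}}, lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_targets(text):
    """Commands the [AutoRun] section would run, as [(key, command)]."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", k)]

def triage_root(names):
    """Flag drive-root entries (a list of file/folder names) worth a closer look."""
    flagged = []
    for name in names:
        lower = name.lower()
        if lower in AUTORUN_NAMES:
            flagged.append((name, "autorun artefact"))
        elif lower.endswith(EXEC_EXTS):
            flagged.append((name, "executable or script in drive root"))
    return flagged

# Constructed sample: the U3 launcher autorun.inf quoted in the thread.
U3_AUTORUN = """[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0
[Definitions]
Launchpad=LaunchPad.exe
"""
```

For the U3 sample the only launch target is LaunchU3.exe -a, so the next step is to confirm that file, and anything else flagged in the root, is what it claims to be rather than trusting the .inf alone.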

Re: vbs.runauto
Hello, I've been away for two weeks so no activity on my computer :-)

Just got back saw the error message again.

In the post above I meant "It does NOT go away with a format"

Do you think doing a scan once more to confirm the computer is clean, and then keeping all accessories away from it to see if the message comes back, would confirm the bug is on the computer and not an external drive?

see ya
