Possible Trojan? WFV3.TMP - 5 logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by laxin213, Sep 4, 2008.

  1. laxin213

    laxin213 Private E-2

    Attached Files:

    Last edited: Sep 4, 2008
  2. laxin213

    laxin213 Private E-2

    Possible Trojan? WFV3.TMP - 4 logs, screenie attached

    I was helping out a family member transfer some data off their external hard drive 3 days ago. As soon as I plugged the external HD in, McAfee 8.5 Enterprise that I have installed on my machine detected and deleted a Trojan. I then deleted that file (it was a .rar of 27 Dresses the movie, may or may not have been in rar or unzipped/unrarred if that is a word) from her external HD. At that time I ran a Spybot scan, McAfee scan, and a Trend Housecall online scan. All of them came up empty, saying my machine was clean.

    I noticed a slight slowdown. I went to dump my temp files in C:\windows\temp and I found 1 that could not be removed, WFV3.tmp. Upon deleting the other 2 files (the .txt and the .settings), they get recreated by the .tmp. A screenshot is attached:

    WFV3.tmp
    WGAErrLog.txt
    WGANotify.Settings

    At this point I did a netstat -a on my machine, with no webpages open, and noticed some weird connection (skyler is my pc name):
    TCP skyler:1060 cg-in-f127.google.com:http TIME_WAIT

    I went ahead and performed all the steps mentioned in "Read and Run Me First", from Major Attitude. Here are the logs. Thanks in advance for the help.
     

    Attached Files:

    Last edited: Sep 4, 2008
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Based on your logs (which are clean) you do not have the infection you are pointing out. That temp file may be something related to Microsoft Update and Windows Genuine Advantage since the other two files are from Microsoft and appeared at the same time. The file may be in use by Windows which is why it cannot be deleted. You may be able to delete it in safe boot mode.

    You show no signs of the wfvs.exe file or the driver/service entries in the registry, so it is unlikely that you have the wfvs.exe infection, which is often called Backdoor.Ranky. If you did, the service would be showing in several of your logs.
     
