
Tech Support Team



#1
16th November 2009, 02:09 AM
dstaso
Newcomer
Join Date: Nov 2009, 3 posts.
Removing WFV1.tmp File from Temp Folder

Hello TST:

Problem: Unable to remove the WFV1.tmp file from the C:\WINNT\Temp folder. This file is persistent even after completing all of the steps in the Malware Removal Guide. I have the same problem on both my production and test machines. The posted logs are from my test machine. I suspect that this file was most likely created while my children were playing their online games.

Supporting information: Hardware is DELL Dimension L667R, 384 MB RAM (yes, I'm aware of how antiquated this machine is, but when it was provided at no cost, it made sense to build it for the kids' use).

In addition to the steps in the Malware Guide, I attempted to boot the machine in SAFE MODE and to a DOS prompt. The file is not visible in these modes. I did check the folder options (in safe mode) to ensure that the protected and hidden files were visible, but again, no such file was detected.

File is located in C:\WINNT\Temp

Log Postings START....


Malwarebytes' Anti-Malware 1.41
Database version: 3171
Windows 5.0.2195 Service Pack 4

11/14/2009 2:47:08 PM
mbam-log-2009-11-14 (14-47-08).txt

Scan type: Quick Scan
Objects scanned: 95392
Time elapsed: 12 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gamevancetext.linker (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gamevancetext.linker.1 (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


...


SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 11/14/2009 at 02:05 PM

Application Version : 4.30.1004

Core Rules Database Version : 4272
Trace Rules Database Version: 2154

Scan type : Complete Scan
Total Scan Time : 00:32:55

Memory items scanned : 336
Memory threats detected : 0
Registry items scanned : 2651
Registry threats detected : 0
File items scanned : 7399
File threats detected : 7

Adware.Gamevance
C:\Program Files\Gamevance\gamevancelib32.dll
C:\Program Files\Gamevance\gvtl.dll
C:\Program Files\Gamevance

Adware.Tracking Cookie
C:\Documents and Settings\Dylan\Cookies\dylan@2o7[2].txt
C:\Documents and Settings\Dylan\Cookies\dylan@atdmt[2].txt
C:\Documents and Settings\Dylan\Cookies\dylan@doubleclick[2].txt
C:\Documents and Settings\Dylan\Cookies\dylan@server.iad.liveperson[2].txt

...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:04 PM, on 11/14/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6796.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1257108054886
O17 - HKLM\System\CCS\Services\Tcpip\..\{50EAD5BF-7BC7-4BEA-9625-FC7B8AFE3B1C}: NameServer = 151.197.0.68,151.197.0.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{50EAD5BF-7BC7-4BEA-9625-FC7B8AFE3B1C}: NameServer = 151.197.0.68,151.197.0.38
O17 - HKLM\System\CS2\Services\Tcpip\..\{50EAD5BF-7BC7-4BEA-9625-FC7B8AFE3B1C}: NameServer = 151.197.0.68,151.197.0.38
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\VNC4\WinVNC4.exe

--
End of file - 3989 bytes


Log Postings END....


I also reviewed the thread about P2P applications. To my knowledge, those services have not been accessed using either of my two PCs but you will see the VNC Server in the log above. I don't consider VNC P2P software. Is it?

Any help is greatly appreciated. Thank you for your time.

Dave

#2
20th November 2009, 07:29 PM
Jason
Super Moderator
Join Date: Oct 2007, 2,181 posts.
Hi and welcome to TST!

Logs are clean. It appears that the McAfee Anti-Virus Scanning Engine 5.3.00 creates WFV* temporary files, every time a computer boots into normal Windows XP mode.

If you wish to delete it, do the following:

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

Let me know how it goes.

Last edited by Jason; 20th November 2009 at 09:32 PM.

#3
21st November 2009, 03:05 AM
dstaso
Newcomer
Join Date: Nov 2009, 3 posts.
Jason:

Ran ATF Cleaner for Win2K and rebooted. It appears the WFV1 file is persistent. Although it was probably deleted, it was recreated with today's date.

At this point I'm ok with the file but since I don't know what it contains (or why I should have to keep it resident on my HD), I'd rather it not be there.

Since McAfee insists that it be there, I live with it for now. I am running an enterprise version that is free to employees. When it is no longer available for use by employees (at no cost), I will likely switch to using either AVG or Vipre by Sunbelt Software.

I appreciate your reply and assistance. Thanks again.

Dave

#4
21st November 2009, 05:30 PM
Jason
Super Moderator
Join Date: Oct 2007, 2,181 posts.
Hi, yes, it will continue to make a new one on boot up. I would ask on their forums if I were you.

Here's an article: https://kc.mcafee.com/corporate/inde...ent&id=KB53739.

Best regards,
Jason