Hi, as soon as my PC booted to Windows today, Norton 2012 Internet Security advised me of a “Bloodhound…” virus and promptly asked me to restart my PC to get this removed. When I restarted and looked at the details of this I find that a “WS Trojan H” virus was found in an .exe file. This file was installed over 2 weeks ago, the program that it relates to has never been used. Can anybody shed any light? The file belongs to the software “Cyberlink PowerDVD9\Navfilter\KMSVC.exe.” This software was installed 2 weeks ago as part of my supplied software with my new PC/Blu Ray Writer, from an original Cyberlink DVD. Thanks
Hi Surfer1000,
There is a chance of a false positive from the Norton 2012 product. I would recommend that you check the Quarantine; if the .exe file is there, try to submit it to Symantec for further analysis. You can also try reinstalling the Cyberlink PowerDVD9 program, then submit the corresponding file to Symantec Security Response for analysis. You can refer to the instructions on the following Symantec Web site:
https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=20100222230832EN
Let us know if you need further help with this.
Thanks,
HarryP
Hi, yes it’s still in quarantine, in the history it says submitted. Your instructions link provided does not currently have a “selection” for 2012 version! Thanks, Martin
It does take a bit of time getting all the little changes made after a new version is released.
Surfer1000,
If possible, please provide a screenshot of the details from the Quarantine. If the file has already been submitted, the Security Response will analyze it further, and if it is a false positive, they will release updates to whitelist that specific file. Hope this will help.
In the meantime, I would suggest trying to uninstall and reinstall the CyberDVD program. Then run LiveUpdate from Norton 2012 repeatedly to get all necessary updates, and then run a full system scan. Let us know if the file is again detected as a threat.
Thanks,
HarryP
Hi, I have now run the program (PowerDVD) which then advised that there is an update for it. I installed this update, which put the problem file back again, but on a scan of the file nothing bad was found. Martin
I ran into the same problem today on my new Windows 7 laptop. Norton deleted the file though, so I cannot provide it.
Hi again, upon a system restart the same problem appeared again…Bloodhound Virus.sym.vt.fp.h found…etc! Unable to restore from quarantine, as even though I tell Norton to restore and exclude from scan, Auto-Protect instantly quarantines the file again!
I have developed an issue with WS.Trojan.H as well in the last few days. I have tried running NIS 2012, Adaware and Norton Power Eraser to rid my computers of this threat. But it keeps replicating itself and coming back in other *.exe files. What is Norton doing to address this potential security threat?
Full Path: c:\program files\motorola\motoconnectservice\installfile\installservice.exe
____________________________
____________________________
On computers as of Not Available
Last Used 9/21/2011 at 3:34:46 PM
Startup Item No
Launched No
____________________________
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Unknown
This file release is currently not known.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
____________________________
____________________________
File Actions
File: c:\program files\motorola\motoconnectservice\installfile\installservice.exe
Removed
File: c:\program files\motorola\motoconnectservice\installfile\uninstallservice.exe
Removed
____________________________
File Thumbprint - SHA:
8018ff9aceeb0c42520dd790652480e49ab95f9732cbffcd42948b250e3eb107
____________________________
File Thumbprint - MD5:
d83fa0b99fb5748b1c4b1e1ae913703f
____________________________
However, this Trojan has changed its stripes and comes back as another *.exe file.
Here is another quarantine report from my laptop.....same issue with this trojan.
Full Path: c:\blp\wintrv\smartclient\vboot.4\framework_data\stubexe\@windir@\microsoft.net\framework\v2.0.50727\mscorsvw.exe
____________________________
____________________________
On computers as of Not Available
Last Used 9/21/2011 at 2:53:35 PM
Startup Item No
Launched No
____________________________
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Unknown
This file release is currently not known.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
____________________________
____________________________
File Actions
File: c:\blp\wintrv\smartclient\vboot.4\framework_data\stubexe\@windir@\microsoft.net\framework\v2.0.50727\mscorsvw.exe
Removed
____________________________
File Thumbprint - SHA:
7732157da7b8b77dbc29ce078361c9056c26f0e77e7426807c29bfedc492eb5b
____________________________
File Thumbprint - MD5:
cc11b85928d74d3dc3ad3d528b921410
____________________________
Full Path: c:\blp\wintrv\smartclient\vboot.4\framework_data\stubexe\@appdir@\dnet35mgr.exe
____________________________
____________________________
On computers as of Not Available
Last Used 9/21/2011 at 2:51:51 PM
Startup Item No
Launched No
____________________________
____________________________
Unknown
Number of users in the Norton Community that have used this file: Unknown
____________________________
Unknown
This file release is currently not known.
____________________________
High
This file risk is high.
____________________________
Threat Details
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
____________________________
____________________________
File Actions
File: c:\blp\wintrv\smartclient\vboot.4\framework_data\stubexe\@appdir@\dnet35mgr.exe
Removed
____________________________
File Thumbprint - SHA:
789018a4a11fd24ccd6ae740fb6c41566433b890e4554d2961c1e99341fb4a4a
____________________________
File Thumbprint - MD5:
6d867cf7280efc7260b29fd44e812b3e
____________________________
Hi All,
I too have now performed a full install of NIS 2012 - and immediately find that I apparently have the WS.Trojan.H virus in not just 1, or 5 BUT 50 files. Many of these are recently downloaded .exe files from reliable suppliers. The files are scattered throughout my 14 disks. I took the report at face value and have since emptied my Recycle Bin. Having read your reports above, I now suspect that it is NIS 2012 that's wrong - and not the deleted files. I look forward to further comments.
I installed NIS 2012 two days ago and did a full system scan which found nothing. However I was glancing through my Norton Community Watch history afterwards which had several entries presumably from the scan and saw the word "exonerated" after some submissions which I had never seen in previous NIS versions. One of the entries which had been submitted was "WS.Trojan.H Exonerated" for which "No action required". I ran Malwarebytes and NIS quick scan which picked up nothing. I take it "exonerated" has its normal meaning in effect nothing to worry about? There is no trace of WS.Trojan.H on searching Symantec, McAfee or EZ-AV information sites.
Hi imbart,
Files that are quarantined based on reputation are periodically re-scanned. As more becomes known about a file, earlier convictions might be overturned and an unjustly accused file will be allowed to walk out of quarantine a free man.
Thanks SendOfJive - Norton didn't flag it up and if I hadn't happened to casually look at the Norton Community Watch history I wouldn't even know about it. I thought maybe Norton was taking the file in as a suspect for investigation on heuristic evidence.
I've now discovered that files identified with "WS.Trojan.H" or "Suspicious.Cloud.2" are deleted if the scan is run in W7 Safe Mode, but they are not selected or deleted when the scan is run in W7 Normal Mode. I will refer the problem to Symantec's on-line Security Risk / False Positive Dispute Submission.
Normal Mode: (run before Safe Mode)
Scan Statistics:
Scan Time: 136 seconds
Scan Targets: C:\Users\Noel\Desktop\Restored 'Virus' files
Counts:
Total items scanned: 4,748
- Files & Directories: 4,748
- Registry Entries: 0
- Processes & Start-up Items: 0
- Network & Browser Items: 0
- Other: 0
- Trusted Files: 4
- Skipped Files: 0
Total security risks detected: 0
Total items resolved: 0
Total items that require attention: 0
Resolved Threats:
No risks have been resolved
Unresolved Threats:
No unresolved risks
=================================================================
then:- Safe with Network Mode (only some is shown below)
Scan Statistics:
Scan Time: 10,147 seconds
Scan Targets: Entire computer
Counts:
Total items scanned: 3,194,338
- Files & Directories: 3,189,716
- Registry Entries: 1,602
- Processes & Start-up Items: 2,141
- Network & Browser Items: 871
- Other: 4
- Trusted Files: 0
- Skipped Files: 0
Total security risks detected: 38
Total items resolved: 18
Total items that require attention: 20
Resolved Threats:
Suspicious.Cloud.2
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[asicutil4.exe] inside of [webcelerator.exe] inside of [c:\users\noel\desktop\restored 'virus' files\c\desktop.zip] - Deleted
WS.Trojan.H
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[asicutil4.exe] inside of [webcelerator.exe] inside of [c:\users\noel\desktop\restored 'virus' files\c\desktop.zip] - Deleted
WS.Trojan.H
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[testscanner.exe] inside of [c:\users\noel\desktop\restored 'virus' files\c\desktop.zip] - Deleted
WS.Trojan.H
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[viacb.exe] inside of [c:\users\noel\desktop\restored 'virus' files\d\&download=usb4212.zip] - Deleted
WS.Trojan.H
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[hdsrv2k3sp1.exe] inside of [c:\users\noel\desktop\restored 'virus' files\d\audio_via_vt32_64_090427.zip] - Deleted
WS.Trojan.H
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[hdw2k3x64.exe] inside of [c:\users\noel\desktop\restored 'virus' files\d\audio_via_vt32_64_090427.zip] - Deleted
WS.Trojan.H
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[hdwxpx64.exe] inside of [c:\users\noel\desktop\restored 'virus' files\d\audio_via_vt32_64_090427.zip] - Deleted
Suspicious.Cloud.2
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[camera_vimicro_v1.9.904.1_win7_fpc65-5076-01.exe] inside of [c:\users\noel\desktop\restored 'virus' files\d\driveragent_2011_04.zip] - Deleted
WS.Trojan.H
Type: Compressed
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Fully Resolved
-----------
1 File
[camera_vimicro_v1.9.904.1_win7_fpc65-5076-01.exe] inside of [c:\users\noel\desktop\restored 'virus' files\d\driveragent_2011_04.zip] - Deleted
A general thread on this topic can be located here: http://community.norton.com/t5/Norton-Internet-Security-Norton/Is-there-a-Bug-in-Safe-Mode-Scan/td-p/538446
Today I had the same situation with APRP from Asus VX6.
File was originally in C:\Program Files\ASUS\APRP\aprp.exe
File was not touched since manufacturer’s installation on original Win7 HP image.
The application, I found, is the Asus Product Registration Program.
PC is all clean, so this might be a fake alarm, too. Norton sent my file.
I also have an issue with the WS trojan.H since upgrading recently to version 2012. It is on a program I have used for over a year and was not an issue on version 2011. The file name is TMPGEncVMW5.exe from TMPGEnc Video Mastering Works 5, a video editing software. I tried submitting the file for false positive but the file will not upload because the file was too big.
I will use something else if this issue is not fixed. I have uninstalled the Norton software and used other scanners and the issue does not come up. I can not be bothered by this every day nor reinstall the TMPGEnc software just to be able to use it every day.
Please look into the matter and fix it!
Thanks
Rick
I've just scanned in safe mode, no detections. Make sure you're using version 19.1.1.3.
I have this version and I had this issue with this version. With all updates up to today I had no other fake alerts… If I get any - I will post it here.