PWStealer infection

I just got infected with the same Trojan (PWStealer) from a colleague USB memory-stick (which I scanned with BitDefender Internet Security 2009 Scan Tool).

It wasn't detected by BitDefender scanner and passed the BitDefender Real Time Protection infecting explorer.exe and iexplore.exe

Can the BitDefender Boot CD clean this infection at this moment?

...or is there any sure way to remove this infection without reinstalling the entire OS + software setup?

Find more posts tagged with

Comments

alexcrist

Hello Meridivs,

Please post a BitDefender Deep Scan log.

Cris.

Meridivs

Unfortunately my IExplore is out of the picture so I can't read the report file/post it here. Now I'm using Opera to browse this forum but it cannot open the .xml file correctly.

I've sent it to the support department along with the suspected files for analysis and a possible solution.

The problem is that neither the Recovery CD or the Deep Scan didn't report any problems but I keep getting these:

1. Yesterday evening, when I tried to start Internet Explorer 8 BitDefender Real Time Protection warned about a changed .exe and blocked it

2. Same with explorer.exe

3. Now BitDefender warns about a \system32\msfeedssync.exe

4. Finally when I tried to save the Deep Scan report it opened in Internet Explorer 6?!

alexcrist

Please read this article: http://kb.bitdefender.com/KB490

Use the 2 tools presented there to create system logs. Archive those logs and upload them on www.sendspace.com (or any other file sharing server of your choice) and leave the download link here.

Also, please put the 3 suspected files (iexplore.exe, explorer.exe and msfeedssync.exe) in a password-protected archive, with the password infected, upload it on Sendspace and send me the download link by PM.

Also, please attach to your next post the latest Deep Scan log, in XML format. It doesn't matter what you use to open them, as we need the original XML file, not a copy-paste of it's content in IE.

Cris.

Meridivs

Multumesc pentru ajutor! Am primit raspunsul de la suportul tehnic BitDefender. Fisierele trimise de mine ca sample - iexplore.exe, explorer.exe si svchost.exe sunt curate.

Se pare ca scutul Real Time de BitDefender - setat pe nivel maxim de paranoia dupa ce am folosit stick-ul de la colegul meu - incepuse sa blocheze/semnaleze ca infectate aplicatii curate (sper).

Sistemul continua sa se comporte aiurea - tocmai am ramas in 640x480/16 culori dupa un update automat de windows XP asa ca am decis sa rad/reinstalez tot pana la urma. Pentru cine e interesat iata raportul de scanare al colegului meu de la care a inceput toata nebunia asta (si el a reinstalat sistemul dupa ce a ramas fara drivere de retea).

BitDefender - Fisier jurnal

Produs: BitDefender Internet Security 2009

Versiune: BitDefender UIScanner v.12

Cale scanare: Scanare profunda

Data inregistrare: 15.12.2009 08:55:45

Cale inregistrare: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1260860145_1_02.xml

Cai scanate:Cale 0000: C:\

Cale 0001: \

Cale 0002: E:\

Optiuni scanare:Scaneaza dupa virusi: Da

Scaneaza dupa adware: Da

Scaneaza dupa spyware: Da

Scaneaza dupa aplicatii: Da

Scaneaza dupa dialere: Da

Scaneaza dupa rootkituri: Da

Optiuni selectie tinta:Scaneaza chei registri: Da

Scaneaza fisiere cookie: Da

Scaneaza sectoarele de boot: Da

Scaneaza procese memorie: Da

Deschide arhive: Da

Scaneaza packerele runtime: Da

Scaneaza e-mailuri: Nu

Scaneaza toate fisierele: Da

Scanare euristica: Da

Extensii scanate:

Extensii excluse:

Procesare tinta:Actiune implicita pentru obiectele infectate: Dezinfecteaza

Actiune implicita pentru obiectele suspecte: Nici una

Actiune implicita pentru obiectele ascunse: Nici una

Actiune implicita pentru obiectele infectate criptate: Nici una

Actiune implicita pentru obiectele suspecte criptate: Nici una

Actiune implicita pentru obiectele infectate protejate cu parola: Salveaza in jurnal ca ne-scanat

Statistici motoare scanare:Numar semnaturi virusi: 4728710

Pluginuri de arhive: 44

Pluginuri de e-mail: 6

Pluginuri de scanare: 13

Pluginuri de sistem: 5

Pluginuri de despachetare: 8

Rezumat general scanareObiecte scanate: 238536

Obiecte infectate: 7

Obiecte suspecte: 0

Obiecte rezolvate: 3

Obiecte nerezolvate: 4

Obiecte protejate cu parola: 0

Obiecte multi-comprimate: 0

Virusi diferiti detectati: 6

Directoare scanate: 17365

Sectoare de boot scanate: 4

Arhive scanate: 8269

Erori input-output: 1

Durata scanarii: 01:30:49

Fisiere/secunda 43

Rezumat procese scanateScanate: 67

Infectate : 5

Rezumat chei registri scanateScanate: 1160

Infectate : 0

Rezumat fisiere cookie scanateScanate: 57

Infectate : 0

Probleme nerezolvate:Nume obiect Nume amenintare Situatie finala

[system]=]C:\Program Files\Internet Explorer\IEXPLORE.EXE [2092] (full dump) DeepScan:Generic.PWStealer.78D3D91E Nicio actiune nu a putut fi aplicata

[system]=]C:\WINDOWS\System32\svchost.exe [2600] (full dump) DeepScan:Generic.SpamTool.02607593 Nicio actiune nu a putut fi aplicata

[system]=]C:\WINDOWS\System32\svchost.exe [2600] (memory dump) DeepScan:Generic.SpamTool.33B53E4E Nicio actiune nu a putut fi aplicata

[system]=]C:\Program Files\Internet Explorer\IEXPLORE.EXE [2092] (memory dump) Generic.PWStealer.0E96BF1A Nicio actiune nu a putut fi aplicata

Probleme rezolvate:Nume obiect Nume amenintare Situatie finala

[system]=]C:\WINDOWS\TEMP\~TM30.tmp [2544] (memory dump) Trojan.Kobka.E Sters

[system]=]C:\WINDOWS\System32\svchost.exe [1104] (memory dump) Trojan.Kobka.E Sters

[system]=]C:\WINDOWS\TEMP\~TM2F.tmp [508] (memory dump) Trojan.Proxy.MSO Sters

Meridivs

Intrebarea este cum se poate scoate virusul de pe stick-ul USB Vodafone 3G?

Are un program automat de instalare inainte sa se inregistreze in sistem/poata fi scanat cu BitDefender.

alexcrist

Since you started your topic on the English section of this forum, please use English to write your posts. If you wish to get support in Romanian, there is a dedicated section of the forum for this language. If you want to move this conversation there, let me know. I will close this thread and you can open a new topic on the appropriate section. Thank you for understanding.

Back to your question: Do you still have the problem? The problem is like this: on-disk files (iexplore.exe and svchost.exe) were probably clean. However, the scan log clearly shows that the only infections were detected on running processes, not on on-disk files. Different malware have capabilities to inject themselves into running, clean processes, thus ”infecting” only the memory. When this happens, BitDefender will detect the threats as ”memory dump” (or as ”full dump”).

Another proof for my theory (that there really WAS an infection) is the fact that BitDefender also detected 3 other infected files, which were deleted (~TM30.TMP, ~TM2F.TMP and a fake svchost.exe). There is a chance that, at a second deep scan, your system was clean because those 3 files might have been the whole infection.

Long story short: if you still have the infection on your system, it needs further investigation. And this can be done using 2 analysis tools described in this article: http://kb.bitdefender.com/KB490

If you need further assistance on this matter, download the 2 tools, run them and generate the logs (as described in the article), upload the logs on a file sharing server (like www.sendspace.com) and post here the download link.

As for your second question: "How can you clean a Vodafone 3G USB device?"

Are you referring to a mobile Vodafone modem? Does it have any storage space (like a normal USB flash drive), or is just a plain USB wireless modem? Because if it doesn't have any storage capabilities, then it can't become infected. It BitDefender reacts to something when you plug in that device, it might be a false alarm, or the problem might be somewhere else. Please post more details about the problem.

Cris.

Meridivs

Thank you for your help!

I have uploaded the logs to http://www.sendspace.com/file/zksvfg

Please let me know if there's any problem we should address.

For the moment the system (Windows XP Professional) is compromised - at every startup it "loses" a driver (Video or Network). The driver would look ok in Device Manager, is reported as running by the system but it does not function (I cannot increase video resolution beyond 640x480 or use the network).

The same problem happened to my colleague after the infection - his network drivers - wireless and cable - ceased to function. I am currently using System Restore to recover from this error but this is not a long-term solution.

alexcrist

As far as I can see, the logs you posted do not show any active infection or suspicious files. svchost.exe processes look clean (no suspicious modules injected in them), explorer.exe the same (clean), iexplore.exe is not even running, nor there are any other processes running from temporary folders (like the ones detected and removed by BitDefender in the previous scan). The rest of the running processes are legit. Also, there are no strange hooks present in your system (besides the hooks made by BitDefender and other legit drivers, everything looks clean).

Have you tried another BitDefender Deep Scan, to see the results?

About your driver problems, as far as I can see, you have an nVidia graphic card and it's processes and services are up and running. However, I don't know the names of the drivers, so I couldn't check if they are actually loaded.

About your network problems, I see you have 4 network adapters installed. 2 of them are DHCP enabled: two of them have similar IPs, but in different classes: 192.168.1.102 and 192.168.0.102; both have the gateway set accordingly, to 192.168.1.1 and 192.168.0.1; the third one is disconnected (DHCP enabled, but no IP is assigned to it), and the fourth one is also connected (DHCP enabled, with a private IP: 10.80.55.81 having the DHCPServer set to 10.80.55.82, but no gateway is registered on this adapter). Again, I couldn't check if the drivers are loaded because I didn't know their name, but since the adapters are connected I don't see an actual problem.

Have you tried uninstalling and reinstalling the problematic drivers (rebooting after uninstall and after the reinstall)?

Also, you didn't mention anything else about the USB modem. Have you tried connecting to the internet using it, to see if that works?

Cris.