PWStealer infection
I just got infected with the same Trojan (PWStealer) from a colleague's USB memory stick (which I scanned with the BitDefender Internet Security 2009 Scan Tool).
It wasn't detected by the BitDefender scanner and passed BitDefender Real Time Protection, infecting explorer.exe and iexplore.exe.
Can the BitDefender Boot CD clean this infection at this moment?
...or is there any sure way to remove this infection without reinstalling the entire OS + software setup?
Comments
Hello Meridivs,
Please post a BitDefender Deep Scan log.
Cris.
Unfortunately my IExplore is out of the picture so I can't read the report file/post it here. Now I'm using Opera to browse this forum but it cannot open the .xml file correctly.
I've sent it to the support department along with the suspected files for analysis and a possible solution.
The problem is that neither the Recovery CD nor the Deep Scan reported any problems, but I keep getting these:
1. Yesterday evening, when I tried to start Internet Explorer 8, BitDefender Real Time Protection warned about a changed .exe and blocked it
2. Same with explorer.exe
3. Now BitDefender warns about a \system32\msfeedssync.exe
4. Finally, when I tried to save the Deep Scan report it opened in Internet Explorer 6?!
Please read this article: http://kb.bitdefender.com/KB490
Use the 2 tools presented there to create system logs. Archive those logs and upload them on www.sendspace.com (or any other file sharing server of your choice) and leave the download link here.
Also, please put the 3 suspected files (iexplore.exe, explorer.exe and msfeedssync.exe) in a password-protected archive, with the password infected, upload it on Sendspace and send me the download link by PM.
Also, please attach to your next post the latest Deep Scan log, in XML format. It doesn't matter what you use to open them, as we need the original XML file, not a copy-paste of its content in IE.
Cris.
Thank you for the help! I received the answer from BitDefender technical support. The files I sent as samples - iexplore.exe, explorer.exe and svchost.exe - are clean.
It seems that the BitDefender Real Time shield - set to the maximum paranoia level after I used my colleague's stick - had started blocking/flagging clean applications as infected (I hope).
The system still behaves erratically - I just got stuck at 640x480/16 colours after an automatic Windows XP update, so I decided to wipe/reinstall everything in the end. For anyone interested, here is the scan report of my colleague, where all this madness started (he also reinstalled his system after he was left without network drivers).
BitDefender - Fisier jurnal
Produs: BitDefender Internet Security 2009
Versiune: BitDefender UIScanner v.12
Cale scanare: Scanare profunda
Data inregistrare: 15.12.2009 08:55:45
Cale inregistrare: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1260860145_1_02.xml
Cai scanate:Cale 0000: C:\
Cale 0001: \
Cale 0002: E:\
Optiuni scanare:Scaneaza dupa virusi: Da
Scaneaza dupa adware: Da
Scaneaza dupa spyware: Da
Scaneaza dupa aplicatii: Da
Scaneaza dupa dialere: Da
Scaneaza dupa rootkituri: Da
Optiuni selectie tinta:Scaneaza chei registri: Da
Scaneaza fisiere cookie: Da
Scaneaza sectoarele de boot: Da
Scaneaza procese memorie: Da
Deschide arhive: Da
Scaneaza packerele runtime: Da
Scaneaza e-mailuri: Nu
Scaneaza toate fisierele: Da
Scanare euristica: Da
Extensii scanate:
Extensii excluse:
Procesare tinta:Actiune implicita pentru obiectele infectate: Dezinfecteaza
Actiune implicita pentru obiectele suspecte: Nici una
Actiune implicita pentru obiectele ascunse: Nici una
Actiune implicita pentru obiectele infectate criptate: Nici una
Actiune implicita pentru obiectele suspecte criptate: Nici una
Actiune implicita pentru obiectele infectate protejate cu parola: Salveaza in jurnal ca ne-scanat
Statistici motoare scanare:Numar semnaturi virusi: 4728710
Pluginuri de arhive: 44
Pluginuri de e-mail: 6
Pluginuri de scanare: 13
Pluginuri de sistem: 5
Pluginuri de despachetare: 8
Rezumat general scanareObiecte scanate: 238536
Obiecte infectate: 7
Obiecte suspecte: 0
Obiecte rezolvate: 3
Obiecte nerezolvate: 4
Obiecte protejate cu parola: 0
Obiecte multi-comprimate: 0
Virusi diferiti detectati: 6
Directoare scanate: 17365
Sectoare de boot scanate: 4
Arhive scanate: 8269
Erori input-output: 1
Durata scanarii: 01:30:49
Fisiere/secunda 43
Rezumat procese scanateScanate: 67
Infectate : 5
Rezumat chei registri scanateScanate: 1160
Infectate : 0
Rezumat fisiere cookie scanateScanate: 57
Infectate : 0
Probleme nerezolvate:Nume obiect Nume amenintare Situatie finala
[system]=]C:\Program Files\Internet Explorer\IEXPLORE.EXE [2092] (full dump) DeepScan:Generic.PWStealer.78D3D91E Nicio actiune nu a putut fi aplicata
[system]=]C:\WINDOWS\System32\svchost.exe [2600] (full dump) DeepScan:Generic.SpamTool.02607593 Nicio actiune nu a putut fi aplicata
[system]=]C:\WINDOWS\System32\svchost.exe [2600] (memory dump) DeepScan:Generic.SpamTool.33B53E4E Nicio actiune nu a putut fi aplicata
[system]=]C:\Program Files\Internet Explorer\IEXPLORE.EXE [2092] (memory dump) Generic.PWStealer.0E96BF1A Nicio actiune nu a putut fi aplicata
Probleme rezolvate:Nume obiect Nume amenintare Situatie finala
[system]=]C:\WINDOWS\TEMP\~TM30.tmp [2544] (memory dump) Trojan.Kobka.E Sters
[system]=]C:\WINDOWS\System32\svchost.exe [1104] (memory dump) Trojan.Kobka.E Sters
[system]=]C:\WINDOWS\TEMP\~TM2F.tmp [508] (memory dump) Trojan.Proxy.MSO Sters
The question is: how can the virus be removed from the Vodafone 3G USB stick?
It has an automatic installer program that runs before it registers with the system / can be scanned with BitDefender.
Since you started your topic on the English section of this forum, please use English to write your posts. If you wish to get support in Romanian, there is a dedicated section of the forum for this language. If you want to move this conversation there, let me know. I will close this thread and you can open a new topic on the appropriate section. Thank you for understanding.
Back to your question: Do you still have the problem? The problem is like this: the on-disk files (iexplore.exe and svchost.exe) were probably clean. However, the scan log clearly shows that the only infections were detected on running processes, not on on-disk files. Different kinds of malware have the capability to inject themselves into running, clean processes, thus "infecting" only the memory. When this happens, BitDefender will detect the threats as "memory dump" (or as "full dump").
Another proof for my theory (that there really WAS an infection) is the fact that BitDefender also detected 3 other infected files, which were deleted (~TM30.TMP, ~TM2F.TMP and a fake svchost.exe). There is a chance that, at a second deep scan, your system was clean because those 3 files might have been the whole infection.
Long story short: if you still have the infection on your system, it needs further investigation. And this can be done using 2 analysis tools described in this article: http://kb.bitdefender.com/KB490
If you need further assistance on this matter, download the 2 tools, run them and generate the logs (as described in the article), upload the logs on a file sharing server (like www.sendspace.com) and post here the download link.
As for your second question: "How can you clean a Vodafone 3G USB device?"
Are you referring to a mobile Vodafone modem? Does it have any storage space (like a normal USB flash drive), or is it just a plain USB wireless modem? Because if it doesn't have any storage capabilities, then it can't become infected. If BitDefender reacts to something when you plug in that device, it might be a false alarm, or the problem might be somewhere else. Please post more details about the problem.
Cris.
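The distinction Cris draws above (hits reported as "memory dump"/"full dump" on running processes, versus hits on files on disk) can be checked mechanically against the text log pasted earlier in the thread. The following script is an added example written for this thread, not BitDefender's code or a parser of its XML report: it assumes the line layout visible in the pasted log (`[system]=]<image path> [<pid>] (<dump kind>) <threat> <status>`), keeps the Romanian status text verbatim, and separates the unresolved in-memory hits on system binaries (the candidates for injection) from the resolved hits on processes started out of a temp directory (the droppers the scanner removed). The sample input is the tail of the colleague's log as it appears in the thread.

```python
"""Triage the process-dump findings of a BitDefender 2009 deep-scan log (text rendering).
Added example for this thread; the line layout is inferred from the pasted log and the
real XML report is not handled."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the "Probleme nerezolvate"/"Probleme rezolvate" tail of the colleague's
# log as pasted in the thread (status text kept verbatim, Romanian).
SAMPLE_LOG = r"""
Probleme nerezolvate:Nume obiect Nume amenintare Situatie finala
[system]=]C:\Program Files\Internet Explorer\IEXPLORE.EXE [2092] (full dump) DeepScan:Generic.PWStealer.78D3D91E Nicio actiune nu a putut fi aplicata
[system]=]C:\WINDOWS\System32\svchost.exe [2600] (full dump) DeepScan:Generic.SpamTool.02607593 Nicio actiune nu a putut fi aplicata
[system]=]C:\WINDOWS\System32\svchost.exe [2600] (memory dump) DeepScan:Generic.SpamTool.33B53E4E Nicio actiune nu a putut fi aplicata
[system]=]C:\Program Files\Internet Explorer\IEXPLORE.EXE [2092] (memory dump) Generic.PWStealer.0E96BF1A Nicio actiune nu a putut fi aplicata
Probleme rezolvate:Nume obiect Nume amenintare Situatie finala
[system]=]C:\WINDOWS\TEMP\~TM30.tmp [2544] (memory dump) Trojan.Kobka.E Sters
[system]=]C:\WINDOWS\System32\svchost.exe [1104] (memory dump) Trojan.Kobka.E Sters
[system]=]C:\WINDOWS\TEMP\~TM2F.tmp [508] (memory dump) Trojan.Proxy.MSO Sters
"""

# One finding line: "[system]=]<image path> [<pid>] (<dump kind>) <threat> <final status>".
# Assumption: the threat name never contains spaces; the status text may.
FINDING_RE = re.compile(
    r"^\[system\]=\](?P<path>.+?) \[(?P<pid>\d+)\] \((?P<kind>[^)]+)\) "
    r"(?P<threat>\S+) (?P<status>.+)$"
)


@dataclass(frozen=True)
class Finding:
    path: str       # image path of the scanned process
    pid: int        # process id at scan time
    kind: str       # "memory dump" or "full dump": a hit on process memory, not on a file
    threat: str     # detection name, e.g. DeepScan:Generic.PWStealer.78D3D91E
    status: str     # final action text as printed by the scanner
    resolved: bool  # True when listed under "Probleme rezolvate"

    @property
    def family(self) -> str:
        """Detection family without the DeepScan: prefix or the variant suffix."""
        name = self.threat.split(":", 1)[-1]
        return ".".join(name.split(".")[:2])

    @property
    def from_temp(self) -> bool:
        """Process started from a temp directory: a dropper, not a system binary."""
        return "\\TEMP\\" in self.path.upper()


def parse_log(text: str) -> List[Finding]:
    """Walk the log, tracking which section (resolved/unresolved) each line belongs to."""
    findings, resolved = [], None
    for line in text.splitlines():
        if line.startswith("Probleme nerezolvate"):
            resolved = False
        elif line.startswith("Probleme rezolvate"):
            resolved = True
        elif (m := FINDING_RE.match(line)) and resolved is not None:
            findings.append(Finding(m["path"], int(m["pid"]), m["kind"],
                                    m["threat"], m["status"], resolved))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Triage view: what survived the scan in memory, and where the droppers came from."""
    unresolved = [f for f in findings if not f.resolved]
    return {
        "findings": len(findings),
        "distinct_pids": len({f.pid for f in findings}),
        "distinct_threats": len({f.threat for f in findings}),
        "families": sorted({f.family for f in findings}),
        # Unresolved hits on legitimate system binaries: injected memory the scanner
        # could not clean, so these processes need a second look.
        "needs_investigation": sorted({(f.pid, f.path) for f in unresolved}),
        # Resolved hits on temp-directory processes: the droppers BitDefender removed.
        "droppers_removed": sorted({f.path for f in findings if f.resolved and f.from_temp}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The counts the script derives from the pasted tail (7 findings, 5 distinct processes, 6 distinct detection names) agree with the "Obiecte infectate", "Infectate" (processes) and "Virusi diferiti detectati" lines in the log's summary, which is a useful sanity check when you are reading someone else's report.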
Thank you for your help!
I have uploaded the logs to http://www.sendspace.com/file/zksvfg
Please let me know if there's any problem we should address.
For the moment the system (Windows XP Professional) is compromised - at every startup it "loses" a driver (Video or Network). The driver would look ok in Device Manager, is reported as running by the system but it does not function (I cannot increase video resolution beyond 640x480 or use the network).
The same problem happened to my colleague after the infection - his network drivers - wireless and cable - ceased to function. I am currently using System Restore to recover from this error but this is not a long-term solution.
As far as I can see, the logs you posted do not show any active infection or suspicious files. svchost.exe processes look clean (no suspicious modules injected in them), explorer.exe the same (clean), iexplore.exe is not even running, nor are there any other processes running from temporary folders (like the ones detected and removed by BitDefender in the previous scan). The rest of the running processes are legit. Also, there are no strange hooks present in your system (besides the hooks made by BitDefender and other legit drivers, everything looks clean).
Have you tried another BitDefender Deep Scan, to see the results?
About your driver problems, as far as I can see, you have an nVidia graphics card and its processes and services are up and running. However, I don't know the names of the drivers, so I couldn't check if they are actually loaded.
About your network problems, I see you have 4 network adapters installed. 2 of them are DHCP enabled: two of them have similar IPs, but in different classes: 192.168.1.102 and 192.168.0.102; both have the gateway set accordingly, to 192.168.1.1 and 192.168.0.1; the third one is disconnected (DHCP enabled, but no IP is assigned to it), and the fourth one is also connected (DHCP enabled, with a private IP: 10.80.55.81 having the DHCPServer set to 10.80.55.82, but no gateway is registered on this adapter). Again, I couldn't check if the drivers are loaded because I didn't know their name, but since the adapters are connected I don't see an actual problem.
Have you tried uninstalling and reinstalling the problematic drivers (rebooting after uninstall and after the reinstall)?
Also, you didn't mention anything else about the USB modem. Have you tried connecting to the internet using it, to see if that works?
Cris.