Trojan.heur.gm

The Antivirus 2009 can't seem to get rid of this trojan. Here's my log if someone could help! Thanks!


BitDefender Log File

Product : BitDefender Antivirus 2009
Version : BitDefender UIScanner v.12
Scanning task : Deep System Scan
Log date : 00:31:33 30/03/2009
Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1238387493_1_02.xml

Scan Paths:
Path 0000: C:\
Path 0001: D:\
Path 0002: F:\

Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes

Target Selection Options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :

Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None

Scan engines summary
Number of virus signatures : 2815998
Archive plugins : 45
Email plugins : 6
Scan plugins : 13
System plugins : 5
Unpack plugins : 7

Overall scan summary
Scanned items : 579525
Infected items : 10
Suspicious items : 0
Resolved items : 0
Unresolved items : 106
Password-protected items : 96
Individual viruses found : 2
Scanned directories : 11762
Scanned boot sectors : 4
Scanned archives : 12999
Input-output errors : 0
Scan time : 02:01:20
Files per second : 79

Scanned processes summary
Scanned : 74
Infected : 0

Scanned registry keys summary
Scanned : 1223
Infected : 0

Scanned cookies summary
Scanned : 1223
Infected : 0

Remaining issues:
Object Name Threat Name Final Status
C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1607) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)
C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1618) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)
C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1627) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)
C:\SWSetup\QPW\data2.cab=](IShield Module 1604) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
C:\SWSetup\QPW\data2.cab=](IShield Module 1615) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
C:\SWSetup\QPW\data2.cab=](IShield Module 1624) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1628) Gen:Trojan.Heur.GM.8000036120 Infected (no action was possible, file was in an archive)
C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1629) Gen:Trojan.Heur.GM.8000036120 Infected (no action was possible, file was in an archive)
C:\SWSetup\QPW\data2.cab=](IShield Module 1625) Gen:Trojan.Heur.GM.8000036120 Delete Failed (file was in an archive)
C:\SWSetup\QPW\data2.cab=](IShield Module 1626) Gen:Trojan.Heur.GM.8000036120 Delete Failed (file was in an archive)

Objects that were not scanned:
Object Name Reason Final Status
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/actorobject.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/dx5drv.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/dx7drv.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/objectbundle.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/sound.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wdcaps.ded Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wdengine.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/webdriver.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wthost.exe Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wthostctl.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wtmulti.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wtmulti.jar Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wtwmplug.ax Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]4.1.1/wtwmplug.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]jdriver.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]rdriver.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]wildtangent.jar Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip=]wcmdmgr.exe Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip=]wcmdmgrl.exe Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip=]wt.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]DRM/3.2.0.19/files/controlpanel/index.html Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]DRM/3.2.0.19/files/DRM0302.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]DRM/3.2.0.19/files/DRM0302Java.jar Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]DRM/3.2.0.19/files/jDRM0302.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]DRM/3.2.0.19/files/rDRM0302.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]DRM/3.2.0.19/install/DRM0302.cdanfo Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]DRM/3.2.0.19/install/DRM0302_Uninstall.cdas Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/actorobject.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/controlpanel/index.html Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/dx5drv.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/dx7drv.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/jdriver.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/legacy/data.wts Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/legacy/webdriver.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/legacy/wt3d.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/npWTHost.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/nsIWTHostPlugin.xpt Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/ObjectBundle.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/rdriver.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/Sound.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/update_info/data.wts Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wdcaps.ded Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wdengine.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/Webd331.cdanfo Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/Webd331_fileList.cdas Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/Webd331_Uninstall.cdas Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/webdriver.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wildtangent.jar Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wt3d.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/WTHost.exe Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/WTHostCtl.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wtmulti.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wtmulti.jar Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wtvh.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wtwmplug.ax Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/files/wtwmplug.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/install/Webd4_1_1.cdanfo Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]webd/4.1.1/install/Webd4_1_1_Uninstall.cdas Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]WireControl/1.1.0.23/files/controlpanel/index.html Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]WireControl/1.1.0.23/files/install/WireControl.cdanfo Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]WireControl/1.1.0.23/files/install/WireControl_Uninstall.cdas Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]WireControl/1.1.0.23/files/WireControl.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]wtupdater/appinfo.dat Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]wtwebdriver/update_info/data.wts Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip=]data.wts Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip=]wt3d.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip=]wt3d.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip=]wtvh.dll Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent5.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent6.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent6.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent7.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent7.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent8.zip=]sbRecovery.ini Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent9.zip=]sbRecovery.reg Password-protected No action was possible
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent9.zip=]sbRecovery.ini Password-protected No action was possible
C:\SWSetup\Adobe2\US\Adobe Reader 7.0.50.cab=]read0700win_ENUyhoo0010.pdf Password-protected No action was possible
C:\SWSetup\Adobe2\US\Adobe Reader 7.0.50.cab=]read0700win_ENUhpcq0700.pdf Password-protected No action was possible
C:\SWSetup\Adobe2\US\Data1.cab=]WebSearchENU.pdf Password-protected No action was possible
C:\SWSetup\Adobe2\US\Data1.cab=]RdrMsgENU.pdf Password-protected No action was possible
C:\SWSetup\Adobe2\US\Data1.cab=]read0600win_ENUyhoo0010.pdf Password-protected No action was possible
C:\SWSetup\Adobe2\US\Data1.cab=]RdrMsgSplash.pdf Password-protected No action was possible

Comments

  • Looks like Spybot already detected them. You need to get them out of quarantine there and then start a new BD scan

  • I really don't know what to do. I don't have Spybot on my machine anymore and had not used it in forever. I was getting clean scans with BD until the one I posted for you. I tried to delete any of the remaining Spybot files and that didn't seem to work in getting rid of the trojan. Is there something else I can do? I'm scared to log on to any of my accounts since I don't know if the trojan is active or not.


    Thanks so much. Here's the latest log.


    BitDefender Log File

    Product : BitDefender Antivirus 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Deep System Scan
    Log date : 17:20:24 31/03/2009
    Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1238534424_1_02.xml

    Scan Paths:
    Path 0000: C:\
    Path 0001: D:\
    Path 0002: F:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target Selection Options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : Yes
    Scan runtime packers : Yes
    Scan emails : Yes
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None

    Scan engines summary
    Number of virus signatures : 2816164
    Archive plugins : 45
    Email plugins : 6
    Scan plugins : 13
    System plugins : 5
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 576315
    Infected items : 10
    Suspicious items : 0
    Resolved items : 0
    Unresolved items : 10
    Password-protected items : 0
    Individual viruses found : 2
    Scanned directories : 11757
    Scanned boot sectors : 4
    Scanned archives : 12965
    Input-output errors : 0
    Scan time : 01:38:25
    Files per second : 97

    Scanned processes summary
    Scanned : 75
    Infected : 0

    Scanned registry keys summary
    Scanned : 1222
    Infected : 0

    Scanned cookies summary
    Scanned : 1222
    Infected : 0

    Remaining issues:
    Object Name Threat Name Final Status
    C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1607) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)
    C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1618) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)
    C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1627) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)
    C:\SWSetup\QPW\data2.cab=](IShield Module 1604) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
    C:\SWSetup\QPW\data2.cab=](IShield Module 1615) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
    C:\SWSetup\QPW\data2.cab=](IShield Module 1624) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
    C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1628) Gen:Trojan.Heur.GM.8000036120 Infected (no action was possible, file was in an archive)
    C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1629) Gen:Trojan.Heur.GM.8000036120 Infected (no action was possible, file was in an archive)
    C:\SWSetup\QPW\data2.cab=](IShield Module 1625) Gen:Trojan.Heur.GM.8000036120 Delete Failed (file was in an archive)
    C:\SWSetup\QPW\data2.cab=](IShield Module 1626) Gen:Trojan.Heur.GM.8000036120 Delete Failed (file was in an archive)

  • Hello frmrswife,


    First of all, I want to tell you that, at least for the moment, you have nothing to worry about. Even if that detection is real, the detected files are archived (that's why they couldn't be cleaned automatically). And also because they're archived, it means that they are absolutely inactive, because for an application to be able to run it must be unarchived first, and there are no files detected that are not in an archive.


    Second of all this detection is based on heuristic scanning, which can produce false positives (clean files wrongly marked as infected). For this, you should submit the file for analysis, so that the clear state of the file can be decided.


    So please find this file:


    C:\SWSetup\HPQPDP\data2.cab

    put it in a password-protected archive (ZIP file, with the password infected), upload it on a filesharing host and send me the download link through PM. I'll send it to analysis ASAP and give you the result. Also:


    - in case the file is clean, detection will be removed (so it won't be marked again as infected)


    - in case the file is infected, it will be given a more specific detection name + a removal method


    Cris.
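    The two triage questions Cris raises above (is every remaining detection still inside an archive, so nothing can execute, and are the names heuristic ones that may be false positives) can be checked mechanically against a pasted log. The following Python parser is an added example, not code from this thread or from BitDefender; it takes the "Remaining issues" and "Resolved issues" lines in the format shown in the logs above and assumes that BitDefender's heuristic families carry ".Heur." in their name (as Gen:Trojan.Heur.GM does here) and that "=]" (as rendered on this page) or "=>" separates an archive from its members.

```python
import re
from collections import defaultdict

# Constructed test input: the ten "Remaining issues" entries from the first log in
# this thread plus the single "Resolved issues" entry from the later log.
SAMPLE_LINES = [
    r"C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1607) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)",
    r"C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1618) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)",
    r"C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1627) Gen:Trojan.Heur.GM.8000016020 Infected (no action was possible, file was in an archive)",
    r"C:\SWSetup\QPW\data2.cab=](IShield Module 1604) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)",
    r"C:\SWSetup\QPW\data2.cab=](IShield Module 1615) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)",
    r"C:\SWSetup\QPW\data2.cab=](IShield Module 1624) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)",
    r"C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1628) Gen:Trojan.Heur.GM.8000036120 Infected (no action was possible, file was in an archive)",
    r"C:\SWSetup\HPQPDP\data2.cab=](IShield Module 22)=](IShield Module 1629) Gen:Trojan.Heur.GM.8000036120 Infected (no action was possible, file was in an archive)",
    r"C:\SWSetup\QPW\data2.cab=](IShield Module 1625) Gen:Trojan.Heur.GM.8000036120 Delete Failed (file was in an archive)",
    r"C:\SWSetup\QPW\data2.cab=](IShield Module 1626) Gen:Trojan.Heur.GM.8000036120 Delete Failed (file was in an archive)",
    r"C:\Program Files\Online Services\Vonage\smb\Xtras\regxtra121.x32 Backdoor.Generic.89850 Deleted",
]

# Assumption: the log separates an archive from its members with "=>", which the
# forum rendering on this page shows as "=]"; both forms are accepted.
ARCHIVE_SEP = re.compile(r"=\]|=>")

# One entry is "<object name> <threat name> <final status> [(<reason>)]". The
# object name may contain spaces, so it is matched lazily and the status is
# restricted to the values that occur in the logs in this thread.
ISSUE_RE = re.compile(
    r"^(?P<obj>.+?)\s+(?P<threat>\S+)\s+"
    r"(?P<status>Infected|Delete Failed|Deleted)"
    r"(?:\s+\((?P<reason>[^)]*)\))?$"
)
RESOLVED_STATUSES = {"Deleted"}


def parse_issue_line(line):
    """Split one log entry into its on-disk container, the chain of archive
    members, the threat name and the final status. Returns None for lines that
    are not detection entries (section headers, column headers, blank lines)."""
    m = ISSUE_RE.match(line.strip())
    if not m:
        return None
    parts = ARCHIVE_SEP.split(m.group("obj"))
    return {
        "container": parts[0],      # the file that actually exists on disk
        "members": parts[1:],       # nested archive entries, outermost first
        "threat": m.group("threat"),
        "status": m.group("status"),
        "reason": m.group("reason") or "",
        # Assumption: heuristic families carry ".Heur." in the name.
        "heuristic": ".Heur." in m.group("threat"),
        "in_archive": len(parts) > 1,
    }


def summarize(lines):
    """Group detections by on-disk container and answer the two triage
    questions: are all unresolved detections still inside an archive (so none
    of them is an executable sitting on disk), and are all of them heuristic
    names rather than signature hits (so submitting the container for analysis
    is the right next step)?"""
    entries = [e for e in map(parse_issue_line, lines) if e]
    by_container = defaultdict(list)
    for e in entries:
        by_container[e["container"]].append(e)
    unresolved = [e for e in entries if e["status"] not in RESOLVED_STATUSES]
    return {
        "count": len(entries),
        "containers": {c: sorted({e["threat"] for e in es})
                       for c, es in by_container.items()},
        "unresolved_outside_archive": [e["container"] for e in unresolved
                                       if not e["in_archive"]],
        "all_unresolved_archived": all(e["in_archive"] for e in unresolved),
        "heuristic_only": all(e["heuristic"] for e in unresolved),
        "submit_for_analysis": sorted({e["container"] for e in unresolved
                                       if e["heuristic"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

    Fed the lines of a log pasted in this thread, the summary lists the two CAB files as the only containers to submit and reports that nothing unresolved sits outside an archive.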

  • Hello frmrswife,


    First of all, I want to tell you that, at least for the moment, you have nothing to worry about. Even if that detection is real, the detected files are archived (that's why they couldn't be cleaned automatically). And also because they're archived, it means that they are absolutely inactive, because for an application to be able to run it must be unarchived first, and there are no files detected that are not in an archive.


    Second of all this detection is based on heuristic scanning, which can produce false positives (clean files wrongly marked as infected). For this, you should submit the file for analysis, so that the clear state of the file can be decided.


    So please find this file:


    C:\SWSetup\HPQPDP\data2.cab

    put it in a password-protected archive (ZIP file, with the password infected), upload it on a filesharing host and send me the download link through PM. I'll send it to analysis ASAP and give you the result. Also:


    - in case the file is clean, detection will be removed (so it won't be marked again as infected)


    - in case the file is infected, it will be given a more specific detection name + a removal method


    Cris.


    I had the exact same situation happen to me. I did a scan on my system the evening of 3/30/2009 and BitDefender reported that I had 2 issues:


    C:\SWSetup\HPQPDP\data2.cab


    C:\SWSetup\QPW\data2.cab


    I have never before received a "Positive" result from BitDefender on these files.


    I would be interested in the results of the analysis being performed by BitDefender. I can send my log file if that would help.


    Kate

  • alexcrist (edited April 2009)

    Hello Kate,


    It's good that you pointed out that there are 2 files targeted. I didn't notice that (I thought there's just one CAB, with multiple detections).


    I have a question: does any of you know what those files are exactly? As I found out, the folder C:\SWSetup is like a temporary folder used by HP installers to temporarily unpack some files (installation kits, maybe drivers or other HP specific software). So those files should be clean. However, if the files are too big, I might need the whole installer so I can extract the detected files. Could you tell me if HP provides those applications for download on their site? And a link to those downloads?


    Thank you.


    Cris.



    UPDATE:


    I found out that the two products are actually HP QuickPlay for Windows and HP QuickPlay Direct. However, the software is quite large on the HP download site and the speed is very slow.


    Please post your computer model and the OS you're using, if the software was downloaded from HP as a driver update, or the version of Quickplay that you use. This way, the files can be found and analyzed as soon as possible and a solution to this can be provided.


    Thank you.

  • I also did a scan of my computer last night and the scan came back with 3 problems, one of which was deleted, the other two would not.


    This is my scan log:


    BitDefender Log File !!!!!

    Product : BitDefender Antivirus 2008
    Version : BitDefender UIScanner v.11
    Log date : 18:49:11 31/03/2009
    Log path : C:\Users\Jenny\AppData\Roaming\BitDefender\Desktop\Profiles\Logs\manual_scan\1238539751_1_02.xml

    Scan Paths:
    Path0000: C:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : No

    Target selection options:
    Scan registry keys : No
    Scan cookies : No
    Scan boot sectors : No
    Scan memory processes : No
    Scan archives : No
    Scan runtime packers : No
    Scan emails : No
    Scan all files : No
    Heuristic Scan : No
    Scanned extensions :
    Excluded extensions :

    Target Processing
    Default action for infected objects : None
    Default action for suspicious objects : None
    Default action for hidden objects : None

    Scan engines summary
    Number of virus signatures : 2816164
    Archive plugins : 45
    Email plugins : 6
    Scan plugins : 13
    Archive plugins : 45
    System plugins : 5
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 378522
    Infected items : 5
    Suspicious items : 0
    Resolved items : 1
    Individual viruses found : 3
    Scanned directories : 23099
    Scanned boot sectors : 0
    Scanned archives : 4924
    Input-output errors : 0
    Scan time : 00:01:53:58
    Files per second : 55

    Scanned processes summary
    Scanned : 0
    Infected : 0

    Scanned registry keys summary
    Scanned : 0
    Infected : 0

    Scanned cookies summary
    Scanned : 0
    Infected : 0

    Remaining issues:
    Object Name Threat Name Final Status
    C:\SwSetup\QPW\data2.cab=](IShield Module 2279) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
    C:\SwSetup\QPW\data2.cab=](IShield Module 2290) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
    C:\SwSetup\QPW\data2.cab=](IShield Module 2301) Gen:Trojan.Heur.GM.8000016020 Delete Failed (file was in an archive)
    C:\SwSetup\QPW\data2.cab=](IShield Module 2303) Gen:Trojan.Heur.GM.8000036120 Delete Failed (file was in an archive)

    Resolved issues:
    Object Name Threat Name Final Status
    C:\Program Files\Online Services\Vonage\smb\Xtras\regxtra121.x32 Backdoor.Generic.89850 Deleted

    Objects that were not scanned:
    Object Name Reason Final Status


    I'm using an HP computer, but I don't quite understand what you need me to do and send to you, I will try but I'm not very advanced with these type things.


    Thanks!

  • Hello js10053,


    We managed to get an installation kit for QPW which seems to have the same detections as posted here. The file has been sent for analysis and as soon as I get the result I will post here.


    So for the moment all we need is the answer to the question I posted above:


    Please post your computer model and the OS you're using, if the software was downloaded from HP as a driver update, or the version of Quickplay that you use.


    Cris.

  • Hello js10053,


    We managed to get an installation kit for QPW which seems to have the same detections as posted here. The file has been sent for analysis and as soon as I get the result I will post here.


    So for the moment all we need is the answer to the question I posted above:


    Cris.


    Okay... I'm using the HP Pavilion dv9000t notebook with Windows Vista Home. I'm not sure how the software was downloaded from HP or Quickplay. I generally just get the updates when available from HP, but I'm not 100% sure where it came from.


    Sorry I couldn't be of more help.

  • I have an HP Pavilion dv2000 with Windows XP Media Center Edition. I don't know when the software was downloaded either.

  • My Quickplay version: 2.3.0.3111

  • We have removed some detections from the QPW package. Unfortunately we have not yet obtained a copy of the other package. As versions 2.x of the standalone operating systems are a copy of Windows XP Embedded, I suspect some of the files are shared between the builds but I can't be certain. Please check if detections have been removed after an update. Thank you.

  • Hello Kate,


    It's good that you pointed out that there are 2 files targeted. I didn't notice that (I thought there's just one CAB, with multiple detections).


    I have a question: does any of you know what those files are exactly? As I found out, the folder C:\SWSetup is like a temporary folder used by HP installers to temporarily unpack some files (installation kits, maybe drivers or other HP-specific software). So those files should be clean. However, if the files are too big, I might need the whole installer so I can extract the detected files. Could you tell me if HP provides those applications for download on their site? And a link to those downloads?


    Thank you.


    Cris.



    UPDATE:


    I found out that the two products are actually HP QuickPlay for Windows and HP QuickPlay Direct. However, the software is quite large on the HP download site and the speed is very slow.


    Please post your computer model and the OS you're using, if the software was downloaded from HP as a driver update, or the version of Quickplay that you use. This way, the files can be found and analyzed as soon as possible and a solution to this can be provided.


    Thank you.


  • Chris - I have an HP dv9000z. I figured the files were for the QuickPlay stuff, but don't want to delete it if not necessary (I don't trust that I can reinstall the applications, and HP already messed that up once when I returned the laptop for service; it was quite a hassle to get it working). I'll continue to read this post for what I need to do.


    Thanks,


    Kate

  • Forgot to include that I'm running XP SP2.

  • alexcrist (edited April 2009)

    Right now I have a copy of data2.cab from HPQPDP 2.3.0.3111 (thanks to frmrswife) and QWP 3.0.


    I can confirm that neither of them is detected anymore. :)


    If anyone still has a problem, please post here the version of QuickPlay and Operating System.


    EDIT:


    Kate: There's no need to delete the files. They are clean. :)


    Thank you everyone for reporting this.


    Cris.

  • Thank you, again, Cris for helping!

  • aanaart1 (edited April 2009)

    Hi, all. Since 4/1/09 BD tells me repeatedly that an infected file is detected and cannot be removed. It is


    gen:trojan.heur.VB.0453acecece in my folder: C:\Program Files\Evidence Eliminator\EE.exe. The program runs OK, but the warning pops up 2 or 3 times a session.


    Any ideas?

  • Hello artsteele,


    Detection of EE.exe was a false alarm which was removed from the database a couple of days ago. Please update your virus signatures and rescan the file.


    Cris.

  • FDA (edited June 2009)

    Hello Cris, can you help me please?


    My system is XP and is infected by Trojan.heur.Gm 100400082.


    Here is my log file (the part concerned with the files that failed to delete):


    BitDefender Log File


    Product : BitDefender Total Security 2009


    Version : BitDefender UIScanner v.12


    Scanning task : Deep System Scan


    Log date : 6/12/2009 9:35:46 AM


    Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1244788546_1_02.xml


    Scan Paths:Path 0000: C:\


    Path 0001: D:\


    Path 0002: E:\


    Scan Options:Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : Yes


    Target Selection Options:Scan registry keys : Yes


    Scan cookies : Yes


    Scan boot sectors : Yes


    Scan memory processes : Yes


    Scan archives : Yes


    Scan runtime packers : Yes


    Scan emails : No


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions :


    Excluded extensions :


    Target Processing:Default action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Default action for encrypted infected objects : None


    Default action for encrypted suspicious objects : None


    Default action for password-protected objects : Log as not scanned


    Scan engines summaryNumber of virus signatures : 3347598


    Archive plugins : 45


    Email plugins : 6


    Scan plugins : 13


    System plugins : 5


    Unpack plugins : 7


    Overall scan summaryScanned items : 281140


    Infected items : 34


    Suspicious items : 0


    Resolved items : 26


    Unresolved items : 217


    Password-protected items : 206


    Overcompressed items : 3


    Individual viruses found : 22


    Scanned directories : 5633


    Scanned boot sectors : 6


    Scanned archives : 3281


    Input-output errors : 25


    Scan time : 01:12:33


    Files per second : 64


    Scanned processes summaryScanned : 29


    Infected : 0


    Scanned registry keys summaryScanned : 1001


    Infected : 0


    Scanned cookies summaryScanned : 23


    Infected : 0


    Remaining issues:Object Name Threat Name Final Status


    C:\bdutils.dll.vcd Gen:Trojan.Heur.GM.1004000822 Delete Failed


    C:\livesrv.exe.vcd Gen:Trojan.Heur.GM.1004000822 Delete Failed


    C:\npcomm.dll.vcd Gen:Trojan.Heur.GM.1004000822 Delete Failed


    C:\txmlutil.dll.vcd Gen:Trojan.Heur.GM.1004000822 Delete Failed


    C:\wslib.dll.vcd Gen:Trojan.Heur.GM.1004000822 Delete Failed


    C:\wspack.dll.vcd Gen:Trojan.Heur.GM.1004000822 Delete Failed


    C:\wsutils.dll.vcd Gen:Trojan.Heur.GM.1004000822 Delete Failed


    E:\new withphotoshop\VerbAce-Pro V. 0.88.rar=]VerbAce-Pro V. 0.88\Patch\verbace-pro.v.0.88-patch.exe Trojan.Generic.1674101 Delete Failed (file was in an archive)


    Please tell me, can I delete these files manually? I'm afraid deleting them by myself would affect my system.


    BD cannot take any action :unsure:


    Many thanks for your help in advance


    regards,


    FDA

  • alexcrist (edited June 2009)

    Hello FDA,


    Please find these files:


    C:\bdutils.dll.vcd
    C:\livesrv.exe.vcd
    C:\npcomm.dll.vcd
    C:\txmlutil.dll.vcd
    C:\wslib.dll.vcd
    C:\wspack.dll.vcd
    C:\wsutils.dll.vcd
    E:\new withphotoshop\VerbAce-Pro V. 0.88.rar

    put them in an archive with the password infected, upload them on a file sharing server and send me the download link by PM. Details about password-protection and archive upload are in my signature.


    If BitDefender blocks access to those files, temporarily disable the Realtime Protection.


    Also, please download this tool: BitDefender AVIS


    Unpack all files from that archive into a new, empty folder.


    Then run avis.exe, go to System info and generate a complete system log, using the settings from this screenshot:


    avis.jpg


    The path where the log will be generated will automatically be set to your Desktop. In the screenshot, that path is just an example.


    After the scan is finished, the log will be placed on your desktop, named bd_sys_log.xml.zip. Please upload that file on a file-sharing server (like rapidshare) and send me a download link through PM. We will analyze the log and give you further information.


    Notice: Please do NOT make a system scan for malware with AVIS, unless specifically told to do so by one of the BitDefender Support Members or BitDefender Virus Analysts. Thank you.


    Cris.

  • This file:


    E:\new withphotoshop\VerbAce-Pro V. 0.88.rar

    is missing from the archive you've uploaded. Please find this file and send it to me.


    If you can't find the file, read here: http://forum.bitdefender.com/index.php?showtopic=3573


    Furthermore, the bd_sys_log archive is corrupted (it's empty, to be more exact). Please make a new log with AVIS (as written in the topic) and re-upload the archive.


    Cris.

  • Thanks a lot Cris, I've sent you the infected files and the bd_sys_log.xml.zip by PM.


    waiting for your help


    best regards


  • I have not been able to update my BitDefender for a long time.


    I tried many times, it wouldn't! :(

  • alexcrist (edited June 2009)

    I got the log, I will check it as soon as I can.


    But please send me the other file also. I need it for analysis.


    Also, please use the default font color and size on this forum. Thank you.


    Cris.


    EDIT: Just a little thing: I took a closer look at the scanlog you posted in your first post here. That scanlog is not complete. Please attach here the full scanlog file.

  • After looking in the AVIS log you sent, I found that you might have multiple infections in your system. Some of them, as far as I can remember, should already be detected by BitDefender. So please post the whole scanlog (including the section of "Resolved items").


    Before proceeding, read (and apply) the steps presented here: How To Find Hidden Malware


    After that, find these files:


    c:\windows\ahnrpta.exe
    c:\windows\system32\e8main0.dll
    c:\windows\system32\olhrwef.exe
    c:\autorun.inf
    c:\xdglur.bat
    f:\akish.exe
    c:\windows\system32\ogaverify.exe
    c:\windows\system32\kb905474\wgasetup.exe
    c:\windows\system32\nmdfgds0.dll
    c:\windows\system32\nmdfgds1.dll

    All these files are currently present in your system. If you cannot find one (or more) of them, please tell me which one(s).


    One side question: is your F drive a HDD drive, or a CD/DVD drive?


    Pack all those files in an archive, with the password infected and upload the archive on a file-sharing service. Details about password-protected archives and archive uploading are in my signature.


    After upload, send me the download link by PM.


    I have not been able to update my BitDefender for a long time.


    I tried many times, it wouldn't! :(


    What error do you get exactly when you try to update BitDefender?


    Cris.

  • This file:


    E:\new withphotoshop\VerbAce-Pro V. 0.88.rar

    is missing from the archive you've uploaded. Please find this file and send it to me.


    Cris.


    good day Cris


    I sent the file in Link 2.


    Also, please use the default font color and size on this forum. Thank you.


    Cris.


    :rolleyes: well, thank you for this note, sorry for any inconvenience.


    After looking in the AVIS log you sent, I found that you might have multiple infections in your system. Some of them, as far as I can remember, should already be detected by BitDefender. So please post the whole scanlog (including the section of "Resolved items").


    I sent it to you Link3.


    It's the most recent one. Yesterday the BitDefender program quarantined some files by itself. I'm sure they are in the C partition and the trojan name is Gen.trojan.heur.gm.1004000822, but I can't tell you the file names now; I couldn't memorise them. I only saw more than one pop-up message telling me they were quarantined.


    Before proceeding, read (and apply) the steps presented here: How To Find Hidden Malware


    I applied these steps very well and the hidden files are shown, however I couldn't find some of the wanted files.


    When I go back to Tools>folder options..etc


    I see the options are turned back as before, as if I made no changes to them, though I'm sure I pressed (Apply) then (OK). -_-


    After that, find these files:


    c:\windows\ahnrpta.exe
    c:\windows\system32\e8main0.dll
    c:\windows\system32\olhrwef.exe
    c:\autorun.inf
    c:\xdglur.bat
    f:\akish.exe
    c:\windows\system32\ogaverify.exe
    c:\windows\system32\kb905474\wgasetup.exe
    c:\windows\system32\nmdfgds0.dll
    c:\windows\system32\nmdfgds1.dll

    All these files are currently present in your system. If you cannot find one (or more) of them, please tell me which one(s).


    One side question: is your F drive a HDD drive, or a CD/DVD drive?


    I sent them to you in Link 1.


    I included some notes regarding some files that could be located.


    The F drive is a CD drive (windows XP installation CD).


    What error do you get exactly when you try to update BitDefender?


    Cris.


    I see 1 critical issue that needs to be fixed; when I press FIX the update screen shows but there is no progress :huh:


    I waited for more than an hour, no progress at all.


    I re-installed bitdefender twice, the same issue is still there.


    pictures:


    1bd.png


    12933381.png


    best regards Cris


    I appreciate your help and time


    FDA

  • alexcrist (edited June 2009)

    I sent it to you in Link3.


    Ok, I got that log.


    However, I would appreciate if you can find that particular scanlog, which you posted in your previous post.


    To be exact, find this file and attach it to your next post:


    C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1244788546_1_02.xml

    I need to see what that scan found in your system.


    I applied these steps very well, the hidden files shown, however could'n't find some of the wanted files


    When I go back to Tools>folder options..etc


    I see the options are turned back as before as if I made no changes to them. though I'm sure I press (apply) then (OK). -_-


    It seems that the infection you have in your system is preventing you from changing that option. I will tell you how to deal with it below.


    About the files you sent me:



    c:\windows\ahnrpta.exe - CLEAN
    c:\windows\system32\e8main0.dll - INFECTED (already signed)
    c:\windows\system32\olhrwef.exe - INFECTED (signed, pending update)
    c:\autorun.inf - INFECTED (signed, pending update)
    c:\xdglur.bat - MISSING from archive
    f:\akish.exe - CLEAN
    c:\windows\system32\ogaverify.exe - CLEAN
    c:\windows\system32\kb905474\wgasetup.exe - CLEAN
    c:\windows\system32\nmdfgds0.dll - INFECTED (signed, pending update)
    c:\windows\system32\nmdfgds1.dll - INFECTED (signed, pending update)


    About your update problem, it might also be caused by the infection.


    I will now describe some steps which you have to follow in order to disinfect your system. Normally, in a couple of hours, when the above signed files enter the BitDefender update, BitDefender should be able to clean your system. But because you cannot update it, you have to do a manual cleaning.


    First of all, a very important thing: do NOT double click on drives in Windows Explorer. You have a type of malware which will re-infect your system every time you double click a drive. In order to avoid this and still be able to access your drives, please use this method to access them:


    • right click on the name of the drive you need to access
    • choose Explore (or similar, since you have Windows in a non-English language)
    • a new Windows Explorer window will open, showing the contents of that drive.
    You can double click folders to open them without problems. Just don't double click drives. :)


    Step 1:


    Go to http://www.gmer.net/ and download gmer. Scroll down on that page until you get to the Download section, then click the button Download EXE. It will download a file with a random name (which is normal) which you have to save somewhere.


    After you downloaded it, run it. If you have BitDefender Behavioral module enabled, BitDefender will react to gmer. Please allow any actions related to this tool.


    At start, gmer will make a quick scan of your system. If it asks you to do a complete scan, click No (we will get to that part later, if necessary).


    After the Quick Scan is done, click on the tab with the text "> > >" (without "). Multiple tabs will appear there. Choose the Files tab. There you will find an Explorer-like interface, with files and folders, where you will be able to see all files in your system (regardless of the hidden-files option).


    First of all, try to find this file, in the root of all drives:


    xdglur.bat***

    If you can find it, select it and click Copy. Choose a location to save the file, find it where you saved it, put it in an archive with a password and upload it (like you did with the rest of the files).


    There, find these files:


    c:\windows\system32\e8main0.dll
    c:\windows\system32\olhrwef.exe
    c:\windows\system32\nmdfgds0.dll
    c:\windows\system32\nmdfgds1.dll
    autorun.inf (in the root of all drives)
    xdglur.bat*** (in the root of all drives)

    select them, and click Delete.


    After you have done this, please restart your system.


    Step 2:


    After restart, try again to update BitDefender. If it still doesn't work:


    • generate a new AVIS log and send it to me (like you did before)
    • in addition, open gmer again. After the quick scan is finished, select all checkboxes on the right side of the gmer window (on the Files list, you can select only the drive C) and click Scan. It will take a while to scan. When the scan is done, click Save, save the scan log and send it to me (like the other files).
    If updating BitDefender is successful, then make a Deep Scan of your system and send me the scanlog, along with a fresh AVIS log.


    Remember: don't double click drives until we know that your system is clean.


    Good luck.


    Cris.


    EDIT: The BAT file marked above with *** appears to have a random name. So instead of searching for that particular file, please search, in the root of all drives, all BAT files and send them to me. You have to look only in the root, not in the folders.
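    The "don't double click drives" advice above rests on how autorun.inf works: inside its [autorun] section, the open and shellexecute entries name a program to launch on AutoRun, and shell\<verb>\command entries redefine what a shell verb on that drive runs, "open" being the default verb that a double-click invokes. The script below is an added example for responders triaging a drive root; it is not part of this thread and not a BitDefender or HP tool. It parses an autorun.inf tolerantly, lists every command the file would hand to the shell, and flags those that resolve to a file sitting in the drive root. The autorun.inf contents and the name sample.exe are constructed for the example, since the thread never shows the real file.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample autorun.inf. The contents and the name "sample.exe" are
# made up for this example; the thread does not show the real file.
SAMPLE_AUTORUN = """\
[autorun]
open=sample.exe
shell\\open=Open
shell\\open\\Command=sample.exe
shell\\explore\\Command=sample.exe
shellexecute=sample.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Keys whose value is launched directly on AutoPlay/AutoRun.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command redefines what a shell verb on the drive runs;
# "open" is the default verb, i.e. what a double-click invokes.
VERB_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Tolerant INI parse that keeps duplicates and order.

    Returns {section_name_lower: [(key_lower, value), ...]}. Lines without
    '=' and lines outside any section are ignored rather than rejected.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launched_commands(text):
    """Every command the [autorun] section would hand to the shell,
    as (how, command) pairs; 'how' is the key name or 'verb:<name>'."""
    found = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS:
            found.append((key, value))
        else:
            m = VERB_CMD_RE.match(key)
            if m:
                found.append(("verb:" + m.group(1).lower(), value))
    return found


def audit_autorun(text, root_files):
    """Flag commands that resolve to a file sitting in the drive root (the
    pattern in this thread) and note whether the 'explore' verb was
    redefined too, in which case right-click > Explore is no safer than a
    double-click."""
    root = {name.lower() for name in root_files}
    findings = []
    explore_hijacked = False
    for how, cmd in launched_commands(text):
        target = cmd.split()[0].strip('"') if cmd else ""
        exe = PureWindowsPath(target).name.lower()
        if how == "verb:explore":
            explore_hijacked = True
        if exe in root:
            findings.append({"how": how, "command": cmd, "file": exe})
    return {"findings": findings, "explore_hijacked": explore_hijacked}


if __name__ == "__main__":
    # Constructed drive-root listing to audit against.
    report = audit_autorun(SAMPLE_AUTORUN, ["autorun.inf", "sample.exe", "boot.ini"])
    for f in report["findings"]:
        print(f"{f['how']:14} -> {f['command']}")
    print("explore verb redefined:", report["explore_hijacked"])
```

    The report is an inventory, not a verdict: a vendor CD legitimately carries open=setup.exe. On a hard disk or USB stick, though, any autorun.inf whose commands point at files in the root deserves the treatment given in this thread, and the explore_hijacked flag tells you whether the right-click > Explore workaround is itself safe or whether the drive should be inspected from a tool that does not go through shell verbs at all.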


  • I deleted the files you specified


    the update doesn't start unfortunately


    before I move to step2, I have a question please


    regarding your last editing note


    should I delete every bat file?


    or just find them ?


    ::


    I sent the bat files I found; they are three but have different copies in every drive.


    I included some pictures of the gmer explorer interface. I noticed there is a copy of every file with an extension (Zone.Identifier); is that related in any way to the infection?


    would you please have a look at the pictures there in the folder I sent?


    thank you so much

  • Hello FDA,


    It seems that your infection goes a little deeper than I expected. As shown in the scanlog you sent me, BitDefender already detected and deleted multiple files with random names from your drives. However, as shown in the screenshot you attached (which was a very good idea, by the way :) ), there are still some suspect files there:


    1f.bat
    6phx.com
    9dlvtiil.exe
    b.com
    fsaht.cmd
    sm.exe


    Find these files on all your drive roots and send them to me (like before).


    Also, in case new files were generated, please send any file with a random name, with the extension cmd, bat, exe, com, dll from the roots of the drives.


    Also, remember not to double click drives! (I keep repeating this, so you won't accidentally do it, cos you'll have to start over again).


    Question: did you delete the autorun.inf files before you restarted your computer? If you did, please tell me if those file re-appeared after the system restart. If you didn't, please delete them and restart your system.


    As for the rest of the files I asked now (these random-named files), don't delete them just yet. I need to get a confirmation from the analysis department first.


    I will also ask about Zone.Identifier. As far as I know, that is harmless, it's normal to appear in some conditions and they aren't connected to an infection. But I have to double check this.


    Also, use gmer to make a complete scan of your system, as I explained in my previous post, and send me the log. After you make a gmer log, please also make a new log with AVIS.


    Cris.

  • Hello Cris


    Question: did you delete the autorun.inf files before you restarted your computer? If you did, please tell me if those file re-appeared after the system restart. If you didn't, please delete them and restart your system.


    Yes I deleted that file and it re-appeared.


    I collected the random-named files you asked me to find and made the Gmer log ready


    BUT I thought of making a BD scan and as usual it detected the Verbace file as a trojan, but not in E; it detected it in the C system files.


    I thought I should delete the Verbace from the E drive, and I did that.


    I went to check the startup manager and unfortunately I saw the olhrwef.exe in the autostart list, I deleted its entry.


    I restarted my system to prepare the avis and BD scan log for you, the system was working normally this morning.


    But now I cannot get access to the system; I am using another computer to write this post. :(


    The Windows logo screen takes a long time to load and then it restarts again; sometimes I can see the black screen with the choices (Safe Mode, Safe Mode with Networking, etc.).


    No choice works: either it restarts again or the arrow keys do nothing, so I can't choose any.


    Any idea, please?

  • I'm sorry to hear this. :(


    Start your system and press F8 multiple times while it's starting (before it starts booting up Windows). You should get to the Boot Menu (that screen where you can select Safe Mode).


    There should be an option to Disable Automatic restart on system failure. Choose that option and start your system normally. In case you get a Blue Screen of Death (BSOD), please note what is said on that screen (mainly the error code, the STOP code and any files that are referenced). Post that info here.


    Cris.


  • thanks Cris


    I'll do that if it happens again!


    ----


    Good news... Now it starts normally. I sent you the files and the scan logs you asked for :)


    A million thanks

  • alexcrist (edited June 2009)

    Hello FDA,



    I'm sorry for the late reply (I've been extremely busy the last few days).


    About the files you sent:


    All of the following files are CLEAN:



    all files found in the folder FoundinWindowsFolder are clean (mostly legit system files)
    3DMaker.8bf
    AUTOEXEC.BAT (this is a system file)
    avpagecurl20d.exe
    bitdefender_tsecurity.exe
    bittotal.exe
    boot.ini (this is a system file)
    cleaner5demo.exe
    monkeyking_chinese_105.exe
    NTDETECT.COM (this is a system file)


    The following file contains an adware (RelevantKnowledge):


    spac2001.exe


    The following files are infected:



    1f.bat (detected as Trojan.PWS.OnLineGames.KCMS)
    6phx.com (sent to labs)
    9dlvtiil.exe (detected as Trojan.PWS.OnLineGames.KCMS)
    b.com (sent to labs)
    sm.exe (sent to labs)
    sv8c2bjw.bat (detected as Trojan.PWS.OnLineGames.KCMW)
    xdglur.bat (detected as Trojan.PWS.OnLineGames.KCNA)


    The good news is that the logs you sent appear to be clean.


    BitDefender didn't show any detections.


    Gmer didn't detect anything suspicious.


    AVIS shows that the processes are clean, there aren't any other autorun.inf files, no hidden processes/files.


    Please delete the above files (the ones I said are infected). Do NOT remove any files I marked as "system file", as deleting them might lead to system failure and failing to boot.


    After you remove those files, please tell me if you have other problems.


    Cris.

  • I am not sure if this is where I should inquire about this or not...


    My BitDefender 2008 Antivirus has recently started finding numerous Trojan.heur.######## threats.


    Several of them have been in old archived emails, but with a deep scan yesterday I am also seeing them in the C:\Windows\assembly\ directory tree.


    All of these threats show up as "no action is possible".


    I am not sure what to do...


    Thanks in advance for any help.

  • Hello Soulsong,


    Please save the latest Deep System Scan log on your system, go to http://www.sendspace.com/, upload it and then reply with the download link.


    Thank you.

  • I did another Deep Scan and now no threats are being detected.


    Is there any way that I can verify that BitDefender itself hasn't been infected/compromised to mask other viruses?


    thanks,


    jw

  • Hello Soulsong,


    Usually, if a BitDefender file or driver becomes infected, the program stops responding. That is why we usually ask our clients to run some diagnostic tools and send us back the resulting reports. If your system still acts as being infected, please let us know and we will further investigate this issue through email.


    Thank you.

  • I guess I will assume my system is clean and just cautiously monitor it.


    thanks

  • Hi, I have a few computers that are infected.


    Below is the log from one of the computers. I tried to quarantine the files, restart the computer and do another deep scan, and there are still 2 infected files.


    Is there any way to remove the virus so it will stop infecting other files? How can it be removed?


    BitDefender Log File !!!!!


    Product : BitDefender Internet Security 2008


    Version : BitDefender UIScanner v.11


    Log date : 15:52:42 07/07/2009


    Log path : C:\ProgramData\BitDefender\Desktop\Profiles\Logs\deep_scan\1246953162_1_02.xml


    Scan Paths:Path0000: C:\


    Path0001: D:\


    Scan Options:Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : Yes


    Target selection options:Scan registry keys : Yes


    Scan cookies : Yes


    Scan boot sectors : Yes


    Scan memory processes : Yes


    Scan archives : Yes


    Scan runtime packers : Yes


    Scan emails : Yes


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions :


    Excluded extensions :


    Target ProcessingDefault action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Scan engines summaryNumber of virus signatures : 3654532


    Archive plugins : 45


    Email plugins : 6


    Scan plugins : 13


    Archive plugins : 45


    System plugins : 5


    Unpack plugins : 7


    Overall scan summaryScanned items : 262048


    Infected items : 6


    Suspicious items : 0


    Resolved items : 4


    Individual viruses found : 2


    Scanned directories : 20554


    Scanned boot sectors : 3


    Scanned archives : 9753


    Input-output errors : 0


    Scan time : 00:00:44:28


    Files per second : 97


    Scanned processes summaryScanned : 57


    Infected : 0


    Scanned registry keys summaryScanned : 945


    Infected : 0


    Scanned cookies summaryScanned : 10


    Infected : 0


    Remaining issues:Object Name Threat Name Final Status


    C:\WINDOWS\System32\spool\drivers\w32x86\PCC\es3cx2.inf_f07d5554.cab=]eS3cx3.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Delete Failed (file was in an archive)


    C:\WINDOWS\System32\spool\drivers\w32x86\PCC\es3cp2.inf_f215c200.cab=]eS3cp3.dll Gen:Trojan.Heur.Hype.316D929292 Delete Failed (file was in an archive)


    Resolved issues:Object Name Threat Name Final Status


    C:\WINDOWS\System32\DriverStore\FileRepository\es3cx2.inf_f07d5554\eS3cx3.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\WINDOWS\System32\spool\drivers\w32x86\3\eS3cx3.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\WINDOWS\System32\DriverStore\FileRepository\es3cp2.inf_f215c200\eS3cp3.dll Gen:Trojan.Heur.Hype.316D929292 Moved to Quarantine


    C:\WINDOWS\System32\spool\drivers\w32x86\3\eS3cp3.dll Gen:Trojan.Heur.Hype.316D929292 Moved to Quarantine


    Objects that were not scanned:Object Name Reason Final Status

  • Hi, this is log from another computer.


    Apparently, I think the virus infected my printer driver. I can't print anything now. I can't even reinstall the driver.


    Please help me!


    Product : BitDefender Internet Security 2008


    Version : BitDefender UIScanner v.11


    Log date : 15:38:00 07/07/2009


    Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1246952280_1_02.xml


    Scan Paths:Path0000: C:\


    Path0001: E:\


    Scan Options:Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : Yes


    Target selection options:Scan registry keys : Yes


    Scan cookies : Yes


    Scan boot sectors : Yes


    Scan memory processes : Yes


    Scan archives : No


    Scan runtime packers : Yes


    Scan emails : Yes


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions :


    Excluded extensions :


    Target Processing:
    Default action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Scan engines summary
    Number of virus signatures : 3654532


    Archive plugins : 45


    Email plugins : 6


    Scan plugins : 13


    Archive plugins : 45


    System plugins : 5


    Unpack plugins : 7


    Overall scan summary
    Scanned items : 81859


    Infected items : 6


    Suspicious items : 0


    Resolved items : 6


    Individual viruses found : 2


    Scanned directories : 4216


    Scanned boot sectors : 3


    Scanned archives : 7790


    Input-output errors : 0


    Scan time : 00:00:28:25


    Files per second : 47


    Scanned processes summary
    Scanned : 42


    Infected : 0


    Scanned registry keys summary
    Scanned : 777


    Infected : 0


    Scanned cookies summary
    Scanned : 439


    Infected : 0


    Remaining issues:
    Object Name Threat Name Final Status


    Resolved issues:
    Object Name Threat Name Final Status


    C:\System Volume Information\_restore{77F51192-6135-4F11-A8E0-5A9194FE0C11}\RP343\A0053581.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\WINDOWS\system32\spool\drivers\w32x86\3\eS4cfx.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\WINDOWS\system32\spool\drivers\w32x86\toshibae_studio2500cca81\eS3cx3.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\WINDOWS\system32\spool\drivers\w32x86\toshibae_studio3511eebb\eS4cfx.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\System Volume Information\_restore{77F51192-6135-4F11-A8E0-5A9194FE0C11}\RP344\A0056227.dll Gen:Trojan.Heur.Hype.316D929292 Moved to Quarantine


    C:\WINDOWS\system32\spool\drivers\w32x86\toshibae_studio2500cca81\eS3cp3.dll Gen:Trojan.Heur.Hype.316D929292 Moved to Quarantine


    Objects that were not scanned:


    Object Name Reason Final Status


    BitDefender Log File !!!!!


    Product : BitDefender Internet Security 2008


    Version : BitDefender UIScanner v.11


    Log date : 16:20:12 07/07/2009


    Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1246954812_1_01.xml


    Scan Paths:
    Path 0000: C:\


    Path 0001: E:\


    Scan Options:
    Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : Yes


    Target selection options:
    Scan registry keys : Yes


    Scan cookies : Yes


    Scan boot sectors : Yes


    Scan memory processes : Yes


    Scan archives : Yes


    Scan runtime packers : Yes


    Scan emails : Yes


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions :


    Excluded extensions :


    Target Processing:
    Default action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Scan engines summary
    Number of virus signatures : 3654532


    Archive plugins : 45


    Email plugins : 6


    Scan plugins : 13


    Archive plugins : 45


    System plugins : 5


    Unpack plugins : 7


    Overall scan summary
    Scanned items : 96920


    Infected items : 4


    Suspicious items : 0


    Resolved items : 4


    Individual viruses found : 2


    Scanned directories : 4216


    Scanned boot sectors : 3


    Scanned archives : 1146


    Input-output errors : 0


    Scan time : 00:00:24:03


    Files per second : 66


    Scanned processes summary
    Scanned : 40


    Infected : 0


    Scanned registry keys summary
    Scanned : 777


    Infected : 0


    Scanned cookies summary
    Scanned : 442


    Infected : 0


    Remaining issues:
    Object Name Threat Name Final Status


    Resolved issues:
    Object Name Threat Name Final Status


    C:\System Volume Information\_restore{77F51192-6135-4F11-A8E0-5A9194FE0C11}\RP344\A0057409.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\System Volume Information\_restore{77F51192-6135-4F11-A8E0-5A9194FE0C11}\RP344\A0057411.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\System Volume Information\_restore{77F51192-6135-4F11-A8E0-5A9194FE0C11}\RP344\A0057412.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine


    C:\System Volume Information\_restore{77F51192-6135-4F11-A8E0-5A9194FE0C11}\RP344\A0057410.dll Gen:Trojan.Heur.Hype.316D929292 Moved to Quarantine


    Objects that were not scanned:
    Object Name Reason Final Status

  • Hello mclarensquall,


    Please go to the next link: http://kb.bitdefender.com/KB490-br--The-sy...s-infected.html , run the Avis and the Gmer tools and, after you obtain the reports, upload them here: http://sendspace.com/ and post the download links here.


    Thank you.

  • Hi Alex,


    I can't download the files from the website. The link appears to be broken.

  • mclarensquall
    edited July 2009
    Hi Alex, ignore my previous post. I can download the files and will PM you the logs. Thanks.
  • hadidarwiche
    edited July 2009

    Help... please, anyone. I can't remove my infected files... they are in my BitDefender update files.


    Below is the log file.



    BitDefender Log File


    Product : BitDefender Total Security 2009


    Version : BitDefender UIScanner v.12


    Scanning task : Quick System Scan


    Log date : 07/22/2009 1:21:46 PM


    Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\quick_scan\1248258106_1_02.xml


    Scan Paths:
    Path 0000: C:\WINDOWS


    Path 0001: C:\Program Files


    Scan Options:
    Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : No


    Target Selection Options:
    Scan registry keys : No


    Scan cookies : No


    Scan boot sectors : No


    Scan memory processes : No


    Scan archives : No


    Scan runtime packers : Yes


    Scan emails : No


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions : ;exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;bat;drv;cpl;swf;pl;


    Excluded extensions :


    Target Processing:
    Default action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Default action for encrypted infected objects : None


    Default action for encrypted suspicious objects : None


    Default action for password-protected objects : Log as not scanned


    Scan engines summary
    Number of virus signatures : 2979879


    Archive plugins : 45


    Email plugins : 6


    Scan plugins : 13


    System plugins : 5


    Unpack plugins : 7


    Overall scan summary
    Scanned items : 13298


    Infected items : 7


    Suspicious items : 0


    Resolved items : 0


    Unresolved items : 7


    Password-protected items : 0


    Overcompressed items : 0


    Individual viruses found : 1


    Scanned directories : 5250


    Scanned boot sectors : 0


    Scanned archives : 0


    Input-output errors : 1


    Scan time : 00:09:30


    Files per second : 23


    Scanned processes summary
    Scanned : 0


    Infected : 0


    Scanned registry keys summary
    Scanned : 0


    Infected : 0


    Scanned cookies summary
    Scanned : 0


    Infected : 0


    Remaining issues:
    Object Name Threat Name Final Status


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\BDUtils.dll Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\npcomm.dll Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\txmlutil.dll Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\WSLib.dll Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\WSPack.dll Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\WSUtils.dll Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed
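The result tables in the UIScanner logs posted in this thread (the es3cx2/es3cp2 printer-driver scans, the deep-scan follow-up, and the quick scan above that flagged the BitDefender Update Service files) all use one line layout: object path, threat name, final status. The Python below is an added example, not code from this thread or from BitDefender: it parses those lines and sorts each hit into the case that explains why the scanner could or could not act on it (a member inside an archive, which BitDefender writes as outer=]inner; a copy held in a System Restore point under System Volume Information; a failed action on one of the product's own files; or a hit that was handled). The set of status phrases it recognises, and the classification rules, are my assumptions drawn from what is visible in these logs; the sample input is constructed from lines copied from them.

```python
"""Triage the result tables of a BitDefender UIScanner text log.

Added example for this thread; not BitDefender code. The status phrases and
path conventions below are the ones visible in the logs posted above.
"""
import re
from collections import Counter

# Final-status phrases that occur in the posted logs (with an optional
# parenthesised reason such as "(file was in an archive)"). Lines whose
# status is not one of these are skipped rather than mis-split, because
# paths may contain spaces ("Program Files", "System Volume Information").
STATUS_RE = (r"(?P<status>(?:Moved to Quarantine|Move to Quarantine Failed|"
             r"Delete Failed|Disinfected|Deleted|Infected)(?: \([^)]*\))?)")
ENTRY_RE = re.compile(r"^(?P<path>.+?) (?P<threat>\S+) " + STATUS_RE + r"$")
SECTION_RE = re.compile(
    r"^(Remaining issues|Resolved issues|Objects that were not scanned):")

# Constructed sample: one line of each kind copied from the logs in this thread.
SAMPLE_LOG = r"""
Remaining issues:Object Name Threat Name Final Status
C:\WINDOWS\System32\spool\drivers\w32x86\PCC\es3cx2.inf_f07d5554.cab=]eS3cx3.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Delete Failed (file was in an archive)
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\BDUtils.dll Gen:Trojan.Heur.GM.1004000822 Move to Quarantine Failed
Resolved issues:Object Name Threat Name Final Status
C:\System Volume Information\_restore{77F51192-6135-4F11-A8E0-5A9194FE0C11}\RP344\A0057409.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine
C:\WINDOWS\system32\spool\drivers\w32x86\3\eS4cfx.dll Gen:Trojan.Heur.Hype.114DB2B2B2 Moved to Quarantine
Objects that were not scanned:Object Name Reason Final Status
"""


def parse_results(log_text):
    """Return [{section, path, threat, status}, ...] from the result tables."""
    entries = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:  # column-header residue such as "Object Name ..." does not match
            entries.append({"section": section, **m.groupdict()})
    return entries


def classify(entry):
    """Explain why the scanner could or could not act on a hit."""
    path, status = entry["path"], entry["status"]
    if "=]" in path:
        # BitDefender writes archive members as outer=]inner; it does not
        # rewrite the archive, so the hit stays until the .cab is removed.
        return "archive-member"
    if "\\System Volume Information\\_restore" in path:
        # Copy held in a System Restore point; it is gone only once System
        # Restore is disabled or the restore points are purged.
        return "restore-point"
    if "\\BitDefender\\" in path and "Failed" in status:
        # The product flagged its own running component; confirm the
        # detection (vendor signature, second opinion) before deleting.
        return "vendor-self-detection"
    if "Failed" in status:
        return "action-failed"
    return "handled"


def triage(log_text):
    """Summarise a log: entries, distinct threat names, class counts, leftovers."""
    entries = parse_results(log_text)
    return {
        "entries": entries,
        "unique_threats": sorted({e["threat"] for e in entries}),
        "by_class": dict(Counter(classify(e) for e in entries)),
        "needs_manual": [e["path"] for e in entries
                         if classify(e) != "handled"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["entries"]:
        print(f"{classify(e):22} {e['threat']:34} {e['path']}")
    print(report["by_class"])
```

Paste a whole log into `triage()` and the `needs_manual` list is exactly the set of paths the product's own "Disinfect" default could not deal with, each with a reason a practitioner can act on (remove the .cab, purge restore points, or verify the vendor file) instead of rescanning and getting the same result.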

  • Hello Hadi Darwiche,


    Unfortunately the BitDefender files that were detected as infected cannot be disinfected, and that is why, as a first step, we need to remove them. After that you will have to perform a repair in order to replace them. Here is what you have to do:


    1. Open BitDefender and click on Switch to Advanced View. Select Antivirus, then click on the Quarantine tab.


    2. Select all the files that you find there, right-click on them and choose Delete.


    3. Click on Start in Windows, choose All Programs and then choose BitDefender 2009.


    4. Select Repair or Remove, choose Next when the new window appears and then choose Repair.


    5. Reboot your computer when prompted and proceed with the repair process of BitDefender.


    If you could not repair BitDefender following these steps, you can download the BitDefender installation kit from the next link: http://download.bitdefender.com/windows/de...ty_2009_32b.exe . After you do this, run it, click on Next on the first window that is displayed and then choose Repair.


    Thank you.

  • Hi Alex


    Thank you for the reply. I tried everything you told me, but nothing worked. Every time I delete and install or repair, the installation hangs forever on the "Copying new files" part, on one certain file named "Bdfndisf.sys", and eventually (after one hour of waiting) I get frustrated and cancel that part.


    I don't know if you have a solution for that. I can't seem to think of something. I tried deleting everything manually and reinstalling, but still the same problem.


    Would really appreciate a solution. Thanks.



  • Hello Hadi Darwiche,


    Please try reinstalling BitDefender following the steps below:


    1. First save and run the uninstall tool from the next link, and then reboot the PC:


    http://www.bitdefender.com/uninstall


    2. Download and install BitDefender from one of the following links:


    BitDefender Antivirus 2009


    http://download.bitdefender.com/windows/de...us_2009_32b.exe


    BitDefender Internet Security 2009


    http://download.bitdefender.com/windows/de...ty_2009_32b.exe


    BitDefender Total Security 2009


    http://download.bitdefender.com/windows/de...ty_2009_32b.exe


    3. Register it with your license.


    Please let us know what happened.


    Thank you.

  • Thank you. It worked, finally! I think I had a corrupt installation kit or something.


    But after installation and registration, I go through the 9-step process, and when I'm on step 8 and it finishes updating, a BitDefender virus alert pops up with the following virus, Trojan.heur.gm, like six or seven of them, either denied or quarantined (just like the previous times).


    I haven't done anything; what should I do? How do I get rid of this virus?