Generic.pwstealer

Hi,


I'm a webdeveloper. Today I've found out that some of my websites have been edited against my will and without my knowledge. Always the same technique: injection of an iframe at the top or bottom of an index.php or index.html file. Very, very strange, because I'm very strict about Internet safety, I scan regularly and always keep my sites up to date (Wordpress, etc).


I ran some scans while being out of the house, and apparently Bitdefender Antivirus has found some problems. Two problems it cannot delete / quarantine / solve. I've changed all passwords and put back-ups in place, but I'm scared that I'm not protected anymore.


Bitdefender finds two things:


<ScanDetails>


<AffectedItem itemType ="File" path="[system]=]C:\WINDOWS\system32\svchost.exe (full dump)" threatType="virus" threatName="DeepScan:Generic.PWStealer.4C44AE17" action="disinfect" finalStatus= "infected" error= "no action possible"/>


<AffectedItem itemType ="Process" path="[system]=]C:\WINDOWS\system32\svchost.exe (memory dump)" threatType="virus" threatName="Generic.PWStealer.0E96BF1A" action="disinfect" finalStatus= "infected" error= "no action possible"/>


</ScanDetails>


When I reboot, I get a pop-up message saying that the system will be shut down due to an error with services.exe. It gives the error code: 1073741819


I've read the forums here, and saw a similar case. I ran AVIS, made a log. Tried to reboot but it doesn't work. It gives me the shutdown symptoms I described. I included some logs: scanlog, AVIS log, HijackThis log...


Basically, I can't do anything. I've tried to run Bitdefender Antivirus 2008 in Safe Mode, but it doesn't seem to be working. Apparently, in Safe Mode there's a permissions problem.


I run a legitimate version of Windows XP, service pack 3. I have a legitimate version of Bitdefender Antivirus 2008.


Can someone please help me? I cannot lose any of my data... I'm starting to panic.


Thanks in advance.

Comments

  • alexcrist
    edited June 2009

    Hello speshdiv,


    First of all, I'd like to ask you to never post unprotected AVIS logs. In AVIS there's an option to Compress log, which will also protect it with a password. The log contains a lot of your system's info and you might not want all that info to be publicly available.


    About your problem, the only suspect application I can find in these logs is:


    c:\\documents and settings\\<username>\\menu start\\programma's\\opstarten\\rncsys32.exe

    Please find this file, put it in a password-protected archive (with the password infected), upload it on a file-sharing server and send me the download link by PM.


    Also, in that archive add an infected HTML or PHP file (a file that contains the malicious iframe).


    Cris.

  • speshdiv
    edited June 2009

    Hi Cris,


    Thanks for your reply.


    I've searched for the file you said (rncsys32.exe) but I don't seem to find it anywhere. I think it might have been removed in all the scans. So I'm sorry, but I can't put it in the archive.


    Several deep scans later, I still get the same virus warnings. Every time I get the same message it cannot be removed.


    I've cleaned up most of my current sites, but I've still found some infected index files for you. The virus targets all files with "index" in it, regardless of suffix or extension. Also, I've seen the malicious code in some files with "admin" in the filename.


    Here is the archive:


    <removed>


    I understand, concerning the logs, thank you for the heads up. Can you please remove them for me? I don't see the option to remove them myself.


    What's our next move? Is it safe to format only the C: partition, since no virus warnings have been found on other partitions? Or is this not necessary?


    Thanks for your speedy response.

  • alexcrist
    edited June 2009

    The file might be hidden.


    Go to http://www.gmer.net/ and download gmer. Scroll down on that page until you get to the Download section, then click the button Download EXE. It will download a file with a random name (which is normal) which you have to save somewhere.


    At start, gmer will make a quick scan of your system. If it asks you to do a complete scan, click No (we will get to that part later, if necessary).


    After the Quick Scan is done, click on the tab with the text "> > >" (without "). Multiple tabs will appear there. Choose the Files tab. There you will find an Explorer-like interface, with files and folders, where you will be able to see all files in your system.


    There try to find the file I asked for above. If you find it, select it and click Copy. Save it somewhere else in your system, archive it with a password and send it to me (like I said above).


    Also, please don't post links to infected files on the forum. Send them to me by PM, as other users might click on those links and get infected. Thank you.


    Cris.


    EDIT: Looking again in your BD log, I noticed this file:


    C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\8XHQR7WN\readme[1].pdf

    detected as infected in your temporary Internet Files. Please manually delete this file (you can do it using gmer).

  • Hi Cris,


    Sorry for not being able to reply sooner. I was at work.


    I did a quick scan with Gmer as you said.


    When the scan finishes, it says:


    Gmer has found system modification which might have been caused by rootkit activity.


    In red, I see


    Service - System32\drivers\d3006573.sys (*** hidden ***) [sYSTEM d3006573]


    It asks to do a full scan, which I declined, since I want to wait for your further instructions.


    I searched for the file you mentioned before, using the file browser of Gmer, but it doesn't seem to be there. I cannot find it. Maybe it got removed in all the scanning.


    Please find attached a log of Gmer's quick scan (it doesn't contain any personal information).


    I await your further instructions. Thanks for your speedy response.

  • First of all, please use gmer to find the file it specified:


    C:\windows\System32\drivers\d3006573.sys

    Find it, put it in a password-protected archive and send it to me (as I said above).


    Also, make a complete scan with gmer and attach the log. I will take a look at the log you already attached tomorrow (it's very late now, I don't quite have time for it, unfortunately).


    Cris.

  • Hi Cris,


    Thanks for your response.


    Well, although Gmer found d3006573.sys to be a threat, it cannot locate the physical file. I've tried finding it using the built-in file explorer, even tried to filter on hidden instances, but it doesn't find the file anymore.


    I remember that Hitman Pro (cloud computing antimalware software: http://www.surfright.nl/en/) ran at startup today and found d3006573.sys to be a threat. It removed it immediately and rebooted the computer.


    Afterwards, I looked at your reply and ran the Gmer quickscan. It still recognized d3006573.sys to be a threat, even though it could not locate the physical file.


    I then ran a BitDefender deep scan, and Bitdefender did not find any threats anymore (whereas it used to always find the two instances I said before).


    I rebooted, ran a Gmer quick scan, which showed no threats. I then ran a full system scan with Gmer, as you said, and Gmer found one (seemingly) infected file (Xenocode.Sandbox.exe), leading it to believe I have a rootkit on my computer.


    The thing is that I know Xenocode Sandbox. I recently installed it. It is software for webdesigners to cross-browser-test their applications. It can generate (among others) an instance of Internet Explorer 6, inside a browser of choice. It is well known and respected software (www.xenocode.com).


    I'll send you an archive with the infected file immediately, password protected with "infected". Also, I attached the log for you.


    Basically we're at a point where no threats are detected anymore, except by Gmer full scan, but I think this is a false positive (although, I'm no expert).


    Thanks for your response.

  • Gmer and AVIS are not malware scanning tools. They do not show items that represent threats, based on certain scanning rules/definitions. These tools just scan the system at certain points (processes, system hooks, registry, etc...) and they generate a report. That report should be analyzed by a person (not by an automated system) who knows what to look for.


    So what shows up in those reports are not necessarily malware or threats. Since Xenocode Sandbox is a trusted application (and since no antivirus engine detects anything suspicious about it), then my guess is that it's clean.


    However, it would have been important for us to get that other file, which obviously was a threat. In case any problems re-appear, please post here.


    I'm not saying that it's a bad thing that you cleaned your system. But if the BitDefender Analysis Department gets a sample of that malware, other future infections with the same malware can be detected and prevented. :)


    Cris.

  • You're completely right, it would have been better if I could have sent you the infected file. I didn't scan on purpose, Hitman just found the threat (at startup) and immediately removed it. If you need any additional information, maybe in case of a future similar case, please let me know, I'd be happy to give it.


    If I see any strange behaviour or the file pops up again, I'll immediately send it to you. I'll do a quick scan with Gmer on all my workstations during next week.


    I guess my system is clean then. Could you answer me these last questions?


    1. Do you think it is necessary to upgrade from BitDefender Antivirus to BitDefender Internet Security, or do you think that with common sense, being behind a router and regular scans this is overkill? Am I right to assume an Internet Security pack slows down your computer a lot (important, since I have an older computer)? Is there any way to upgrade from my version to an Internet Security suite?


    2. My system is clean, though I would like to do a complete format of my drive. All this talk about rootkits has made me a little nervous. Could you point me to a resource where I can learn about Low Level formatting? Or what do you advise, to be absolutely sure everything is gone? Any tips? Should I take into account the possibility of an infected BIOS or something (don't know anything about this topic)?


    3. In your view, do you think that KeePassX (http://www.keepassx.org/) is a safe way of storing passwords?


    Thanks for your kind help.

  • I am also a webdesigner, and had the same exact thing happen to me today - iframes injected into the php files of 4 of my WP websites - but only my WP sites, not any static sites.


    I ran bitdefender - came up with several items that could not be deleted, disinfected, or quarantined.


    svchost.exe - Generic.PWStealer


    podmena.dll - Trojan.spy.YAM


    trojan.dropper.cutwail.dd


    I am running 2009 Bit Defender Security. I've changed my passwords, and backed up my files just in case.


    I am scared to login to my websites, FTP, or even go on the internet for fear that these will cause more damage to more of my websites or steal more of my passwords. I am using roboform to manage my passwords.


    I am also getting a strange redirect when I go to google or yahoo - it appears that it is redirecting me to advertisements and pop-ups when I use the search engines.


    Please advise - I want to get this cleaned up asap.


    Thanks for all your help in advance.


    Adam

  • alexcrist
    edited June 2009
    1. Do you think it is necessary to upgrade from BitDefender Antivirus to BitDefender Internet Security, or do you think that with common sense, being behind a router and regular scans this is overkill? Am I right to assume an Internet Security pack slows down your computer a lot (important, since I have an older computer)? Is there any way to upgrade from my version to an Internet Security suite?


    As far as I know, all BitDefender versions (AV, IS, TS) are basically the same. There isn't much performance difference between them, but you can always just download a trial and test them.


    As overkill... I'd never say that. However you look at it, you still need a software firewall, not just the router. The router provides basic inbound protection (filters connections on certain ports, filters some types of attacks...). But you need a software firewall to filter outbound connections (in case you get some undetected keylogger, or downloader, or anything... it's better to have a local per-application filtering method, not just to rely on your router), or even inbound connections, because the router won't filter everything.


    So one way or another, I suggest to take a firewall.


    As far as upgrading goes, I don't know. I'm not really familiar with the upgrading methods. You should contact Customer Support about this (or I can ask someone to answer you in this topic).


    2. My system is clean, though I would like to do a complete format of my drive. All this talk about rootkits has made me a little nervous. Could you point me to a resource where I can learn about Low Level formatting? Or what do you advise, to be absolutely sure everything is gone? Any tips? Should I take into account the possibility of an infected BIOS or something (don't know anything about this topic)?


    I see no point in formatting your system because of this. If your system is clean, then it's OK.


    As I said, you should install a firewall, to see if there are any unknown connections in/out of your system. Also, if you want more protection, you can enable BitDefender Behavioral Scanner (on the Antivirus section, click Scanner settings). Also, if you choose BD Internet Security, you will have an option in the firewall to enable Intrusion Detection System (somehow the same as Behavioral Scanner, but a little oriented on the firewall and network protection side).


    Or you can choose a 3rd party Host Intrusion Protection System (HIPS) or Behavioral Blocker software.


    As for low level format... that's absolutely unnecessary. A Quick Format will erase the MFT (Master File Table) of your partition. The actual files and data will be left intact (until physically overwritten), but there will be no way to access them. If you reinstall your OS after a Quick Format, the MFT is erased and re-created, and the old files will be inaccessible.


    Of course, there are some software tools that can help you recover files after format, but I assure you that malware doesn't use this method, because it's simply inefficient. It's more efficient to just re-infect your system from scratch. :P


    Leaving the joke aside: a simple Quick Format will remove all infections from your partition. A low level format, or a Full Format is used only when you suspect that your HDD has bad sectors, and such methods of formatting also scan for and isolate bad sectors.


    BIOS malware doesn't exist anymore. As far as I know, BIOS malware existed a long time ago, when the BIOS didn't have protection systems.


    What could still be active after a HDD format is a Master Boot Record malware. But that won't be cleaned whatever format method you use, because the format doesn't touch the MBR sections. BitDefender is able to detect MBR malware, so if you didn't get any alerts about this, you're probably safe.


    3. In your view, do you think that KeePassX (http://www.keepassx.org/) is a safe way of storing passwords?


    I don't know, because I never used/heard about this service.


    @Adonline: I will take a look at the files you attached as soon as I can. I'm sorry, but I cannot do it at the moment (maybe later today, or tomorrow).


    Cris.

  • Thank you Chris, for your extensive reply.


    I will contact customer support about upgrading to an Internet Security package, since I only have the standard Windows XP firewall.


    I will do a simple format then, I see that a low level format is not necessary. I didn't know BIOS threats didn't exist anymore.


    Owkay, everywhere people say KeePassX is secure, so I guess I'll follow their advice.


    That covers my case completely.


    To other infected people:


    Make sure to check EVERY server you have sites on, even some older servers of mine were infected. Change all your FTP-passwords but from a different, verified uninfected computer! (I recommend changing domain passwords too, since apparently someone physically logged into my Plesk account and removed the A-record of my e-mail address). To make sure all exploits are gone, download all your websites to one big folder (with subfolders of course) and define this big folder as your local root folder in Dreamweaver. Then, use find and replace using the string "<iframe src=" or another construction, to find every infected file. Clean every file manually, check and double check.


    As for Wordpress: remove the exploits and upgrade to the latest version ASAP. Here are some tips on how to secure your Wordpress more: http://eepurl.com/bPW_ even though I think the virus didn't come in via Wordpress.


    I'm hearing a lot of other cases. Apparently they're targeting webmasters, because they know they'll infect more sites this way.


    If anyone needs more information or something, don't hesitate to send me a PM.
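    The find-and-replace sweep described in the post above, as an added example that is not from the thread or from any poster: a script that walks a downloaded site folder, reports every `<iframe ... src=` line, marks whether it sits at the top or bottom of the file (where the thread saw injections), and flags files with "index" or "admin" in the name. The regex, the extension list, the five-line edge heuristic and the sample files are assumptions constructed for the example; it only reports, so the manual clean-up step stays with you.

```python
"""Scan a local copy of web sites for injected <iframe src=...> tags.

Added example, not code from the forum thread. The file-name hints
("index" / "admin" in the name, any extension) follow the thread's
observations; the regex, extension list and top/bottom heuristic are
assumptions made for this illustration.
"""
import os
import re
import sys
from typing import List, Tuple

# Matches an <iframe ...> opening tag that carries a src attribute.
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=", re.IGNORECASE)

NAME_HINTS = ("index", "admin")            # names the thread saw targeted
TEXT_EXTS = (".php", ".html", ".htm", ".js", ".inc", ".txt")  # assumed
EDGE_LINES = 5                             # "top"/"bottom" window (assumed)


def is_candidate_name(filename: str) -> bool:
    """True if the base name contains one of the reported name hints."""
    base = os.path.basename(filename).lower()
    return any(hint in base for hint in NAME_HINTS)


def find_injected_iframes(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, position, stripped_line) for each iframe-with-src.

    position is 'top', 'bottom' or 'middle'; the thread reports the
    injected tag at the very top or bottom of index files.
    """
    lines = text.splitlines()
    hits = []
    for idx, line in enumerate(lines, start=1):
        if not IFRAME_RE.search(line):
            continue
        if idx <= EDGE_LINES:
            pos = "top"
        elif idx > len(lines) - EDGE_LINES:
            pos = "bottom"
        else:
            pos = "middle"
        hits.append((idx, pos, line.strip()))
    return hits


def scan_tree(root: str):
    """Walk root; yield (path, name_flagged, hits) for files with iframes."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(TEXT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_injected_iframes(fh.read())
            if hits:
                yield path, is_candidate_name(name), hits


# Constructed samples: an index.php with a tag appended after </html>,
# and a clean page. example.invalid is a placeholder, not a real host.
SAMPLE_INFECTED = (
    "<?php\necho 'hello';\n?>\n</body>\n</html>\n"
    "<iframe src=\"http://example.invalid/x\" width=0 height=0></iframe>\n"
)
SAMPLE_CLEAN = "<html>\n<body>\n<p>no frames here</p>\n</body>\n</html>\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, flagged, hits in scan_tree(root):
        tag = "NAME-MATCH" if flagged else "other"
        for line_no, pos, text in hits:
            print(f"{path}:{line_no} [{tag}, {pos}] {text[:80]}")
```

    Run it with the big download folder as the argument; every hit, not only the name matches, deserves a look before you clean the file by hand.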

  • Ah, and by the way, maybe it's a good idea to block your credit card. I'm thinking that if it's an actual keylogger, they probably got hold of all necessary credit card information needed to do purchases. My bank doesn't notice any abuse though. Let's hope the virus just gathers FTP-passwords.

  • alexcrist
    edited June 2009

    @Adonline: Please update BitDefender and make a new Deep Scan of your system, then attach the scanlog in this topic.


    Also, please download this tool: BitDefender AVIS


    Unpack all files from that archive into a new, empty folder.


    Then run avis.exe, go to System info and generate a complete system log, using the settings from this screenshot:


    avis.jpg


    The path where the log will be generated will automatically be set to your Desktop. In the screenshot, that path is just an example.


    After the scan is finished, the log will be placed on your desktop, named bd_sys_log.xml.zip. Please upload that file on a file-sharing server (like rapidshare) and send me a download link through PM. We will analyze the log and give you further information.


    Notice: Please do NOT make a system scan for malware with AVIS, unless specifically told so by one of the BitDefender Support Members or BitDefender Virus Analysts. Thank you.


    Cris.

  • Hello,


    My computer and website (wordpress blog with iFrame injected in php files) are also infected and BitDefender can't remove the following virus:


    Problèmes non résolus :Nom de l'objet Nom de la menace Etat final


    [system]=]C:\WINDOWS\system32\svchost.exe (full dump) DeepScan:Generic.PWStealer.4E50FA9A Aucune action possible


    [system]=]C:\WINDOWS\system32\svchost.exe (memory dump) Generic.PWStealer.0E96BF1A Aucune action possible


    I found the file mentioned above in this discussion: C:\Documents and Settings\Valérie\Menu Démarrer\Programmes\Démarrage\rncsys32.exe


    So, I downloaded at rapidshare this file and an infected php file in a 7-zip as required: http://rapidshare.com/files/246590815/virus.7z.html


    Help! Please!

  • Hi Cris,


    As promised, I'm giving you a report. Last followup before format:


    I booted my computer up again today and Hitman Pro ran at start-up. Suddenly it recognizes two threats that BitDefender didn't:


    nmsaccessu.exe (in the folder Burnaware, CD burning software) => Trojan


    motu113.exe (in the c:\windows folder) => High Risk Worm Infection


    I ran a scan with BitDefender, but it doesn't find anything (nor does Gmer or Malwarebytes).


    I'm sending you a link to an archive with both infected files and also a log from Avis. Maybe there's a connection, but let's hope not.


    I'm guessing these are false positives... I hope so, because I haven't really done anything with the computer since it was infected, didn't want to risk it.


    OK, now I'm going to format.


    Could you please let me know if there's a connection between the infections and how to avoid getting these in future?


    Thanks

  • Hi Cris ,


    Thanks for your answer. After posting here I ran Malwarebytes and it found 2 trojans and quarantined them. Then I again did a deep scan with BitDefender; it doesn't find anything. I am not sure whether the virus found by BitDefender and the ones quarantined by Malwarebytes are the same. As you suggested, I am posting the AVIS log here.


    Thanks for your help again, and waiting for your answer.

  • speshdiv:


    nmsaccessu.exe: legit file belonging to CD BurnerXP, used to grant access to CD burning features for limited account users


    motu113.exe: I didn't find any references to this file anywhere. I tested it a little but I cannot tell anything about it. I will send it to the analysis lab as soon as possible to get more info about it.


    As far as I can see in your AVIS log, there isn't anything suspicious present there. I'll wait for the reply from the analysis lab and post back.


    Hunter007 and valvec: I will take a look at your logs as soon as possible. However, since analyzing AVIS logs takes quite a long time (they contain a lot of information), I cannot take care of multiple cases at the same time. So you will have to wait your turn, unfortunately.


    As a side note: please do NOT use other 3rd party software for scanning (for instance, Malwarebytes), because I'm not familiar with the log structure. BitDefender Forum cannot and will not offer support related to 3rd party products that are not produced or directly recommended by BitDefender Support or BitDefender Virus Labs. Thank you.


    Cris.

  • Hi Cris, thanks for your reply. I'll await the response you'll get from the analysis lab, though I'm pretty sure they're false positives.

  • speshdiv, the other file is clean. I got the reply a few days ago, but I've not been able to post it here.


    Cris.

  • Adonline: Please update BitDefender, reboot your system, make a new DeepScan and attach the scanlog.


    Also, download gmer (as presented in Post #4) and make a system scan with it. Save the log, and attach it.


    Hunter007:


    Use gmer (as presented in Post #4) to find and copy the following files:


    c:\\windows\\system32\\nticdmk7.dll
    c:\\windows\\system32\\ntimp3.dll
    c:\\windows\\system32\\ntimpeg2.dll
    c:\\windows\\system32\\ntifcd3.dll
    c:\\windows\\system32\\ntibun4.dll

    Put them in an archive with the password infected, upload it somewhere and send me the download link.


    Also, please make a system scan with gmer, save the log and attach it here.


    Also, please update BitDefender, make a new DeepScan and attach the log here.


    valvec: Please use AVIS and gmer (as presented above) and generate system logs. Attach the logs here. The file you attached is already detected by BitDefender.


    Cris.

  • Chris


    Thanks for your great effort. How do I make a log of the gmer scan? I tried to save it but was not able to save. And when I tried to copy the files you mentioned in the previous post, I was able to save only ntibun4.dll. I select all the files, copy and save, but it shows only ntibun4.dll. Please help.

  • alexcrist
    edited June 2009

    After the scan is finished, click Save on the lower-right corner. You will be able to choose a name and a location for the gmer log.


    About the files, just copy them one by one, not all of them at once.


    @everyone: Please don't send me anything on PM from now on. Instead, post the links to the files on this topic, because from tomorrow I won't be available anymore, so any PMs that I receive will remain unread for a few months (till I get back). However, I'll ask someone else to take a look on this topic, so any files posted will be analyzed.


    Cris.

  • Cris,


    I tried to archive the files and the gmer log. I don't know whether I have done it correctly or not? Waiting for your reply, and once again thanks a lot for your help.