Pwstealer.287e7867 & Pwstealer.0e96bf1a

Files that are corrupted are:


Object Name Threat Name Final Status
[system]=]F:\WINDOWS\system32\svchost.exe (full dump) DeepScan:Generic.PWStealer.287E7867 Disinfect Failed
[system]=]F:\WINDOWS\system32\svchost.exe (memory dump) Generic.PWStealer.0E96BF1A Disinfect Failed


Here's a HijackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:40 PM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\System32\CTsvcCDA.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Common Files\Motive\McciCMService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\WINDOWS\system32\ZuneBusEnum.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
F:\WINDOWS\BCMSMMSG.exe
F:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Sticky Password\stpass.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
F:\WINDOWS\System32\wbem\wmiprvse.exe
F:\Program Files\Webroot\Spy Sweeper\SSU.EXE
F:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Documents and Settings\Melanie\Desktop\KillBox.exe
F:\WINDOWS\system32\SearchProtocolHost.exe
F:\WINDOWS\system32\SearchFilterHost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - F:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - F:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - F:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - F:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [updReg] "F:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [sSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [bCMSMMSG] "BCMSMMSG.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bDAgent] "F:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "F:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "F:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [spySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "F:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [stickyPassword] "F:\Program Files\Sticky Password\stpass.exe"
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238295835750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238295965093
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - F:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - F:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PWBXKFNV - Sysinternals - www.sysinternals.com - F:\DOCUME~1\Melanie\LOCALS~1\Temp\PWBXKFNV.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - F:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 10483 bytes


I need step by step instructions on how to remove the infected items. I have tried everything I know - including MANY types of malware software. Please help!


PS. I got these from an email I received on Facebook.

Comments

  • Hello emjaycee,

    We would like you to go to the following link: http://kb.bitdefender.com/KB490 and run the Avis and the Gmer tools as described in the article. After you obtain these reports, you will need to upload them here, then reply with the download links. My colleagues from the Virus Analysis team will analyze these files and we will contact you back with further instructions after the analysis is complete. Besides these reports, please run another Deep System Scan and then save the scan log. You can upload it here when you add your new post.

    Thank you.

  • emjaycee
    edited August 2009
    Hi Alex, and thank you for your reply. I will get these done and get them to you right away.


    Thank you,


    Melanie

  • Hi Alex, scans are done for Avis and Gmer. I have uploaded them to support@bitdefender.com at the link you provided and used my email address. I have updated bitdefender again and am deep system scanning yet again. I will post those results here very soon. Thank you for your help.

  • Hi Alex. Not sure how this happened but bitdefender didn't catch it this time. Therefore, I am posting both scans for you to see. Please keep in mind that I have done nothing to get rid of these items other than run Avis and Gmer for you here. I would very much still like advice on this issue, please. Is it possible the items are hidden now? Here is the one I took tonight:


    BitDefender Log File
    Product : BitDefender Total Security 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Deep System Scan
    Log date : 8/17/2009 9:55:24 PM
    Log path : F:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1250564124_1_02.xml

    Scan Paths:
    Path 0000: F:\
    Path 0001: G:\
    Path 0002: H:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target Selection Options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : Yes
    Scan runtime packers : Yes
    Scan emails : No
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None
    Default action for encrypted infected objects : None
    Default action for encrypted suspicious objects : None
    Default action for password-protected objects : Log as not scanned

    Scan engines summary
    Number of virus signatures : 3910010
    Archive plugins : 45
    Email plugins : 6
    Scan plugins : 13
    System plugins : 5
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 545165
    Infected items : 0
    Suspicious items : 0
    Resolved items : 0
    Unresolved items : 578
    Password-protected items : 578
    Overcompressed items : 0
    Individual viruses found : 0
    Scanned directories : 8924
    Scanned boot sectors : 6
    Scanned archives : 10124
    Input-output errors : 9
    Scan time : 01:48:15
    Files per second : 83

    Scanned processes summary
    Scanned : 44
    Infected : 0

    Scanned registry keys summary
    Scanned : 1093
    Infected : 0

    Scanned cookies summary
    Scanned : 23
    Infected : 0

    Here is the one I took a couple of nights ago:


    BitDefender Log File
    Product : BitDefender Total Security 2009
    Version : BitDefender UIScanner v.12
    Scanning task : Full System Scan
    Log date : 8/14/2009 3:48:50 PM
    Log path : F:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1250282930_1_02.xml

    Scan Paths:
    Path 0000: F:\
    Path 0001: G:\
    Path 0002: H:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target Selection Options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : No
    Scan runtime packers : Yes
    Scan emails : No
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing:
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None
    Default action for encrypted infected objects : None
    Default action for encrypted suspicious objects : None
    Default action for password-protected objects : Log as not scanned

    Scan engines summary
    Number of virus signatures : 3855088
    Archive plugins : 45
    Email plugins : 6
    Scan plugins : 13
    System plugins : 5
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 79793
    Infected items : 2
    Suspicious items : 0
    Resolved items : 0
    Unresolved items : 2
    Password-protected items : 0
    Overcompressed items : 0
    Individual viruses found : 2
    Scanned directories : 8967
    Scanned boot sectors : 6
    Scanned archives : 7
    Input-output errors : 14
    Scan time : 00:43:08
    Files per second : 30

    Scanned processes summary
    Scanned : 45
    Infected : 1

    Scanned registry keys summary
    Scanned : 1101
    Infected : 0

    Scanned cookies summary
    Scanned : 6
    Infected : 0

    Remaining issues:
    Object Name Threat Name Final Status
    [system]=]F:\WINDOWS\system32\svchost.exe (full dump) DeepScan:Generic.PWStealer.0203FF31 Disinfect Failed
    [system]=]F:\WINDOWS\system32\svchost.exe (memory dump) Generic.PWStealer.0E96BF1A Disinfect Failed

  • Hello emjaycee,

    Please have a look at the following BitDefender article (http://kb.bitdefender.com/KB490). Run Avis and Gmer and, after you obtain the reports generated by these tools, upload them on http://www.sendspace.com/ and then post the download links here. We will tell you for sure whether you have an infection after my colleagues from the Virus Analysis team have analyzed these files.

    Thank you.

  • I did all of that last night. Please look up above this post and you will see. I also sent the files on sendspace to support@bitdfender.com

  • Hello emjaycee,

    Unfortunately I could not find the email that had the Avis and the Gmer logs. I have sent you another reply to the support request that you have made. Try to reply to my email with these files attached.

    Thank you.

  • I noticed that my pc shutdown sequence is too long.


    I click Start-->Turn Off Computer and it takes 4 minutes for the shutdown interface to show. Once I select shutdown or restart, the computer takes twenty minutes to carry out the task. Meanwhile the clean PC next to it can boot three times over in the same span of time.


    After a deep scan Bitdefender found the following:


    Deepscan:Generic.PWStealer.6CD319A5


    Generic.PWStealer.0E96BF1A


    c:\windows\system32\svchost.exe (full dump)


    Followed directions at: http://forum.bitdefender.com/index.php?showtopic=14084 but was told by Avis that it "failed to disinfect."


    Tried booting in safe mode to remove file but this did not work.


    Used Avis. Did not work.


    Please advise. <_<

  • Hello rustyDusty,

    Please follow the steps from my first reply on this topic, upload the Avis and the Gmer reports and send us the download links.

    Thank you.