Pwstealer.287e7867 & Pwstealer.0e96bf1a
Files that are corrupted are:
Object Name | Threat Name | Final Status
[system]=]F:\WINDOWS\system32\svchost.exe (full dump) | DeepScan:Generic.PWStealer.287E7867 | Disinfect Failed
[system]=]F:\WINDOWS\system32\svchost.exe (memory dump) | Generic.PWStealer.0E96BF1A | Disinfect Failed
Here's a HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:40 PM, on 8/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
F:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\WINDOWS\System32\CTsvcCDA.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Common Files\Motive\McciCMService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\WINDOWS\System32\MsPMSPSv.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\WINDOWS\system32\ZuneBusEnum.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
F:\WINDOWS\BCMSMMSG.exe
F:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Sticky Password\stpass.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
F:\WINDOWS\System32\wbem\wmiprvse.exe
F:\Program Files\Webroot\Spy Sweeper\SSU.EXE
F:\Program Files\BitDefender\BitDefender 2009\uiscan.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Documents and Settings\Melanie\Desktop\KillBox.exe
F:\WINDOWS\system32\SearchProtocolHost.exe
F:\WINDOWS\system32\SearchFilterHost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - F:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - F:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - F:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - F:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - F:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - F:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [updReg] "F:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [sSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "F:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [bCMSMMSG] "BCMSMMSG.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [bDAgent] "F:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "F:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "F:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [spySweeper] "F:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "F:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [stickyPassword] "F:\Program Files\Sticky Password\stpass.exe"
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238295835750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238295965093
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - F:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - F:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - F:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PWBXKFNV - Sysinternals - www.sysinternals.com - F:\DOCUME~1\Melanie\LOCALS~1\Temp\PWBXKFNV.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - F:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - F:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
--
End of file - 10483 bytes
I need step by step instructions on how to remove the infected items. I have tried everything I know - including MANY types of malware software. Please help!
PS. I got these from an email I received on Facebook.
Comments
Hello emjaycee,
We would like you to go to the following link: http://kb.bitdefender.com/KB490 and run the Avis and the Gmer tools as described in the article. After you obtain these reports, you will need to upload them here, then reply with the download links. My colleagues from the Virus Analysis team will analyze these files and we will contact you with further instructions after the analysis is complete. Besides these reports, please run another Deep System Scan and then save the scan log. You can upload it here when you add your new post.
Thank you.
Hi Alex, and thank you for your reply. I will get these done and get them to you right away.
Thank you,
Melanie
Hi Alex, scans are done for Avis and Gmer. I have uploaded them to support@bitdefender.com at the link you provided and used my email address. I have updated bitdefender again and am deep system scanning yet again. I will post those results here very soon. Thank you for your help.
Hi Alex. Not sure how this happened, but BitDefender didn't catch it this time. Therefore, I am posting both scans for you to see. Please keep in mind that I have done nothing to get rid of these items other than run Avis and Gmer for you here. I would very much still like advice on this issue, please. Is it possible the items are hidden now? Here is the one I took tonight:
BitDefender Log File
Product : BitDefender Total Security 2009
Version : BitDefender UIScanner v.12
Scanning task : Deep System Scan
Log date : 8/17/2009 9:55:24 PM
Log path : F:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1250564124_1_02.xml
Scan Paths:
Path 0000: F:\
Path 0001: G:\
Path 0002: H:\
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target Selection Options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : Yes
Scan runtime packers : Yes
Scan emails : No
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : Log as not scanned
Scan engines summary
Number of virus signatures : 3910010
Archive plugins : 45
Email plugins : 6
Scan plugins : 13
System plugins : 5
Unpack plugins : 7
Overall scan summary
Scanned items : 545165
Infected items : 0
Suspicious items : 0
Resolved items : 0
Unresolved items : 578
Password-protected items : 578
Overcompressed items : 0
Individual viruses found : 0
Scanned directories : 8924
Scanned boot sectors : 6
Scanned archives : 10124
Input-output errors : 9
Scan time : 01:48:15
Files per second : 83
Scanned processes summary
Scanned : 44
Infected : 0
Scanned registry keys summary
Scanned : 1093
Infected : 0
Scanned cookies summary
Scanned : 23
Infected : 0
Here is the one I took a couple of nights ago:
BitDefender Log File
Product : BitDefender Total Security 2009
Version : BitDefender UIScanner v.12
Scanning task : Full System Scan
Log date : 8/14/2009 3:48:50 PM
Log path : F:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1250282930_1_02.xml
Scan Paths:
Path 0000: F:\
Path 0001: G:\
Path 0002: H:\
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target Selection Options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : No
Scan runtime packers : Yes
Scan emails : No
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing:
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Default action for encrypted infected objects : None
Default action for encrypted suspicious objects : None
Default action for password-protected objects : Log as not scanned
Scan engines summary
Number of virus signatures : 3855088
Archive plugins : 45
Email plugins : 6
Scan plugins : 13
System plugins : 5
Unpack plugins : 7
Overall scan summary
Scanned items : 79793
Infected items : 2
Suspicious items : 0
Resolved items : 0
Unresolved items : 2
Password-protected items : 0
Overcompressed items : 0
Individual viruses found : 2
Scanned directories : 8967
Scanned boot sectors : 6
Scanned archives : 7
Input-output errors : 14
Scan time : 00:43:08
Files per second : 30
Scanned processes summary
Scanned : 45
Infected : 1
Scanned registry keys summary
Scanned : 1101
Infected : 0
Scanned cookies summary
Scanned : 6
Infected : 0
Remaining issues:
Object Name | Threat Name | Final Status
[system]=]F:\WINDOWS\system32\svchost.exe (full dump) | DeepScan:Generic.PWStealer.0203FF31 | Disinfect Failed
[system]=]F:\WINDOWS\system32\svchost.exe (memory dump) | Generic.PWStealer.0E96BF1A | Disinfect Failed
Hello emjaycee,
Please have a look at the following BitDefender article: http://kb.bitdefender.com/KB490 . Run Avis and Gmer and, after you obtain the reports generated by these tools, upload them to http://www.sendspace.com/ and then post the download links here. We will tell you for sure whether you have an infection after my colleagues from the Virus Analysis team have analyzed these files.
Thank you.
I did all of that last night. Please look up above this post and you will see. I also sent the files on sendspace to support@bitdfender.com
Hello emjaycee,
Unfortunately I could not find the email that had the Avis and the Gmer logs. I have sent you another reply to the support request that you made. Try to reply to my email with these files attached.
Thank you.
I noticed that my pc shutdown sequence is too long.
I click Start-->Turn Off Computer and it takes 4 minutes for the shutdown interface to show. Once I select shutdown or restart, the computer takes twenty minutes to carry out the task. Meanwhile the clean PC next to it can boot three times over in the same span of time.
After a deep scan Bitdefender found the following:
Deepscan:Generic.PWStealer.6CD319A5
Generic.PWStealer.0E96BF1A
c:\windows\system32\svchost.exe (full dump)
Followed directions at: http://forum.bitdefender.com/index.php?showtopic=14084 but was told by Avis that it "failed to disinfect."
Tried booting in safe mode to remove file but this did not work.
Used Avis. Did not work.
Please advise.
Hello rustyDusty,
Please follow the steps from my first reply on this topic, upload the Avis and the Gmer reports and send us the download links.
Thank you.