
Win32/PSW.Maha.A trojan


1 reply to this topic

#1 sirkah

sirkah

  • Members
  • 1 posts
  • Local time:09:02 AM

Posted 31 December 2008 - 05:08 PM

It sends out links through MSN to this site where you get the trojan. Nod32 keeps catching it trying to create a new file, but doesn't actually get rid of the trojan. Any help would be greatly appreciated.

Antivirus message (Nod32)
Time Module Object Name Threat Action User Information
12/31/2008 12:50:24 PM AMON file C:\WINDOWS\sqlserver.dll Win32/PSW.Maha.A trojan quarantined - deleted Event occurred on a new file created by the application: C:\WINDOWS\service32.exe. The file was moved to quarantine. You may close this window.

DDS (Version 1.1.0) - NTFSx86
Run by .Mike at 17:00:17.60 on Wed 12/31/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1170 [GMT -5:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\keyacc32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\LANDesk\LDClient\softmon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\mIRC 1\mIRC\mirc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\.Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar =
uDefault_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6070713
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row-rel&channel=ca&ibd=6070713
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Liciaa] c:\windows\system32\Liciaa.exe
uRun: [System configuration backup] c:\recycler\s-1-5-21-1696127283-9614048246-643674525-1394\sysdate.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [KeyAccess] keyacc32.exe
mRun: [serviceload] c:\windows\service32.exe
StartupFolder: c:\docume~1\mike~1\startm~1\programs\startup\dropbox.lnk - c:\program files\dropbox\dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
LSP: c:\windows\system32\biolsp.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: wxvault.dll KATRACK.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike~1\applic~1\mozilla\firefox\profiles\diyhj6yj.default\
FF - prefs.js: browser.startup.homepage - hxxp://sympatico.msn.ca/
FF - plugin: c:\documents and settings\.mike\application data\mozilla\firefox\profiles\diyhj6yj.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-11-11 15424]
R1 oreans32;oreans32;\??\c:\windows\system32\drivers\oreans32.sys [2008-1-26 33824]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-5-12 611664]
R2 KeyAccess;KeyAccess;c:\windows\keyacc32.exe [2007-8-1 753664]
R2 NOD32krn;NOD32 Kernel Service;"c:\program files\eset\nod32krn.exe" [2008-11-11 552064]
R2 Softmon;LANDesk® Software Monitoring Service;"c:\progra~1\landesk\ldclient\softmon.exe" [2008-9-2 266240]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe /Processid:{BDFEFE06-0F3F-44F4-984D-3BF2A1CA8D75} [2004-8-11 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
S4 CBA8;LANDesk® Management Agent;"c:\program files\landesk\shared files\residentagent.exe" []

=============== Created Last 30 ================

2008-12-31 16:54 <DIR> --d----- c:\program files\Trend Micro
2008-12-30 20:39 194,570 a------- c:\windows\service32.exe
2008-12-30 20:39 12,183 a------- c:\windows\system32\Liciaa.exe
2008-12-26 19:22 169,773 a------- c:\windows\system32\nvapps.nvb
2008-12-26 19:21 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-26 19:20 160,262 a------- c:\windows\system32\nvapps.xml
2008-12-26 19:19 360,448 a------- c:\windows\system32\nvudisp.exe
2008-12-26 19:19 17,848 a------- c:\windows\system32\nvdisp.nvu
2008-12-26 19:09 268 a---h--- C:\sqmdata02.sqm
2008-12-26 19:09 244 a---h--- C:\sqmnoopt02.sqm
2008-12-26 19:07 <DIR> --d----- c:\program files\Driver Sweeper
2008-12-25 18:47 <DIR> --d----- c:\program files\Western Digital
2008-12-25 17:54 1,126,400 a------- c:\windows\system32\nvcuda.dll
2008-12-25 17:54 1,069,056 a------- c:\windows\system32\nvcpluir.dll
2008-12-25 17:54 815,104 a------- c:\windows\system32\nvcplui.exe
2008-12-25 17:54 73,728 a------- c:\windows\system32\nvcpl.cpl
2008-12-25 17:54 147,456 a------- c:\windows\system32\nvcolor.exe
2008-12-25 17:54 425,984 a------- c:\windows\system32\keystone.exe
2008-12-17 15:40 <DIR> --d----- c:\docume~1\mike~1\applic~1\ImTOO Software Studio
2008-12-17 15:39 45,056 a------- c:\windows\system32\WNASPI32.DLL
2008-12-17 15:39 16,512 a------- c:\windows\system32\drivers\ASPI32.SYS
2008-12-17 15:38 <DIR> --d----- c:\program files\ImTOO
2008-12-02 10:12 <DIR> --d-h--- c:\windows\msdownld.tmp

==================== Find3M ====================

2008-12-26 15:02 20,153 a------- c:\windows\system32\nvModes.dat
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 20:13 1,421 a------- c:\windows\fonts\templist.txt
2008-11-25 23:12 2,987 a------- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2008-11-25 23:12 513,400 a------- c:\windows\system32\SpoonUninstall.exe
2008-11-25 23:11 3,625 a------- c:\windows\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2008-11-25 23:10 13,785 a------- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2008-11-23 17:32 138,408 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-23 17:32 202,648 a------- c:\windows\system32\PnkBstrB.exe
2008-11-21 16:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 16:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 16:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 16:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-20 23:17 58,420 a---h--- c:\windows\system32\mlfcache.dat
2008-11-11 21:59 512,096 a------- c:\windows\system32\drivers\amon.sys
2008-11-11 21:59 298,104 a------- c:\windows\system32\imon.dll
2008-11-11 21:59 15,424 a------- c:\windows\system32\drivers\nod32drv.sys
2008-11-11 20:43 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS
2008-11-11 20:43 360,320 a------- c:\windows\system32\dllcache\TCPIP.SYS
2008-11-11 20:41 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2008-10-29 20:24 42,320 a------- c:\windows\system32\xfcodec.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 04:45 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:15 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-03-19 07:49 24,192 a------- c:\documents and settings\.mike\usbsermptxp.sys
2008-03-19 07:49 22,768 a------- c:\documents and settings\.mike\usbsermpt.sys
2008-02-25 18:01 22,328 a------- c:\docume~1\mike~1\applic~1\PnkBstrK.sys
2007-08-26 09:44 87,608 a------- c:\docume~1\mike~1\applic~1\inst.exe
2007-08-26 09:44 47,360 a------- c:\docume~1\mike~1\applic~1\pcouffin.sys

============= FINISH: 17:01:42.85 ===============


Kaspersky scan


File name / Threat name / Threats count
C:\Program Files\mIRC 1\mIRC\mirc.exe/C:\Program Files\mIRC 1\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Program Files\ESET\infected\NXTCS1CA.NQF Infected: Trojan-PSW.Win32.Maha.h 1
C:\Program Files\ESET\infected\TO1XKCCA.NQF Infected: Trojan-Downloader.Win32.Agent.aoiv 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\mIRC 1\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
C:\Program Files\mIRC 2\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\WINDOWS\Resources\Themes\Luna\hfs.zip Infected: not-a-virus:Server-FTP.Win32.SFH.a 1
C:\WINDOWS\service32.exe Infected: Backdoor.Win32.Poison.pfy 1
C:\WINDOWS\system32\Liciaa.exe Infected: Backdoor.Win32.Poison.pfy 1

The selected area was scanned.


Thanks in advance.

Edited by sirkah, 31 December 2008 - 10:05 PM.
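The three pieces of evidence in the post above (the NOD32 quarantine event, the DDS "Run" entries and "Created Last 30" section, and the Kaspersky results) all converge on the same two files. As an added example, not part of the original post and not code from DDS or any AV vendor, the Python script below automates that cross-check on a DDS-style log: it flags autorun entries whose target was created within a few days of the scan, entries that launch from a Recycle Bin (`c:\recycler\`) path, and entries whose target an AV scan reported as infected. The sample input is constructed from lines quoted from the log above; the regular expressions and the 7-day window are this example's own assumptions, not a documented DDS format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the DDS log and the Kaspersky
# results in the post above, trimmed to the entries relevant to the correlation.
DDS_SAMPLE = r"""
DDS (Version 1.1.0) - NTFSx86
Run by .Mike at 17:00:17.60 on Wed 12/31/2008
============== Pseudo HJT Report ===============
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Liciaa] c:\windows\system32\Liciaa.exe
uRun: [System configuration backup] c:\recycler\s-1-5-21-1696127283-9614048246-643674525-1394\sysdate.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [serviceload] c:\windows\service32.exe
=============== Created Last 30 ================
2008-12-31 16:54 <DIR> --d----- c:\program files\Trend Micro
2008-12-30 20:39 194,570 a------- c:\windows\service32.exe
2008-12-30 20:39 12,183 a------- c:\windows\system32\Liciaa.exe
2008-12-26 19:21 453,152 a------- c:\windows\system32\NVUNINST.EXE
"""

KASPERSKY_SAMPLE = r"""
C:\WINDOWS\service32.exe Infected: Backdoor.Win32.Poison.pfy 1
C:\WINDOWS\system32\Liciaa.exe Infected: Backdoor.Win32.Poison.pfy 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
"""

# Assumed line shapes (this example's own regexes, not a documented DDS grammar).
RUN_LINE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<value>.*)$")
PATH_IN_VALUE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|com|bat)\b", re.IGNORECASE)
CREATED_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(?P<path>.+)$")
RUN_DATE = re.compile(r"^Run by .* on \w{3} (?P<m>\d{1,2})/(?P<d>\d{1,2})/(?P<y>\d{4})")
AV_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) \d+$")


def parse_dds(text):
    """Return (scan date, autoruns, created) from a DDS-style log.
    autoruns: list of (entry name, lower-cased target path); created: {path: datetime}."""
    run_date, autoruns, created = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_DATE.match(line)
        if m:
            run_date = datetime(int(m["y"]), int(m["m"]), int(m["d"]))
            continue
        m = RUN_LINE.match(line)
        if m:
            p = PATH_IN_VALUE.search(m["value"])
            if p:
                autoruns.append((m["name"], p.group(0).lower()))
            continue
        m = CREATED_LINE.match(line)
        if m:
            created[m["path"].lower()] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")
    return run_date, autoruns, created


def parse_av(text):
    """Map lower-cased path -> detection name from 'path Infected: name count' lines."""
    hits = {}
    for raw in text.splitlines():
        m = AV_LINE.match(raw.strip())
        if m:
            hits[m["path"].lower()] = m["name"]
    return hits


def triage(dds_text, av_text="", window_days=7):
    """Correlate autorun entries with recent file creation and AV hits.
    Returns a sorted list of (category, path, note) findings."""
    run_date, autoruns, created = parse_dds(dds_text)
    av_hits = parse_av(av_text)
    cutoff = run_date - timedelta(days=window_days) if run_date else None
    findings = set()
    for name, path in autoruns:
        # An autorun whose binary appeared days before the scan is worth a look.
        if cutoff and path in created and created[path] >= cutoff:
            findings.add(("recent-autorun", path, f"[{name}] target created {created[path]:%Y-%m-%d}"))
        # Nothing legitimate persists out of the Recycle Bin.
        if path.startswith("c:\\recycler\\"):
            findings.add(("recycler-autorun", path, f"[{name}] launches from the Recycle Bin"))
        # Persistence plus an AV detection on the same file is the strongest signal.
        if path in av_hits:
            findings.add(("av-flagged-autorun", path, av_hits[path]))
    return sorted(findings)


if __name__ == "__main__":
    for category, path, note in triage(DDS_SAMPLE, KASPERSKY_SAMPLE):
        print(f"{category:20} {path}  ({note})")
```

Run as-is it prints five findings: `service32.exe` and `Liciaa.exe` each as both `recent-autorun` and `av-flagged-autorun`, and `sysdate.exe` as `recycler-autorun`; the legitimate `MsnMsgr.Exe` and `nod32kui.exe` entries produce nothing because they are neither recently created nor flagged.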



#2 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:10:02 AM

Posted 10 January 2009 - 08:31 PM

Welcome to BC :thumbsup:

Please post fresh DDS logs.

Sorry for the delay.
Microsoft MVP Consumer Security--2007-2010
