"Malware" Attack Win32/Daurso.A (password stealer)
Mary_Hartnell
Posts: 874 Forumite
Has anyone got any experience of an attack like this?
Our PC was set up by my son; but he is away at college, so this situation looks like it is down to me.
Running Windows XP on a PC that is sort of partitioned in that the initial screen offers an opportunity for 6 users to sign on.
User one is "Admin". Four users are family members. User six is "Guest".
For what it is worth this set up uses Firefox as the browser and Windows Defender (1.75.924.0) as the firewall and free AVG (8.5.435) for "malware" protection.
Last night the screen appeared to have frozen, as I tried to come out of Word, but I had a cup of tea brewing in the kitchen and by the time I got back it appeared to have unfrozen.
However what is this little gold window, in the programs shown as running in the bar at the bottom of the screen? :eek:
It is "Defender" saying it is not clear about the validity of
1. TWX Corp.
2. Red Hat Software.
TWX appears to be responsible for my partition's "Windows NT clip board viewer" but Windows Explorer claims it has been installed unchanged since 2006. I have no idea what it has been doing.
Red Hat Software appears to be a distributor of open source software (according to google); possibly used by my son for something to do with Linux?
So I had a closer look in Defender's history log: at exactly the same time it had created a serious warning, telling me to delete the software stealer:
PWS:Win32/Daurso.A is a detection for a trojan that steals FTP credentials, which it then sends to a remote server.
Symptoms: There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
Technical Information (Analysis)
PWS:Win32/Daurso.A is a detection for a trojan that steals FTP credentials, which it then sends to a remote server.
Installation
When run, PWS:Win32/Daurso.A creates the following mutex to ensure that only one instance of itself is running:
mutex_io
Payload
Steals FTP credentials
When run, PWS:Win32/Daurso.A queries the registry and traverses folders and files found in the system to look for FTP-related information such as user names, passwords, host names, and ports that it later sends to a remote server located in '78.109.29.114'.
PWS:Win32/Daurso.A has been observed to target the following applications that may store FTP-related information in the system registry and files:
CoffeeCup Software
COREFTP
Far
Ghisler
FTP Control 4
CuteFTP
FileZilla
FlashFXP
SmartFTP
Analysis by Jireh Sanico
However when I try to do as instructed - go to "quarantined items" to zap the evil bit of code - there is nothing there.
I've turned the machine off and on again and run/rerun complete Defender & AVG scans and found nothing.
Everything seems to be running normally (in fact, as I've tidied up temp files and other redundant rubbish, the PC is running faster).
I've seen some suggestions about clearing down all sorts of stuff and reloading it all - but if I do I'm almost certain to mess up. (a little knowledge is a dangerous thing).
Do you think "Windows Defender" has seen off the malware and my PC is clean?
Should I run one of these free scans offered by some of the other malware protection software offerings on the web?
Mary.
PS I do hate these attacks - makes me think the PC might be HIV positive :o
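The encyclopedia text quoted in the post gives two concrete indicators (the remote address 78.109.29.114 and the mutex name mutex_io) but no file names, which is why a scan can come back empty once the dropper has cleaned up. As an added example that is not part of the thread or of Microsoft's write-up, here is a small Python sweep that checks those two indicators and, as a heuristic that is my assumption rather than something the write-up states, looks for executable content in the Startup folder and in temp folders. The netstat text and file list are constructed for the example; on a real machine you would feed in the output of `netstat -ano` and a directory walk of the user profile.

```python
"""IOC sweep for the indicators in the PWS:Win32/Daurso.A write-up.

Added example, not code from the thread or from the Microsoft encyclopedia.
The netstat text and file list below are constructed; on a real machine you
would feed in `netstat -ano` output and a walk of the user profile.
"""
import re
import sys
from pathlib import PureWindowsPath

# Indicators stated in the write-up.
C2_IPS = {"78.109.29.114"}
MUTEX_NAME = "mutex_io"

# Heuristic locations (assumption: general dropper behaviour, not from the write-up).
STARTUP_DIR = "\\start menu\\programs\\startup\\"
TEMP_DIRS = ("\\local settings\\temp\\", "\\temporary internet files\\")
BENIGN_IN_STARTUP = {".lnk", ".ini"}
EXEC_EXT = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".vbs"}

# One `netstat -ano` TCP row: local, foreign, state, pid.
TCP_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def find_c2_connections(netstat_text, c2_ips=C2_IPS):
    """Return (remote_ip, remote_port, state, pid) for TCP rows whose peer is a known C2 address."""
    hits = []
    for line in netstat_text.splitlines():
        m = TCP_RE.match(line)
        if m and m.group(3) in c2_ips:
            hits.append((m.group(3), int(m.group(4)), m.group(5), int(m.group(6))))
    return hits


def find_suspicious_files(paths):
    """Flag non-shortcut files in the per-user Startup folder and executables in temp folders."""
    hits = []
    for p in paths:
        low = p.lower()
        ext = PureWindowsPath(p).suffix.lower()
        if STARTUP_DIR in low and ext not in BENIGN_IN_STARTUP:
            hits.append((p, "non-shortcut file in Startup folder"))
        elif any(d in low for d in TEMP_DIRS) and ext in EXEC_EXT:
            hits.append((p, "executable in a temp folder"))
    return hits


def looks_like_pe(data):
    """True if the bytes start with the DOS 'MZ' header: catches a dropped PE renamed to .tmp."""
    return data[:2] == b"MZ"


def mutex_present(name=MUTEX_NAME):
    """Windows only: OpenMutexW succeeds when some process already holds the named mutex.
    Returns None where the check cannot be made (non-Windows platforms)."""
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return False


def sweep(netstat_text, paths):
    """Combine the checks; a non-empty list (or True) in any key means follow up."""
    return {
        "c2": find_c2_connections(netstat_text),
        "files": find_suspicious_files(paths),
        "mutex": mutex_present(),
    }


# Constructed sample data (not captured from the poster's machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1056      78.109.29.114:80       ESTABLISHED     1744
  TCP    192.168.1.20:1057      64.233.183.99:443      ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_PATHS = [
    r"C:\Documents and Settings\User\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Documents and Settings\User\Start Menu\Programs\Startup\svchost32.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\~DF3A1.tmp",
    r"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\load[1].exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for key, value in sweep(SAMPLE_NETSTAT, SAMPLE_PATHS).items():
        print(key, value)
```

Two caveats worth keeping in mind: the extension filter deliberately lets `~DF3A1.tmp` through, so where file contents are available run `looks_like_pe` on anything in a temp folder rather than trusting the name, and a connection to the C2 address only shows up while the stealer is actually talking to it, so an empty `c2` list is not proof the box is clean.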
Comments
Why?
Have you come up against it?
No, never heard of it.
Steals FTP credentials
When run, PWS:Win32/Daurso.A queries the registry and traverses folders and files found in the system to look for FTP-related information such as user names, passwords, host names, and ports that it later sends to a remote server located in '78.109.29.114'.
PWS:Win32/Daurso.A has been observed to target the following applications that may store FTP-related information in the system registry and files:
CoffeeCup Software
COREFTP
Far
Ghisler
FTP Control 4
CuteFTP
FileZilla
FlashFXP
SmartFTP
FROM: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS:Win32/Daurso.A

Disclaimer: Everything I write on this forum is my opinion. I try to be an even-handed poster and accept that you at times may not agree with these opinions or how I choose to express them; this is not my problem. The Disabled: If years cannot be added to their lives, at least life can be added to their years - Alf Morris
Hi Mary
Sorry, you hadn't added further details to your initial post when I saw it.
Have you scanned with Malwarebytes?
If not, download the latest version of Malwarebytes from filehippo.com
Open Malwarebytes and update it first before running a scan
Delete any problems Malwarebytes finds and then post the Malwarebytes log file here.
Open Malwarebytes and update it first before running a scan
Sorry to be thick, but I:
1. Make sure nothing else is running on my PC?
2. Log myself on as "Admin"?
3. Browse to Hippo and find Malwarebytes?
4. Where should I download it to? What should I call it?
5. How do I then update it first? What would I update? Why would I update the standard Malwarebytes settings?
Hey ho, ready to give it a bash.
Download free version http://www.malwarebytes.org/
Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM FULL SCAN then click SCAN
Post the COMPLETE log here AFTER you've deleted everything it finds
Very confusing, I've just thanked a posting that has disappeared. :(
Ah, it's back. :D
Sorry, link was not working in last post.
Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_malwarebytes_anti_malware/
Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM FULL SCAN then click SCAN
Post the COMPLETE log here AFTER you've deleted everything it finds
reboot
Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
http://www.filehippo.com/download_hijackthis/
Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (takes seconds) then post the log so we can see what's running
(do NOT do anything else with HijackThis but scan and post the FULL log) :idea:
Sorry, that took a bit longer than I expected.
I thought I might have done the deletion/quarantine step incorrectly - so I ran another scan to be sure to be sure.
(Not sure where the extra 112 objects came from between Run1 and Run2.)
C:\Documents and Settings\Mary\Start Menu\Programs\Startup\
is the nasty malware program that triggered off Windows Defender, but it seems to have wriggled free of Windows Defender and was in the process of trying to start itself off again. :mad:
I'm not sure what the other 3 were all about; I have a nasty feeling they could have been hanging about for years?
Run 1
Malwarebytes' Anti-Malware 1.44
Database version: 3761
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
19/02/2010 17:08:49
mbam-log-2010-02-19 (17-08-49).txt
Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 225846
Time elapsed: 43 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Mary\Local Settings\Temp\~TM70.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\ZQQBBUH0\load[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mary\Start Menu\Programs\Startup\monnid32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mary\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully
Run 2
Malwarebytes' Anti-Malware 1.44
Database version: 3761
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
19/02/2010 17:55:47
mbam-log-2010-02-19 (17-55-47).txt
Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 225958
Time elapsed: 44 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected).
Can I say many thanks to everyone who helped, or am I tempting fate? :j
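The two logs above are the kind of thing a helper is asked to read by eye. As an added example that is not code from the thread or from Malwarebytes, here is a Python parser for that 1.x log layout: it pulls out the header fields, the summary counters and every detected item, singles out items that sit in logon persistence locations (the Startup folder here, which is why the file "was in the process of trying to start itself off again"), and compares two runs so you can confirm nothing removed in the first scan came back in the second. RUN1_LOG is an abridged copy of the first log in the post; RUN2_LOG is a shortened version of the clean second run. Which locations count as persistence is my assumption, not something Malwarebytes reports.

```python
"""Parser for the Malwarebytes' Anti-Malware 1.x log format posted above.

Added example, not code from the thread or from Malwarebytes. RUN1_LOG is an
abridged copy of the first log in the post; RUN2_LOG is a shortened clean run.
"""
import re

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")   # "Files Infected: 4"
SECTION_RE = re.compile(r"^(.+ Infected):$")         # "Files Infected:"
# "<path> (<detection>) -> <action>."; greedy path so "(x86)" inside a path survives.
ITEM_RE = re.compile(r"^(.*) \(([^()]+)\) -> (.+?)\.?$")

# Assumption: locations that re-launch a file at logon (Startup folder, Run keys).
PERSISTENCE_MARKERS = ("\\start menu\\programs\\startup\\", "\\currentversion\\run")


def parse_mbam_log(text):
    """Return {'meta': header fields, 'counts': summary counters, 'items': section -> [detections]}."""
    report = {"meta": {}, "counts": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["counts"][m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report["items"].setdefault(section, [])
            continue
        if section is not None:
            m = ITEM_RE.match(line)
            if m:  # "(No malicious items detected)" has no " -> " and is skipped
                report["items"][section].append(
                    {"path": m.group(1), "detection": m.group(2), "action": m.group(3)})
            continue
        if ": " in line:  # header fields such as "Database version: 3761"
            key, value = line.split(": ", 1)
            report["meta"][key] = value
    return report


def detections(report):
    """Flatten every detected item across all sections."""
    return [it for items in report["items"].values() for it in items]


def persistence_hits(report):
    """Detected items that would have run again at the next logon."""
    return [it for it in detections(report)
            if any(mk in it["path"].lower() for mk in PERSISTENCE_MARKERS)]


def is_clean(report):
    """True when every summary counter is zero and no item was listed."""
    return all(n == 0 for n in report["counts"].values()) and not detections(report)


def compare_runs(first, second):
    """Paths removed in the first run that did not reappear in the second."""
    second_paths = {it["path"] for it in detections(second)}
    return [it["path"] for it in detections(first) if it["path"] not in second_paths]


RUN1_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3761
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/02/2010 17:08:49
mbam-log-2010-02-19 (17-08-49).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 225846
Time elapsed: 43 minute(s), 0 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Mary\Local Settings\Temp\~TM70.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\ZQQBBUH0\load[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mary\Start Menu\Programs\Startup\monnid32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mary\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully
"""

RUN2_LOG = """
Malwarebytes' Anti-Malware 1.44
Database version: 3761
Objects scanned: 225958
Files Infected: 0

Files Infected:
(No malicious items detected).
"""

if __name__ == "__main__":
    run1, run2 = parse_mbam_log(RUN1_LOG), parse_mbam_log(RUN2_LOG)
    print("persistence:", [it["path"] for it in persistence_hits(run1)])
    print("gone after run 2:", compare_runs(run1, run2))
```

Note that `compare_runs` only tells you the same paths did not return; a dropper that comes back under a new name in a different folder would still show up as new items in the second run, which is exactly what the summary counters in the second log are for.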
Looks like you've got rid of the malware, but you should also now do the second part of alienrik's post, i.e. download HijackThis, run it, and post the log on here. This is just to make sure that there are no other little nasties on your PC.