trojanw32.loskey problem
marydiv
09-02-2007, 10:22 PM
I was having the same problem as the "there's a devil on my desktop" thread. I did the 2 scans and the following are the logs. The problem appears to be gone, but can you please advise me further.
SmitFraudFix v2.219
Scan done at 9:26:27.25, Sun 09/02/2007
Run from C:\Documents and Settings\myname\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{40345D15-52F0-4B1C-B39C-D642BE64CA26}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5648739D-CBB6-4BBA-A10E-E99130D6D539}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{40345D15-52F0-4B1C-B39C-D642BE64CA26}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{40345D15-52F0-4B1C-B39C-D642BE64CA26}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
marydiv
09-02-2007, 10:29 PM
SmitFraudFix v2.219
Scan done at 9:24:40.96, Sun 09/02/2007
Run from C:\Documents and Settings\myname\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Desktop Search\wds_sl.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\myname
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\myname\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\myname\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:home"
"SubscribedURL"="about:home"
"FriendlyName"="my current home page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{40345D15-52F0-4B1C-B39C-D642BE64CA26}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5648739D-CBB6-4BBA-A10E-E99130D6D539}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{40345D15-52F0-4B1C-B39C-D642BE64CA26}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{40345D15-52F0-4B1C-B39C-D642BE64CA26}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
marydiv
09-02-2007, 10:38 PM
Sorry, the first two should have been switched in order. This is the other one.
ComboFix 07-08-30.3 - "myname" 2007-09-02 9:34:05.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.752 [GMT -4:00]
((((((((((((((((((((((((( Files Created from 2007-08-02 to 2007-09-02 )))))))))))))))))))))))))))))))
2007-09-02 08:30 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-01 23:47 5,400 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-01 23:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-01 23:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-01 23:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-01 23:30 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-08-22 17:59 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-22 17:57 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-08-22 17:57 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-15 12:06 <DIR> d-------- C:\Program Files\iPod
2007-08-12 20:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-12 20:26 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-08-12 20:23 <DIR> d-------- C:\Program Files\MSBuild
2007-08-12 20:14 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-08-12 20:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-12 20:11 <DIR> dr-h----- C:\MSOCache
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-02 08:57 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-09-01 23:04 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-29 16:25 --------- d-------- C:\Program Files\RocketDock
2007-08-22 18:02 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-22 18:02 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-22 18:02 --------- d-------- C:\Program Files\Symantec
2007-08-20 11:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
2007-08-20 11:45 --------- d-------- C:\DOCUME~1\myname\APPLIC~1\ATI MMC
2007-08-18 16:11 --------- d-------- C:\Program Files\Opera
2007-08-15 12:06 --------- d-------- C:\Program Files\iTunes
2007-08-15 11:57 --------- d-------- C:\Program Files\QuickTime
2007-08-14 21:48 --------- d-------- C:\DOCUME~1\myname\APPLIC~1\Apple Computer
2007-08-12 20:23 --------- d-------- C:\Program Files\Microsoft Works
2007-08-11 21:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-07-30 22:32 --------- d-------- C:\Program Files\Winamp
2007-07-02 20:33 --------- d-------- C:\Program Files\Common Files\Apple
2007-07-02 20:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-13 18:54 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
2004-10-13 16:24:37 1,694,208 --sha-w C:\WINDOWS\FlyakiteOSX\Backup\msmsgs.exe
2007-06-01 01:25:49 80 --sh--r C:\WINDOWS\system32\5CEBDF2339.dll
2006-12-24 00:45:36 952 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((( snapshot_2007-09-02_ 83715.67 )))))))))))))))))))))))))))))))))))))))))
----atw 16,384 2007-09-02 11:14:31 C:\WINDOWS\Temp\Perflib_Perfdata_82c.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Amazing3DAquariumWallpaper"="" []
"EPSON Stylus CX7800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.exe" [2005-04-07 00:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32]
"\\familypc\EPSON Stylus CX7800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.exe" [2005-04-07 00:00]
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 01:04]
"Auto EPSON Stylus CX7800 Series on familypc"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.exe" [2005-04-07 00:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"System Files Updater"="C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 19:41]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 00:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-04 15:09]
"POINTER"="point32.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 04:34]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 15:21]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 22:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-26 01:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 21:35]
"ATI Scheduler"="C:\Program Files\ATI Multimedia\MAIN\ATISched.EXE" [2005-12-23 01:21]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\LaunchPd.exe" [2005-12-23 01:23]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2005-12-23 01:20]
"WebCamRT.exe"="" []
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 15:44]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"UberIcon"="C:\Program Files\UberIcon\UberIcon Manager.exe" [2006-07-17 23:16]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-03-19 00:05]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
C:\DOCUME~1\myname\STARTM~1\Programs\Startup\
PowerReg Scheduler.exe [2007-04-05 17:34:03]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 14:11 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Task Agent]
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
"C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
"C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 SSHDRV85;SSHDRV85;\??\C:\WINDOWS\system32\drivers\SSHDRV85.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
S2 pnarp;Network Magic Device Discovery Driver;C:\WINDOWS\system32\DRIVERS\pnarp.sys
S2 purendis;Network Magic Wireless Driver;C:\WINDOWS\system32\DRIVERS\purendis.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 ATITUNEP;ATI WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\atineuxx.sys
S3 ativraxx;ATI WDM Rage Theater Audio;C:\WINDOWS\system32\DRIVERS\atinraxx.sys
S3 ATIXSAudio;ATI WDM TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinesxx.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 PCDCODEC;ATI WDM Specialized PCD Codec;C:\WINDOWS\system32\DRIVERS\atinpdxx.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{173cbfc2-1892-11da-8b4e-806d6172696f}]
AutoRun\command- E:\Setup.exe
*Newly Created Service* - COMHOST
*Newly Created Service* - DCFS2K
marydiv
09-02-2007, 10:38 PM
above continued:
Contents of the 'Scheduled Tasks' folder
2007-08-28 00:31:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-28 19:21:44 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - myname.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
2007-09-02 13:15:31 C:\WINDOWS\Tasks\User_Feed_Synchronization-{B417F97C-5066-4403-8FBE-A62D318F185D}.job - C:\WINDOWS\system32\msfeedssync.exe
************************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-02 09:35:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????<???D??sh??????w????h???Z??w(???*??wt?@?l?@???d???? ????????????????????????????????????????????w????g ??w0??w????*??w???w????D??s???????????w????l?@???? ????w????t?@?0?`?????????l?@?l?@????????w????t?@?? ???l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@ ?8?@
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************************************************
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\familypc\\EPSON Stylus CX7800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAFA.EXE /P37 \"\\\\familypc\\EPSON Stylus CX7800 Series\" /O6 \"USB001\" /M \"Stylus CX7800\""
Completion time: 2007-09-02 9:36:06
C:\ComboFix-quarantined-files.txt ... 2007-09-02 09:35
C:\ComboFix2.txt ... 2007-09-02 08:38
--- E O F ---
marydiv
09-02-2007, 10:39 PM
Last but not least, when this is resolved I just have a couple of other q's about this PC... can I continue here?
classicsoftware
09-02-2007, 11:44 PM
You need to post a HijackThis log.