I need to get rid of Trojan.Spy.SSKC.20

Discussion in 'malware problems & news' started by dlevere, Jan 10, 2003.

Thread Status:
Not open for further replies.
  1. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    I recently ran X-Cleaner, and have found this Trojan.Spy.SSKC.20 on 2 different occasions. How do I get rid of it? o_O

    I did a Google search on the subject, and this is what I found, but I have no idea how to get started. :'(

    <link removed>

    the pack contains..
    * SSKC v2.0.exe --- this is the keylogger ( don't run this first )
    * TweakSSKC.exe --- use this to configure SSKC v2.0.exe
    * autoexec.bat --- for uninstallation
    * ReadMe.TxT --- this file :)


    SSKC v2.0 is a keylogger with SMTP support. It logs keys typed in all
    windows ( not in a DOS shell ) to a file you specify.. this file gets
    mailed to the address you specify... in order to prevent the file from
    getting too bulky... it gets truncated when it reaches 64KB....
    other features include.. killing of popular AV & FW.. this option can
    be turned on or off using TweakSSKC..

    SSKC isn't super stealth yet.. i hope to achieve it someday..

    whats new from SSKC v1.0
    * SMTP support ( the subject contains the username of the victim )
    * logfile logs SSKC startup time & the window titles ( eg:- @@Notepad )
    more beautification in the log file as compared to SSKC v1.0
    * Checks for the OS.. and the processes according to it
    ( for eg:- SSKC v1.0 used to crash in WinNT based OS, since
    RegisterServiceProcess wasn't available on it, so i fixed it )
    * SSKC v1.0 used a lame method for installing itself, v2.0 has a better
    method
    * AntiVirus, Firewalls etc.. can be killed... this is useful
    against an ordinary windoze user.
    * and lots of other tweaks!

    -----------------------------
    on using TweakSSKC..
    -----------------------------
    i guess it's self explanatory... anyway i'll just give a small
    explanation...

    select sskc2 : this is the file ( sskc ) you want to edit. please make
    sure that its sskc v2.0 itself.. no checking is done!
    from_email : this isn't actually required.. so just fill it up with
    any valid e-mail address
    to_email : this is the address where the file is to be mailed to, i.e.
    your e-mail address
    smtp_server : specify the smtp server through which the log file should
    be mailed. ( i'll implement an inbuilt SMTP server in
    the next version )
    log_file : this is the file to which the key strokes will be logged
    make sure this file can exist.. or else it'll be a waste
    of time :)
    the last option is to add the "Killing AV & FW" feature, just check/uncheck
    if you wanna turn it on/off :))..
    --------------------------------

    ------------------------
    how to install SSKC v2.0
    ------------------------
    after configuring SSKC v2.0.exe using TweakSSKC.. just run the file
    it automatically installs itself.. i haven't implemented melting..
    btw.. you can rename SSKC v2.0.exe to anything you like
    ------------------------

    --------------------------
    how to uninstall SSKC v2.0
    --------------------------
    for the elite, i needn't write a note on how to do so.. but for others
    here is a simple procedure.. copy the contents of autoexec.bat @ the
    end of your c:\autoexec.bat and reboot your computer.. the keylogger
    and the dll should get deleted.
    now.. another procedure is to use a Process Viewer, and kill the
    process named MsgSvr32.exe ( c:\windows\msgsvr32.exe ).. and go
    to the registry key \Software\Microsoft\Windows\CurrentVersion\Run
    and delete the registry value named 'MsgSvr32'.


    Note:
    AV/FW will be killed every second... it might create a problem on a slow
    computer.. which may cause lots of hdd activity.. but i love that noise.

    PS:
    i've successfully tested in Win98SE & WinXP ( admin priv ).

    please feel free to drop in your comments or bug reports :)

    and of course, i'm really sorry for my bad & senseless english

    jC


    Server:
    c:\WINDOWS\msgsvr32.exe

    size: 19.488 bytes

    startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MsgSvr32"

    added:
    c:\WINDOWS\KeyLog.TxT
    c:\WINDOWS\SYSTEM\SSKC2.DLL
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Finding its startup location(s) shouldn't be hard.

    Do this:

    Go to http://www.spywareinfoforum.com/downloads.php#startup , and download 'Startuplist'.

    Unzip, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post the contents here.

    Someone here will be happy to assist you in pinpointing it.
     
  3. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    :D O.K., Will do. Thanks for the prompt response! :D
     
  4. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    StartupList report, 1/10/03, 3:15:23 AM
    StartupList version: 1.50
    Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISSERV.EXE
    C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\NISUM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\IAMAPP.EXE
    C:\PROGRAM FILES\VERIZONONLINEDSL\WINPOET\WINPPPOVERETHERNET.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\SYMPXSVC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY PROFESSIONAL\ATRACK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SPYWATCH.EXE
    C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\26331369.DLL
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = c:\windows\scanregw.exe /autorun
    TaskMonitor = c:\windows\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Microsoft IntelliType Pro = "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    NAV Agent = c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    iamapp = c:\Program Files\Norton Internet Security Professional\IAMAPP.EXE
    WinPoET = C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    nisserv = c:\Program Files\Norton Internet Security Professional\NISSERV.EXE
    CSINJECT.EXE = C:\Program Files\Norton CleanSweep\CSINJECT.EXE

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [>PerUser_MSN_Clean] *
    StubPath = c:\windows\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = c:\windows\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exeadvpack.dll

    [>IEPerUser] *
    StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/1/2003, 2:20:20)

    [Rename]
    NUL=c:\WINDOWS\TEMP\F35EF0.DLL

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    CLS
    @ECHO LOADING ALL WINDOWS DRIVERS..........
    @ECHO OFF
    C:\essolo.com

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    DEVICE=C:\essolo.sys

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    @echo off
    REM
    REM
    C:\essolo.com

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1041998696330

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 7,085 bytes
    Report generated in 4.505 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
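The quoted ReadMe (post 1) gives the SSKC v2.0 indicators: a Run value named MsgSvr32, the server c:\WINDOWS\msgsvr32.exe, and the files c:\WINDOWS\KeyLog.TxT and c:\WINDOWS\SYSTEM\SSKC2.DLL. The StartupList report (post 4) is where a helper would look for them. As an added example, not part of the original posts and not code from X-Cleaner, StartupList or the keylogger's author, here is a small Python checker that parses a StartupList 1.50 report and flags those indicators. It also keeps the legitimate Windows 9x process C:\WINDOWS\SYSTEM\MSGSRV32.EXE (srv, shown in the posted report) apart from the keylogger's msgsvr32.exe (svr, in C:\WINDOWS), which is the lookalike a reader skimming the process list is likely to confuse. The report excerpts below are constructed, modelled on the one posted; the "infected" variant is synthetic.

```python
"""Scan a StartupList 1.50 report for SSKC v2.0 indicators (added example).

Indicators are taken from the keylogger ReadMe quoted in the thread:
  - Run value "MsgSvr32" under HKLM\...\CurrentVersion\Run
  - server process c:\WINDOWS\msgsvr32.exe  (svr)
  - files c:\WINDOWS\KeyLog.TxT and c:\WINDOWS\SYSTEM\SSKC2.DLL
Windows 9x legitimately runs C:\WINDOWS\SYSTEM\MSGSRV32.EXE (srv); that one
must not be flagged, but the same name outside \SYSTEM is worth a look.
"""
from pathlib import PureWindowsPath

SSKC_RUN_VALUE = "msgsvr32"
SSKC_EXE = "msgsvr32.exe"
SSKC_FILES = {"keylog.txt", "sskc2.dll"}
LEGIT_MSGSRV, LEGIT_DIR = "msgsrv32.exe", "system"


def parse_startuplist(text):
    """Return {"processes": [...], "run": {name: cmd}, "runservices": {name: cmd}}.

    Sections in a StartupList report are separated by dashed lines; the
    registry sections name the hive on the line after their header.
    """
    report = {"processes": [], "run": {}, "runservices": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----"):          # end of the current section
            section = None
        elif line == "Running processes:":
            section = "processes"
        elif line.startswith("Autorun entries from Registry:"):
            section = "hive"                  # next line names the key
        elif section == "hive":
            key = line.rsplit("\\", 1)[-1].lower()
            section = {"run": "run", "runservices": "runservices"}.get(key)
        elif section == "processes":
            report["processes"].append(line)
        elif section in ("run", "runservices") and "=" in line:
            name, cmd = line.split("=", 1)
            report[section][name.strip()] = cmd.strip()
    return report


def exe_of(cmd):
    """Executable part of an autorun command ("quoted path" or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def check_sskc(report, present_files=()):
    """Return (severity, message) findings; present_files is an optional list of
    paths known to exist on disk (e.g. from a directory listing)."""
    findings = []
    for proc in report["processes"]:
        p = PureWindowsPath(proc)
        name, parent = p.name.lower(), p.parent.name.lower()
        if name == SSKC_EXE:
            findings.append(("hit", f"SSKC server process running: {proc}"))
        elif name == LEGIT_MSGSRV and parent != LEGIT_DIR:
            findings.append(("suspect", f"msgsrv32.exe outside \\SYSTEM: {proc}"))
    for hive in ("run", "runservices"):
        for value, cmd in report[hive].items():
            exe_name = PureWindowsPath(exe_of(cmd)).name.lower()
            if value.lower() == SSKC_RUN_VALUE or exe_name == SSKC_EXE:
                findings.append(("hit", f"SSKC autorun in {hive}: {value} = {cmd}"))
    for path in present_files:
        if PureWindowsPath(path).name.lower() in SSKC_FILES:
            findings.append(("hit", f"SSKC artifact on disk: {path}"))
    return findings


# Constructed excerpt, modelled on the clean report posted in the thread.
CLEAN_REPORT = r"""StartupList report (constructed excerpt)
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
Microsoft IntelliType Pro = "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
NAV Agent = c:\PROGRA~1\NORTON~1\NAVAPW32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
nisserv = c:\Program Files\Norton Internet Security Professional\NISSERV.EXE

--------------------------------------------------
"""

# Synthetic infected variant: the ReadMe's process and Run value added.
INFECTED_REPORT = CLEAN_REPORT.replace(
    r"C:\WINDOWS\SYSTEM\MPREXE.EXE",
    "C:\\WINDOWS\\SYSTEM\\MPREXE.EXE\nC:\\WINDOWS\\MSGSVR32.EXE",
).replace(
    "SystemTray = SysTray.Exe",
    "SystemTray = SysTray.Exe\nMsgSvr32 = c:\\windows\\msgsvr32.exe",
)

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_REPORT), ("infected", INFECTED_REPORT)):
        print(label, check_sskc(parse_startuplist(text)) or "no SSKC indicators")
```

On the posted report the checker returns nothing, which matches TonyKlein's reading: MSGSRV32.EXE in \SYSTEM is the normal Win9x message server, and no MsgSvr32 Run value or msgsvr32.exe process is present. The filesystem artifacts (KeyLog.TxT, SSKC2.DLL) are not something StartupList reports, so they are passed in separately.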
  5. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    I also noticed that ever since this happened, the sound is off on my computer.
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    Not a trojan in sight, as far as I can tell.

    It could be a false positive.

    Did you find any of the files as mentioned in the article?

    And what is the name of the file that X-Cleaner identified as Spy.SSKC.20?
     
  7. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    It just said SSKC, I did the search on Google and found that out. I think that X-Cleaner removed it, but it happened twice, so I'm thinking that it's connected to one of the webpages that I'm visiting, most likely my E-mail.
     
  8. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    And no, I couldn't find any of the files.
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    You must have downloaded something or opened an attachment for you to get infected, if indeed you were.

    If it should happen again, just shut down your internet connection, and establish what files X-Cleaner identifies as this trojan. That ought to enable you/us to determine whether it's the real thing.

    For the moment you certainly don't appear to have a trojan, however.

    Happy surfing! :)
     
  10. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    O.K., Thanks! Great work, as always! :D
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,347
    Location:
    The Netherlands
    You're welcome! :)
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Maybe a dumb idea: reinstall the drivers for your sound-card and let X-Cleaner have a go.
    I am not a firm believer in coincidence ;)

    Regards,

    Pieter
     