Wilders Security Forums  

#1  March 5th, 2004, 10:31 AM
tempnexus (Frequent Poster; Join Date: Apr 2003; Posts: 279)
Got infected Can't locate it

Ok, somehow I got infected. The thing, whatever it is, has hijacked my explorer.exe, but I can't find it. I run Nod32, KAV, Norton 2004, TDS-3 and BOClean and everything comes up clean. But I know that I am infected, since each time I want to browse my Local Settings or Windows folder (i.e. C:\Documents and Settings\Darius\Local Settings) I get this popup box... if I type in junk, my explorer.exe tries to communicate with the internet. c:\windows\explorer.exe: checked that file... it appears to be ok, the DLLs associated with it are what I am running... but I have so many DLLs that I don't know what's what.

MY HIJACKTHIS LOG:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aksrvnt.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ProcessGuard Free\pg_msgprot.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\wlglupsb.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\Darius\Start Menu\Programs\Startup\nstsr.exe
C:\Program Files\NSClean\BOClean\BOClean.EXE
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\APM\apm.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\TECHSM~1\SNAGIT~1\SnagIt32.exe
C:\PROGRA~1\TECHSM~1\SNAGIT~1\TSCHelp.exe
C:\APM\apm.exe
C:\DOCUME~1\Darius\LOCALS~1\Temp\Rar$EX01.547\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSClean\BOClean\BOClean.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Internet Explorer\setup.exe /LASTSCAN
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Anti-keylogger check] C:\Program Files\Anti-keylogger\AntiKey.exe /checkautorun
O4 - Startup: nstsr.exe
O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: AdShield (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix-eu.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37918.6831944444
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab

Anyhow here is the picture of the popup.
__________________
I have a computer and my browser tries to make me fat by feeding me cookies.
"You need to delete your video card and format your modem, and install AOL on your motherboard"
#2  March 5th, 2004, 10:57 AM
Pieter_Arntz (Spyware Veteran; Join Date: Apr 2002; Location: Netherlands; Posts: 12,717)
Re: Got infected Can't locate it

Hi tempnexus,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com <= leave one of these

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Then reboot.

Do you know what this is for:
O4 - Startup: nstsr.exe

Regards,

Pieter
__________________
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.
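The reply above singles out the O1 (HOSTS) lines because one hostname is mapped to two different addresses and the same line appears three times, and the O2 line because its DLL is gone. The following is an added example for this thread, not HijackThis code and not anything Pieter posted: it runs that reasoning over the log excerpt copied from the first post, grouping O1 entries by hostname so that conflicting addresses and redundant repeats show up separately, and listing BHO registrations that HijackThis marks as "(no file)". The regular expressions are my own assumption about the line shapes seen in this log.

```python
"""Triage helpers for a HijackThis log (added example for this thread,
not HijackThis code).

O1 lines: a hostname mapped to more than one address is a conflict worth
asking about; an exact duplicate line is redundant and one copy suffices.
O2 lines: a BHO whose DLL is reported as '(no file)' is an orphaned
registration.  The excerpt below is copied from the first post.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
"""

# Line shapes as they appear in this log (assumed, not a HijackThis spec).
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def hosts_entries(log):
    """Return [(ip, hostname), ...] for every O1 line, in log order."""
    return [m.groups() for m in (O1_RE.match(l) for l in log.splitlines()) if m]


def triage_hosts(log):
    """Group O1 lines by hostname.

    Returns {hostname: {"addresses": [unique ips, first-seen order],
                        "redundant_lines": number of exact repeats}}.
    """
    report = OrderedDict()
    seen_pairs = set()
    for ip, host in hosts_entries(log):
        entry = report.setdefault(host, {"addresses": [], "redundant_lines": 0})
        if (ip, host) in seen_pairs:
            entry["redundant_lines"] += 1      # same ip/host again: keep one copy
        else:
            seen_pairs.add((ip, host))
            entry["addresses"].append(ip)
    return report


def conflicting_hosts(log):
    """Hostnames pointing at more than one address; only one mapping can win."""
    return [h for h, e in triage_hosts(log).items() if len(e["addresses"]) > 1]


def orphaned_bhos(log):
    """CLSIDs of O2 entries whose DLL HijackThis reports as '(no file)'."""
    found = []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m and m.group(3).strip() == "(no file)":
            found.append(m.group(2))
    return found


if __name__ == "__main__":
    for host, e in triage_hosts(SAMPLE_LOG).items():
        print(f"{host}: addresses {e['addresses']}, "
              f"{e['redundant_lines']} redundant line(s)")
    print("conflicting hostnames:", conflicting_hosts(SAMPLE_LOG))
    print("orphaned BHOs:", orphaned_bhos(SAMPLE_LOG))
```

On the excerpt this reports www.dcsresearch.com with two addresses and two redundant lines, and the one BHO with no file, which is exactly the set of O1/O2 items the reply asks to fix while leaving a single HOSTS line in place.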
#3  March 5th, 2004, 01:29 PM
tempnexus (Frequent Poster; Join Date: Apr 2003; Posts: 279)
Re: Got infected Can't locate it

UpdReg.exe is a Creative Labs Sound Blaster thingy.
nstsr.exe is NSClean.
dcsresearch.com is a private forum.
kdx.cab is the GameSpot software delivery module.
#4  March 5th, 2004, 05:36 PM
tempnexus (Frequent Poster; Join Date: Apr 2003; Posts: 279)
Re: Got infected Can't locate it

I dumped a packet that the thing was trying to send as soon as I input a bogus username and password, and here it is.

STRANGE, IT IS MICROSOFT... BUT WHY WOULD IT DO THAT? I WANT TO WATCH THE PACKETS NOW... what program can I use to do complete packet sniffing?

File Version:       6.00.2800.1106 (xpsp1.020828-1920)
File Description:   Windows Explorer (explorer.exe)
File Path:          C:\WINDOWS\explorer.exe
Process ID:         0xF18 (Heximal) 3864 (Decimal)

Connection origin:  local initiated
Protocol:           TCP
Local Address:      192.168.1.101
Local Port:         3421
Remote Name:        login.passport.com
Remote Address:     65.54.231.240
Remote Port:        443 (HTTPS - HTTP protocol over TLS/SSL)

Ethernet packet details:
Ethernet II (Packet Length: 80)
    Destination: 00-20-78-db-8c-65
    Source:      00-50-04-0f-00-c4
Type: IP (0x0800)
Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: 0x6 (TCP - Transmission Control Protocol)
    Header checksum: 0x0 (Incorrect - Checksum should be 0x189f)
    Source: 192.168.1.101
    Destination: 65.54.231.240
Transmission Control Protocol (TCP)
    Source port: 3421
    Destination port: 443
    Sequence number: 3777858265
    Acknowledgment number: 0
    Header length: 32
    Flags:
        0... .... = Congestion Window Reduce (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Checksum: 0x21d (Correct)
    Data (0 Bytes)

Binary dump of the packet:
0000: 00 20 78 DB 8C 65 00 50 : 04 0F 00 C4 08 00 45 00 | . x..e.P......E.
0010: 00 34 B0 77 40 00 40 06 : 00 00 C0 A8 01 65 41 36 | .4.w@.@......eA6
0020: E7 F0 0D 5D 01 BB E1 2D : 8A D9 00 00 00 00 80 02 | ...]...-........
0030: EB C0 1D 02 00 00 02 04 : 05 B4 01 03 03 02 01 01 | ................
0040: 04 02 4B B0 78 FD 3B F0 : E2 E4 5C 3B 50 09 0F C2 | ..K.x.;...\;P...
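The decoded view in the post above is the sniffer's interpretation of the 80 bytes in the binary dump; everything the decode states can be re-derived from those bytes alone. The following is an added example for this thread, not output of or code from the sniffer the poster used: it parses the dump verbatim, walks the Ethernet, IPv4 and TCP headers, and recomputes both checksums per RFC 1071. Recomputing the IP header checksum over these bytes gives 0x9F18, i.e. the bytes 9F 18, which the sniffer printed in the opposite order as 0x189f; the stored TCP checksum bytes are 1D 02 and recompute to the same value, which the sniffer printed as 0x21d. So the tool's verdicts (IP checksum wrong, TCP checksum right) hold, but its two checksum fields are displayed byte-swapped. The IP total length is 52 while the frame carries 66 bytes after the Ethernet header, so the decoder also reports the 14 trailing bytes that belong to neither header. As a general caveat, an all-zero IP checksum on an outbound frame captured on the sending host is what you see when the network card fills the field in after the capture point (checksum offload); on its own it does not indicate tampering.

```python
"""Decode the hex dump posted above and recompute the IPv4 and TCP checksums.

Added example for this thread, not the sniffer's code.  Standard library only.
The dump is copied verbatim from the post; the frame layout (14-byte Ethernet
header, IPv4 header, TCP header with options, trailing bytes beyond the IP
total length) is what the bytes themselves say.
"""
import socket
import struct

HEX_DUMP = r"""
0000: 00 20 78 DB 8C 65 00 50 : 04 0F 00 C4 08 00 45 00 | . x..e.P......E.
0010: 00 34 B0 77 40 00 40 06 : 00 00 C0 A8 01 65 41 36 | .4.w@.@......eA6
0020: E7 F0 0D 5D 01 BB E1 2D : 8A D9 00 00 00 00 80 02 | ...]...-........
0030: EB C0 1D 02 00 00 02 04 : 05 B4 01 03 03 02 01 01 | ................
0040: 04 02 4B B0 78 FD 3B F0 : E2 E4 5C 3B 50 09 0F C2 | ..K.x.;...\;P...
"""


def parse_hex_dump(text):
    """Turn 'offset: xx xx ... : xx xx | ascii' lines into bytes."""
    out = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split("|", 1)[0].split(":", 1)[1]  # drop offset and ASCII column
        out.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(out)


def ones_complement_sum(data):
    """RFC 1071 checksum: 16-bit one's-complement sum, folded, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame):
    """Return Ethernet/IPv4/TCP fields plus stored vs. recomputed checksums."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    ip_hdr = ip[:ihl]
    src, dst = ip[12:16], ip[16:20]
    # The checksum is computed with its own field zeroed.
    ip_calc = ones_complement_sum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])

    tcp = ip[ihl:total_len]                       # bound by IP total length
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    tcp_stored = struct.unpack("!H", tcp[16:18])[0]
    # TCP checksum covers a pseudo-header (addresses, zero, protocol, TCP length).
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_calc = ones_complement_sum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

    return {
        "eth_type": eth_type,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
        "tcp_header_len": data_off, "payload_len": len(tcp) - data_off,
        "ip_checksum_stored": struct.unpack("!H", ip_hdr[10:12])[0],
        "ip_checksum_calc": ip_calc,
        "tcp_checksum_stored": tcp_stored,
        "tcp_checksum_calc": tcp_calc,
        "trailer_len": len(ip) - total_len,       # bytes past the IP datagram
    }


if __name__ == "__main__":
    for key, value in decode_frame(parse_hex_dump(HEX_DUMP)).items():
        shown = f"{value:#06x}" if "checksum" in key or key == "eth_type" else value
        print(f"{key:20} {shown}")
```

The SYN carries no payload, so nothing in this capture says what explorer.exe would have sent once the TLS session to login.passport.com:443 was up; that is a question for a sniffer that records the whole session, which is what the poster asks about next.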
#5  March 6th, 2004, 03:53 AM
Jooske (Incredibly Massive Poster; Join Date: Feb 2002; Location: Netherlands, EU near the sea; Posts: 9,713)
Re: Got infected Can't locate it

dcsresearch.com was the old forum address for the DCS forums; it is OK to have one in the HOSTS file for that. The 20... no longer exists, and you had the current one 3 times; one time is sufficient.

With what did you dump this packet? Does Port Explorer's Socket Spy help a bit too?

Maybe I don't get those things because I already have a Hotmail account and probably some cookie for that.
When you subscribe to any of the MS newsletters, like security updates, you already have an account, so I don't mind having that Hotmail account, which I read through my email client on my computer and can delete all the spam without opening -- I only have to remember to visit the page every 30 days to keep the account. You will need it for support too, among others.
But I made my account on the page I visited myself, not via such a popup thing.

Wondering how they get that promotion to you; is it still coming after the fixes Pieter recommended?
__________________
Jooske
"o_o"