Got infected Can't locate it

Discussion in 'Trojan Defence Suite' started by tempnexus, Mar 5, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Apr 16, 2003
    Ok somehow I got infected, the thing whatever it is has hijacked my explorer.exe but I can't find it. I run Nod32, KAV, Norton2004, TDS-3 and BoClean and everything comes up clean. But I know that I am infected since each time I want to browse my local settings or Windows folder (i.e. C:\Documents and Settings\Darius\Local Settings) I get this popup box...if I type in Junk my explorer.exe tries to communicate with the internet. c:\windows\explorer.exe Checked that appears to be ok, the DLL's associated with it are what I am running...but I have soo many dll's that I don't know what's what.


    Running processes:
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\ProcessGuard Free\pg_msgprot.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Documents and Settings\Darius\Start Menu\Programs\Startup\nstsr.exe
    C:\Program Files\NSClean\BOClean\BOClean.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts:
    O1 - Hosts:
    O1 - Hosts:
    O1 - Hosts:
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSClean\BOClean\BOClean.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Internet Explorer\setup.exe /LASTSCAN
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [Anti-keylogger check] C:\Program Files\Anti-keylogger\AntiKey.exe /checkautorun
    O4 - Startup: nstsr.exe
    O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) -
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) -

    Anyhow here is the picture of the popup.

    Attached Files:

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi tempnexus,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts:
    O1 - Hosts:
    O1 - Hosts: <= leave one of these

    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) -

    Then reboot.

    Do you know what this is for:
    O4 - Startup: nstsr.exe


  3. tempnexus

    tempnexus Registered Member

    Apr 16, 2003
    Updreg.exe is creative labs sound blaster thingy
    Nstsr.exe is NsClean are private forums is gamespot software delivery module
  4. tempnexus

    tempnexus Registered Member

    Apr 16, 2003
    I dumped a packet that the thing was trying to send as soon as I input bogus username and password and here it is.

    STRANGE IT IS MICROSOFT...BUT WHY WOULD IT DO THAT? I WANT TO WATCH THE PACKETS NOW....what program can I use to do a complete packet sniffing?

    File Version :      6.00.2800.1106 (xpsp1.020828-1920)
    File Description :   Windows Explorer (explorer.exe)
    File Path :      C:\WINDOWS\explorer.exe
    Process ID :      0xF18 (Heximal) 3864 (Decimal)

    Connection origin :   local initiated
    Protocol :      TCP
    Local Address :
    Local Port :      3421
    Remote Name :
    Remote Address :
    Remote Port :       443 (HTTPS - HTTP protocol over TLS/SSL)

    Ethernet packet details:
    Ethernet II (Packet Length: 80)
       Destination:    00-20-78-db-8c-65
       Source:    00-50-04-0f-00-c4
    Type: IP (0x0800)
    Internet Protocol
       Version: 4
       Header Length: 20 bytes
          .1.. = Don't fragment: Set
          ..0. = More fragments: Not set
       Fragment offset:0
       Time to live: 64
       Protocol: 0x6 (TCP - Transmission Control Protocol)
       Header checksum: 0x0 (Incorrect - Checksum should be 0x189f)
    Transmission Control Protocol (TCP)
       Source port: 3421
       Destination port: 443
       Sequence number: 3777858265
       Acknowledgment number: 0
       Header length: 32
          0... .... = Congestion Window Reduce (CWR): Not set
          .0.. .... = ECN-Echo: Not set
          ..0. .... = Urgent: Not set
          ...0 .... = Acknowledgment: Not set
          .... 0... = Push: Not set
          .... .0.. = Reset: Not set
          .... ..1. = Syn: Set
          .... ...0 = Fin: Not set
       Checksum: 0x21d (Correct)
       Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 20 78 DB 8C 65 00 50 : 04 0F 00 C4 08 00 45 00 | . x..e.P......E.
    0010: 00 34 B0 77 40 00 40 06 : 00 00 C0 A8 01 65 41 36 | .4.w@.@......eA6
    0020: E7 F0 0D 5D 01 BB E1 2D : 8A D9 00 00 00 00 80 02 | ...]...-........
    0030: EB C0 1D 02 00 00 02 04 : 05 B4 01 03 03 02 01 01 | ................
    0040: 04 02 4B B0 78 FD 3B F0 : E2 E4 5C 3B 50 09 0F C2 | ..K.x.;...\;P...
  5. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea was the old forum address for the DCS forums; it is ok to have one in the HOSTS file for that, the 20... no longer exists and you had 3 times the current one, one time is sufficient.

    With what did you dump this packet? Does Port Explorer Socket Spy help a bit too?

    Maybe i don't get those things because i already have a hotmail account and probably some cookie for that.
    When you subscribe to any of MS newsletters like security updates you already have an account so i don't mind to have that hotmail account, which i read through my email client on my computer and can delete all the spam without opening -- only have to remember every 30 days to visit the page to keep the account. You will need it for support too, among others.
    But i made my account on the page i visited myself, not via such a popup thing.

    Wondering how they get that promotion to you, still coming after the fixes Pieter recommended?
Thread Status:
Not open for further replies.