Got infected Can't locate it

Discussion in 'Trojan Defence Suite' started by tempnexus, Mar 5, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    OK, somehow I got infected. The thing, whatever it is, has hijacked my explorer.exe but I can't find it. I run NOD32, KAV, Norton 2004, TDS-3 and BOClean and everything comes up clean. But I know that I am infected, since each time I want to browse my Local Settings or Windows folder (i.e. C:\Documents and Settings\Darius\Local Settings) I get this popup box; if I type in junk, my explorer.exe tries to communicate with the internet. c:\windows\explorer.exe: I checked that file and it appears to be OK; the DLLs associated with it are what I am running, but I have so many DLLs that I don't know what's what.

    My HijackThis log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\aksrvnt.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\ProcessGuard Free\pg_msgprot.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\WINDOWS\System32\wlglupsb.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Documents and Settings\Darius\Start Menu\Programs\Startup\nstsr.exe
    C:\Program Files\NSClean\BOClean\BOClean.EXE
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\APM\apm.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\PROGRA~1\TECHSM~1\SNAGIT~1\SnagIt32.exe
    C:\PROGRA~1\TECHSM~1\SNAGIT~1\TSCHelp.exe
    C:\APM\apm.exe
    C:\DOCUME~1\Darius\LOCALS~1\Temp\Rar$EX01.547\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSClean\BOClean\BOClean.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Internet Explorer\setup.exe /LASTSCAN
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [Anti-keylogger check] C:\Program Files\Anti-keylogger\AntiKey.exe /checkautorun
    O4 - Startup: nstsr.exe
    O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix-eu.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37918.6831944444
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab




    Anyhow, here is the picture of the popup.

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi tempnexus,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com <= leave one of these

    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

    Then reboot.

    Do you know what this is for:
    O4 - Startup: nstsr.exe

    Regards,

    Pieter
     
  3. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    UpdReg.exe is the Creative Labs Sound Blaster thingy.
    nstsr.exe is NSClean.
    dcsresearch.com are private forums.
    kdx.cab is the GameSpot software delivery module.
     
  4. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I dumped a packet that the thing was trying to send as soon as I input a bogus username and password, and here it is.

    Strange, it is Microsoft... but why would it do that? I want to watch the packets now. What program can I use to do complete packet sniffing?

    File Version :      6.00.2800.1106 (xpsp1.020828-1920)
    File Description :   Windows Explorer (explorer.exe)
    File Path :      C:\WINDOWS\explorer.exe
    Process ID :      0xF18 (Hexadecimal) 3864 (Decimal)

    Connection origin :   local initiated
    Protocol :      TCP
    Local Address :    192.168.1.101
    Local Port :      3421
    Remote Name :      login.passport.com
    Remote Address :   65.54.231.240
    Remote Port :       443 (HTTPS - HTTP protocol over TLS/SSL)

    Ethernet packet details:
    Ethernet II (Packet Length: 80)
       Destination:    00-20-78-db-8c-65
       Source:    00-50-04-0f-00-c4
    Type: IP (0x0800)
    Internet Protocol
       Version: 4
       Header Length: 20 bytes
       Flags:
          .1.. = Don't fragment: Set
          ..0. = More fragments: Not set
       Fragment offset:0
       Time to live: 64
       Protocol: 0x6 (TCP - Transmission Control Protocol)
       Header checksum: 0x0 (Incorrect - Checksum should be 0x189f)
       Source: 192.168.1.101
       Destination: 65.54.231.240
    Transmission Control Protocol (TCP)
       Source port: 3421
       Destination port: 443
       Sequence number: 3777858265
       Acknowledgment number: 0
       Header length: 32
       Flags:
          0... .... = Congestion Window Reduce (CWR): Not set
          .0.. .... = ECN-Echo: Not set
          ..0. .... = Urgent: Not set
          ...0 .... = Acknowledgment: Not set
          .... 0... = Push: Not set
          .... .0.. = Reset: Not set
          .... ..1. = Syn: Set
          .... ...0 = Fin: Not set
       Checksum: 0x21d (Correct)
       Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 20 78 DB 8C 65 00 50 : 04 0F 00 C4 08 00 45 00 | . x..e.P......E.
    0010: 00 34 B0 77 40 00 40 06 : 00 00 C0 A8 01 65 41 36 | .4.w@.@......eA6
    0020: E7 F0 0D 5D 01 BB E1 2D : 8A D9 00 00 00 00 80 02 | ...]...-........
    0030: EB C0 1D 02 00 00 02 04 : 05 B4 01 03 03 02 01 01 | ................
    0040: 04 02 4B B0 78 FD 3B F0 : E2 E4 5C 3B 50 09 0F C2 | ..K.x.;...\;P...
     
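    The frame posted above, decoded field by field, as an added example that is not part of the thread (standard-library Python; it assumes nothing beyond the hex dump itself). It walks Ethernet II, IPv4 and TCP and recomputes both Internet checksums. Two things worth checking in that dump: the IP header checksum really is 0x0000, which on an outbound packet captured on the sending host is the usual sign of checksum offload (the driver hands the packet to the NIC before the field is filled in), not of tampering; and the sniffer prints both checksum values with their two bytes swapped, so its 0x189f and 0x21d are the bytes 9F 18 and 1D 02 that the decoder computes and finds in the dump. The segment is a bare SYN with no payload, so the credentials typed into the popup are not in this packet; whatever carries them comes later, inside the TLS session to port 443.

```python
"""Decode the Ethernet II / IPv4 / TCP SYN posted above and recheck both
Internet checksums (RFC 1071 one's-complement sum).  Standard library only."""
import struct

# The hex dump exactly as posted in the thread (the ASCII column is ignored).
PACKET_DUMP = r"""
0000: 00 20 78 DB 8C 65 00 50 : 04 0F 00 C4 08 00 45 00 | . x..e.P......E.
0010: 00 34 B0 77 40 00 40 06 : 00 00 C0 A8 01 65 41 36 | .4.w@.@......eA6
0020: E7 F0 0D 5D 01 BB E1 2D : 8A D9 00 00 00 00 80 02 | ...]...-........
0030: EB C0 1D 02 00 00 02 04 : 05 B4 01 03 03 02 01 01 | ................
0040: 04 02 4B B0 78 FD 3B F0 : E2 E4 5C 3B 50 09 0F C2 | ..K.x.;...\;P...
"""

TCP_FLAG_NAMES = [(0x100, "NS"), (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"),
                  (0x10, "ACK"), (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"),
                  (0x01, "FIN")]


def parse_hex_dump(dump: str) -> bytes:
    """Turn 'offset: xx xx .. : xx xx | ascii' lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, rest = line.split(":", 1)          # drop the offset column
        hex_part = rest.split("|", 1)[0].replace(":", " ")
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement 16-bit word sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(raw: bytes) -> dict:
    """Decode the kind/length/value options after the 20-byte TCP header."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                               # End of option list
            break
        if kind == 1:                               # NOP padding
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["window_scale"] = body[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        i += length
    return opts


def decode_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and verify the two checksums."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto, ip_csum = struct.unpack("!BBH", ip[8:12])
    # The header checksum is computed with its own field zeroed.
    ip_csum_expected = internet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl])

    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     tcp_csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, TCP length)
    # plus the whole segment with its checksum field zeroed.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_csum_expected = internet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

    return {
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "ttl": ttl,
        "ip_checksum_in_header": ip_csum,
        "ip_checksum_expected": ip_csum_expected,
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "tcp_options": parse_tcp_options(tcp[20:data_off]),
        "tcp_checksum_in_header": tcp_csum,
        "tcp_checksum_ok": tcp_csum == tcp_csum_expected,
        "payload_len": len(tcp) - data_off,
        # Bytes beyond the IP total length are frame trailer, not datagram.
        "trailer_len": len(frame) - 14 - total_len,
    }


if __name__ == "__main__":
    for key, value in decode_frame(parse_hex_dump(PACKET_DUMP)).items():
        if key.endswith(("_in_header", "_expected")):
            value = f"{value:#06x}"
        print(f"{key:24} {value}")
```

    Run it with python3 and it prints the decoded fields: a SYN from 192.168.1.101:3421 to 65.54.231.240:443, TTL 64, MSS 1460, window scale 2, SACK permitted, zero payload, an IP checksum of 0x0000 where 0x9f18 was expected, and a TCP checksum of 0x1d02 that verifies. The same two functions work on any single-frame dump in this format, so they can be pointed at whatever the next capture of this explorer.exe connection produces.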
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    dcsresearch.com was the old forum address for the DCS forums; it is OK to have one entry in the HOSTS file for that. The 20... one no longer exists, and you had the current one three times; once is sufficient.

    With what did you dump this packet? Does Port Explorer's Socket Spy help a bit too?

    Maybe I don't get those things because I already have a Hotmail account and probably some cookie for that.
    When you subscribe to any of the MS newsletters, like security updates, you already have an account, so I don't mind having that Hotmail account, which I read through the email client on my computer and can delete all the spam from without opening it; I only have to remember to visit the page every 30 days to keep the account. You will need it for support too, among other things.
    But I made my account on the page I visited myself, not via such a popup thing.

    I'm wondering how they get that promotion to you. Is it still coming after the fixes Pieter recommended?
     