Got infected Can't locate it

Ok somehow I got infected, the thing whatever it is has hijacked my explorer.exe but I can't find it. I run Nod32, KAV, Norton2004, TDS-3 and BoClean and everything comes up clean. But I know that I am infected since each time I want to browse my local settings or Windows folder (i.e. C:\Documents and Settings\Darius\Local Settings) I get this popup box...if I type in Junk my explorer.exe tries to communicate with the internet. c:\windows\explorer.exe Checked that file...it appears to be ok, the DLL's associated with it are what I am running...but I have soo many dll's that I don't know what's what.

MY HIJACK THIS LOG.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aksrvnt.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ProcessGuard Free\pg_msgprot.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\wlglupsb.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Documents and Settings\Darius\Start Menu\Programs\Startup\nstsr.exe
C:\Program Files\NSClean\BOClean\BOClean.EXE
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\APM\apm.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\TECHSM~1\SNAGIT~1\SnagIt32.exe
C:\PROGRA~1\TECHSM~1\SNAGIT~1\TSCHelp.exe
C:\APM\apm.exe
C:\DOCUME~1\Darius\LOCALS~1\Temp\Rar$EX01.547\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSClean\BOClean\BOClean.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Internet Explorer\setup.exe /LASTSCAN
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Anti-keylogger check] C:\Program Files\Anti-keylogger\AntiKey.exe /checkautorun
O4 - Startup: nstsr.exe
O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: AdShield (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix-eu.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37918.6831944444
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab




Anyhow here is the picture of the popup.

 

Hi tempnexus,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com <= leave one of these

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Then reboot.

Do you know what this is for:
O4 - Startup: nstsr.exe

Regards,

Pieter

 

Updreg.exe is creative labs sound blaster thingy
Nstsr.exe is NsClean
Dcsresearch.com are private forums
kdx.cab is gamespot software delivery module

 

I dumped a packet that the thing was trying to send as soon as I input bogus username and password and here it is.

STRANGE IT IS MICROSOFT...BUT WHY WOULD IT DO THAT? I WANT TO WATCH THE PACKETS NOW....what program can I use to do a complete packet sniffing?

File Version :      6.00.2800.1106 (xpsp1.020828-1920)
File Description :   Windows Explorer (explorer.exe)
File Path :      C:\WINDOWS\explorer.exe
Process ID :      0xF18 (Heximal) 3864 (Decimal)

Connection origin :   local initiated
Protocol :      TCP
Local Address :    192.168.1.101
Local Port :      3421
Remote Name :      login.passport.com
Remote Address :   65.54.231.240
Remote Port :       443 (HTTPS - HTTP protocol over TLS/SSL)

Ethernet packet details:
Ethernet II (Packet Length: 80)
   Destination:    00-20-78-db-8c-65
   Source:    00-50-04-0f-00-c4
Type: IP (0x0800)
Internet Protocol
   Version: 4
   Header Length: 20 bytes
   Flags:
      .1.. = Don't fragment: Set
      ..0. = More fragments: Not set
   Fragment offset:0
   Time to live: 64
   Protocol: 0x6 (TCP - Transmission Control Protocol)
   Header checksum: 0x0 (Incorrect - Checksum should be 0x189f)
   Source: 192.168.1.101
   Destination: 65.54.231.240
Transmission Control Protocol (TCP)
   Source port: 3421
   Destination port: 443
   Sequence number: 3777858265
   Acknowledgment number: 0
   Header length: 32
   Flags:
      0... .... = Congestion Window Reduce (CWR): Not set
      .0.. .... = ECN-Echo: Not set
      ..0. .... = Urgent: Not set
      ...0 .... = Acknowledgment: Not set
      .... 0... = Push: Not set
      .... .0.. = Reset: Not set
      .... ..1. = Syn: Set
      .... ...0 = Fin: Not set
   Checksum: 0x21d (Correct)
   Data (0 Bytes)

Binary dump of the packet:
0000: 00 20 78 DB 8C 65 00 50 : 04 0F 00 C4 08 00 45 00 | . x..e.P......E.
0010: 00 34 B0 77 40 00 40 06 : 00 00 C0 A8 01 65 41 36 | .4.w@.@......eA6
0020: E7 F0 0D 5D 01 BB E1 2D : 8A D9 00 00 00 00 80 02 | ...]...-........
0030: EB C0 1D 02 00 00 02 04 : 05 B4 01 03 03 02 01 01 | ................
0040: 04 02 4B B0 78 FD 3B F0 : E2 E4 5C 3B 50 09 0F C2 | ..K.x.;...\;P...

 

dcsresearch.com was the old forum address for the DCS forums; it is ok to have one in the HOSTS file for that, the 20... no longer exists and you had 3 times the current one, one time is sufficient.

With what did you dump this packet? Does Port Explorer Socket Spy help a bit too?

Maybe i don't get those things because i already have a hotmail account and probably some cookie for that.
When you subscribe to any of MS newsletters like security updates you already have an account so i don't mind to have that hotmail account, which i read through my email client on my computer and can delete all the spam without opening -- only have to remember every 30 days to visit the page to keep the account. You will need it for support too, among others.
But i made my account on the page i visited myself, not via such a popup thing.

Wondering how they get that promotion to you, still coming after the fixes Pieter recommended?