Got infected Can't locate it

Discussion in 'Trojan Defence Suite' started by tempnexus, Mar 5, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    OK, somehow I got infected. The thing, whatever it is, has hijacked my explorer.exe, but I can't find it. I run NOD32, KAV, Norton 2004, TDS-3 and BOClean and everything comes up clean. But I know that I am infected, since each time I want to browse my Local Settings or Windows folder (i.e. C:\Documents and Settings\Darius\Local Settings) I get this popup box... if I type in junk, my explorer.exe tries to communicate with the internet. c:\windows\explorer.exe: checked that file... it appears to be OK; the DLLs associated with it are what I am running... but I have so many DLLs that I don't know what's what.

    My HijackThis log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\aksrvnt.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\ProcessGuard Free\pg_msgprot.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
    C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\WINDOWS\System32\wlglupsb.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Documents and Settings\Darius\Start Menu\Programs\Startup\nstsr.exe
    C:\Program Files\NSClean\BOClean\BOClean.EXE
    C:\WINDOWS\System32\DllHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\APM\apm.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\PROGRA~1\TECHSM~1\SNAGIT~1\SnagIt32.exe
    C:\PROGRA~1\TECHSM~1\SNAGIT~1\TSCHelp.exe
    C:\APM\apm.exe
    C:\DOCUME~1\Darius\LOCALS~1\Temp\Rar$EX01.547\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [BOCleanautostart] C:\PROGRA~1\NSClean\BOClean\BOClean.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKLM\..\Run: [SpyCop ScanCheck] C:\Program Files\Internet Explorer\setup.exe /LASTSCAN
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [Anti-keylogger check] C:\Program Files\Anti-keylogger\AntiKey.exe /checkautorun
    O4 - Startup: nstsr.exe
    O4 - Startup: Process Guard.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
    O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
    O8 - Extra context menu item: Add to &Exclude List... - C:\PROGRA~1\AdShield\AdShield\restrict.htm
    O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: AdShield (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix-eu.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37918.6831944444
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
    Anyhow here is the picture of the popup.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,435
    Location:
    Netherlands
    Hi tempnexus,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com <= leave one of these

    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

    Then reboot.

    Do you know what this is for:
    O4 - Startup: nstsr.exe

    Regards,

    Pieter
     
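A way to triage the O1 (hosts) and O2 (BHO) lines of a HijackThis log automatically, so the duplicate and conflicting hosts entries and the orphan BHO that Pieter picked out by hand are flagged by a script. This is an added example, not part of the thread and not HijackThis's own code. The O1/O2 sample lines are copied from the log in the first post; the raw hosts-file excerpt is constructed for illustration, as is the `keep_after_fix` helper that models "leave one of these".

```python
"""Triage HijackThis O1/O2 lines and a raw hosts file: report hostnames mapped to
more than one address, exact duplicate entries, and BHOs whose DLL is missing.
Added example; O1/O2 lines copied from the first post's log, hosts excerpt constructed."""
import re
from collections import Counter, defaultdict

HJT_LINES = [
    r"O1 - Hosts: 203.161.127.141 www.dcsresearch.com",
    r"O1 - Hosts: 64.91.255.87 www.dcsresearch.com",
    r"O1 - Hosts: 64.91.255.87 www.dcsresearch.com",
    r"O1 - Hosts: 64.91.255.87 www.dcsresearch.com",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)",
]

# Constructed excerpt of C:\WINDOWS\system32\drivers\etc\hosts with the same
# entries the log shows, plus comments and a two-name line.
HOSTS_FILE = r"""
# constructed excerpt, not the poster's real file
127.0.0.1       localhost
203.161.127.141 www.dcsresearch.com
64.91.255.87    www.dcsresearch.com   # re-added after a forum move
64.91.255.87    www.dcsresearch.com
64.91.255.87    www.dcsresearch.com dcsresearch.com
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def parse_hosts_file(text):
    """Yield (ip, hostname) pairs from a raw hosts file: strip '#' comments,
    skip blank lines, and expand lines that list several names for one address."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def triage_o1(pairs):
    """Group (ip, host) pairs by hostname; flag conflicts and exact duplicates."""
    pairs = list(pairs)
    by_host = defaultdict(set)
    for ip, host in pairs:
        by_host[host].add(ip)
    counts = Counter(pairs)
    return {
        "conflicts": {h: sorted(ips) for h, ips in by_host.items() if len(ips) > 1},
        "duplicates": {p: n for p, n in counts.items() if n > 1},
        "unique_entries": sorted(set(pairs)),
    }


def triage_log(lines):
    """Run the O1 triage over a HijackThis log and collect BHO CLSIDs with '(no file)'."""
    o1, orphan_bhos = [], []
    for line in lines:
        m = O1_RE.match(line)
        if m:
            o1.append((m.group(1), m.group(2).lower()))
            continue
        m = O2_RE.match(line)
        if m and m.group(3).strip() == "(no file)":
            orphan_bhos.append(m.group(2))
    report = triage_o1(o1)
    report["orphan_bhos"] = orphan_bhos
    return report


def keep_after_fix(report, drop_ips):
    """Entries that survive 'fix checked': one copy each, minus dead addresses (hypothetical helper)."""
    return [p for p in report["unique_entries"] if p[0] not in drop_ips]


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage_log(HJT_LINES))
    pprint.pprint(triage_o1(parse_hosts_file(HOSTS_FILE)))
```

The same triage runs on the real hosts file, which is what HijackThis edits underneath; hostnames are lower-cased because the resolver matches them case-insensitively, so `WWW.dcsresearch.com` and `www.dcsresearch.com` would otherwise look like two entries.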
  3. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    UpdReg.exe is the Creative Labs Sound Blaster thingy.
    nstsr.exe is NSClean.
    dcsresearch.com is a private forum.
    kdx.cab is the GameSpot software delivery module.
     
  4. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I dumped a packet that the thing was trying to send as soon as I input a bogus username and password, and here it is.

    Strange, it is Microsoft... but why would it do that? I want to watch the packets now... what program can I use to do complete packet sniffing?

    File Version :      6.00.2800.1106 (xpsp1.020828-1920)
    File Description :   Windows Explorer (explorer.exe)
    File Path :      C:\WINDOWS\explorer.exe
    Process ID :      0xF18 (Heximal) 3864 (Decimal)

    Connection origin :   local initiated
    Protocol :      TCP
    Local Address :    192.168.1.101
    Local Port :      3421
    Remote Name :      login.passport.com
    Remote Address :   65.54.231.240
    Remote Port :       443 (HTTPS - HTTP protocol over TLS/SSL)

    Ethernet packet details:
    Ethernet II (Packet Length: 80)
       Destination:    00-20-78-db-8c-65
       Source:    00-50-04-0f-00-c4
    Type: IP (0x0800)
    Internet Protocol
       Version: 4
       Header Length: 20 bytes
       Flags:
          .1.. = Don't fragment: Set
          ..0. = More fragments: Not set
       Fragment offset:0
       Time to live: 64
       Protocol: 0x6 (TCP - Transmission Control Protocol)
       Header checksum: 0x0 (Incorrect - Checksum should be 0x189f)
       Source: 192.168.1.101
       Destination: 65.54.231.240
    Transmission Control Protocol (TCP)
       Source port: 3421
       Destination port: 443
       Sequence number: 3777858265
       Acknowledgment number: 0
       Header length: 32
       Flags:
          0... .... = Congestion Window Reduce (CWR): Not set
          .0.. .... = ECN-Echo: Not set
          ..0. .... = Urgent: Not set
          ...0 .... = Acknowledgment: Not set
          .... 0... = Push: Not set
          .... .0.. = Reset: Not set
          .... ..1. = Syn: Set
          .... ...0 = Fin: Not set
       Checksum: 0x21d (Correct)
       Data (0 Bytes)

    Binary dump of the packet:
    0000: 00 20 78 DB 8C 65 00 50 : 04 0F 00 C4 08 00 45 00 | . x..e.P......E.
    0010: 00 34 B0 77 40 00 40 06 : 00 00 C0 A8 01 65 41 36 | .4.w@.@......eA6
    0020: E7 F0 0D 5D 01 BB E1 2D : 8A D9 00 00 00 00 80 02 | ...]...-........
    0030: EB C0 1D 02 00 00 02 04 : 05 B4 01 03 03 02 01 01 | ................
    0040: 04 02 4B B0 78 FD 3B F0 : E2 E4 5C 3B 50 09 0F C2 | ..K.x.;...\;P...
     
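The dump above decoded by hand: the 80 captured bytes are a bare TCP SYN (no payload) from 192.168.1.101:3421 to 65.54.231.240:443 carrying an MSS of 1460, window scale 2 and SACK-permitted, and only 66 of the 80 bytes belong to the IP datagram (14 trailer bytes follow). Two points a practitioner would check before reading anything into the "Incorrect" checksum line: a zero IP header checksum on a locally captured outbound packet normally means the capture point sits above the layer that fills it in (the NIC, when checksum offload is on) and is not by itself a sign of tampering, and the tool prints both checksums with their bytes swapped (it says 0x189f where the bytes on the wire would be 9f 18, and 0x21d where the dump shows 1d 02). The decoder below, added here as an example and not code from the thread or from the tool that produced the dump, recomputes both checksums in network byte order; `FRAME_HEX` is copied from the post's binary dump.

```python
"""Decode the Ethernet/IPv4/TCP headers of the frame dumped in the post and
recompute the IP header and TCP checksums (RFC 1071, with the TCP pseudo-header).
Added example; FRAME_HEX is the post's 80-byte binary dump, offsets 0x00-0x4f."""
import struct

FRAME_HEX = (
    "0020 78db 8c65 0050 040f 00c4 0800 4500"
    " 0034 b077 4000 4006 0000 c0a8 0165 4136"
    " e7f0 0d5d 01bb e12d 8ad9 0000 0000 8002"
    " ebc0 1d02 0000 0204 05b4 0103 0302 0101"
    " 0402 4bb0 78fd 3bf0 e2e4 5c3b 5009 0fc2"
)
FRAME = bytes.fromhex(FRAME_HEX.replace(" ", ""))

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def inet_checksum(data: bytes) -> int:
    """Internet checksum over big-endian 16-bit words, returned complemented,
    i.e. the value that belongs in the header field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(b: bytes) -> str:
    return "-".join("%02x" % x for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_tcp_options(raw: bytes) -> dict:
    """Decode the option kinds a SYN usually carries: MSS (2), window scale (3), SACK-permitted (4)."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP padding, no length byte
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["window_scale"] = body[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        else:
            opts["kind_%d" % kind] = body.hex()
        i += length
    return opts


def decode_frame(frame: bytes) -> dict:
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % eth_type)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, ip_csum) = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    # Bound the datagram by the IP total length, not the frame length: the frame
    # carries trailer bytes after the datagram that would corrupt the TCP checksum.
    datagram = ip[:total_len]
    ip_hdr = datagram[:ihl]
    ip_csum_calc = inet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    tcp = datagram[ihl:]
    (sport, dport, seq, ack, data_off_byte, flags,
     window, tcp_csum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (data_off_byte >> 4) * 4
    # Pseudo-header: src, dst, zero, protocol, TCP length (header + payload).
    pseudo = datagram[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    tcp_csum_calc = inet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    return {
        "eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
        "ip": {
            "src": ipv4(datagram[12:16]), "dst": ipv4(datagram[16:20]),
            "id": ident, "ttl": ttl, "total_length": total_len,
            "dont_fragment": bool(flags_frag & 0x4000),
            "checksum_in_packet": ip_csum, "checksum_expected": ip_csum_calc,
            "checksum_ok": ip_csum == ip_csum_calc,
        },
        "tcp": {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)],
            "window": window, "header_length": data_off,
            "options": parse_tcp_options(tcp[20:data_off]),
            "payload_length": len(tcp) - data_off,
            "checksum_in_packet": tcp_csum, "checksum_expected": tcp_csum_calc,
            "checksum_ok": tcp_csum == tcp_csum_calc,
        },
        "trailer_bytes": len(ip) - total_len,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(decode_frame(FRAME))
```

Because the segment is a SYN with no data, there is nothing in it to tell you what explorer.exe intended to send; what it does establish is the destination (port 443 on the address the tool resolved as login.passport.com) and that the connection was initiated locally. Seeing the content would require capturing after the TLS handshake on the host side, which a packet sniffer on the wire cannot do.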
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    dcsresearch.com was the old forum address for the DCS forums; it is OK to have one entry in the HOSTS file for that. The 20... address no longer exists, and you had the current one three times; once is sufficient.

    With what did you dump this packet? Does Port Explorer Socket Spy help a bit too?

    Maybe I don't get those things because I already have a Hotmail account and probably some cookie for that.
    When you subscribe to any of the MS newsletters, like security updates, you already have an account, so I don't mind having that Hotmail account, which I read through my email client on my computer; I can delete all the spam without opening it and only have to remember to visit the page every 30 days to keep the account. You will need it for support too, among other things.
    But I made my account on the page I visited myself, not via such a popup thing.

    I'm wondering how they get that promotion to you; is it still coming after the fixes Pieter recommended?
     