Concerned about ENLOCSTR.EXE, possible infection?


8 replies to this topic

#1 Tetranitrocubane

  • Members
  • 9 posts

Posted 01 August 2009 - 09:05 PM

Recently I have had reason to believe that there might be an infection on my computer. The reasoning is subtle: Only once, I received a 'runtime error 216 @ address' message while doing routine system maintenance (weekly spybot scan). According to google, this is the sign of an infection by a trojan. I've not seen any other strange activity, or any evidence of a trojan, but I am wary. In order to address the issue, I have taken the following steps: 1.) Full system scan with updated NOD32. Twice. 2.) Full system scan with fully updated MalwareBytes Antimalware. Once normally, once in safemode to be sure. 3.) Full system scan with SpyBot S&D 1.6.2, twice.

All of these scans brought back no problems at all. In order to dig deeper, I began to look through my system32 folder for unfamiliar files. Within it, I found ENLOCSTR.EXE (yes, all caps as I've typed). This is an unfamiliar file to me, for certain, and Google doesn't help much except for a few worrisome threads about this being a potential trojan. If I scan this file directly with NOD32, it comes up clean. If I submit it to Virustotal, only one of 41 scanners detects it as a threat. Afterward, I scanned it directly with Spybot, using the context-menu right-click option in explorer. When I did this, it suddenly came up as a smitfraud.c variant. I've not seen it detected as one in any other way beyond this specific right-click method.

Since I have tried MBAM, NOD, and Spybot fully and come back with nothing, I'm uncertain as to how to proceed. Any help would be appreciated to ensure that my system is safe and uninfected. In terms of background information, I am running XP SP3, I am fully patched, and I browse using Opera. Thank you!


#2 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 01 August 2009 - 11:11 PM

Is the file 5 KB?

What's your sound card, chipset?
Chewy

No. Try not. Do... or do not. There is no try.

#3 Tetranitrocubane
  • Topic Starter

  • Members
  • 9 posts

Posted 01 August 2009 - 11:29 PM

Is the file 5 KB?

What's your sound card, chipset?


The file is actually 4 KB. The virus total report is here.

The sound card is a Creative X-Fi.

#4 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 01 August 2009 - 11:40 PM

Correlate the date with other files from the sound drivers
Chewy

No. Try not. Do... or do not. There is no try.

#5 Tetranitrocubane
  • Topic Starter

  • Members
  • 9 posts

Posted 01 August 2009 - 11:48 PM

Correlate the date with other files from the sound drivers


Dang. Nice thinking!

The date on the ENLOCSTR.EXE for creation is 8/17/2006. I didn't know what files were associated with the sound drivers, so I pulled up a dxdiag printout and looked at the sound driver portion. Most of the relevant files have an 8/17/2006 creation date, within minutes of the ENLOCSTR.EXE creation date. However, I don't see ENLOCSTR.EXE on this list, itself! What's your opinion on the matter?

Name: Creative SB X-Fi
Device ID: PCI\VEN_1102&DEV_0005&SUBSYS_00311102&REV_00\4&19ABE7DE&0&10F0
Driver: C:\WINDOWS\system32\ksuser.dll, 5.03.2600.5512 (English), 4/13/2008 17:11:56, 4096 bytes
Driver: C:\WINDOWS\system32\ksproxy.ax, 5.03.2600.5512 (English), 4/13/2008 17:12:42, 129536 bytes
Driver: C:\WINDOWS\system32\drivers\ks.sys, 5.03.2600.5512 (English), 4/13/2008 12:16:36, 141056 bytes
Driver: C:\WINDOWS\system32\drivers\drmk.sys, 5.01.2600.5512 (English), 4/13/2008 11:45:14, 60160 bytes
Driver: C:\WINDOWS\system32\drivers\portcls.sys, 5.01.2600.5512 (English), 4/13/2008 12:19:41, 146048 bytes
Driver: C:\WINDOWS\system32\drivers\stream.sys, 5.03.2600.5512 (English), 4/13/2008 11:45:15, 49408 bytes
Driver: C:\WINDOWS\system32\wdmaud.drv, 5.01.2600.5512 (English), 4/13/2008 17:12:45, 23552 bytes
Driver: C:\WINDOWS\system32\drivers\ctac32k.sys, 5.12.0001.1187 (English), 8/17/2006 11:14:24, 502272 bytes
Driver: C:\WINDOWS\system32\drivers\ctaud2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:17:10, 500480 bytes
Driver: C:\WINDOWS\system32\drivers\ctoss2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:15:00, 116224 bytes
Driver: C:\WINDOWS\system32\drivers\ctprxy2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:17:12, 7168 bytes
Driver: C:\WINDOWS\system32\drivers\ctsfm2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:14:42, 143872 bytes
Driver: C:\WINDOWS\system32\drivers\emupia2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:14:38, 78336 bytes
Driver: C:\WINDOWS\system32\drivers\ha10kx2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:15:24, 765952 bytes
Driver: C:\WINDOWS\system32\drivers\haP16v2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:15:32, 154112 bytes
Driver: C:\WINDOWS\system32\drivers\haP17v2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:15:38, 180224 bytes
Driver: C:\WINDOWS\system32\drivers\ha20x2k.sys, 5.12.0001.1187 (English), 8/17/2006 11:16:32, 1110528 bytes
Driver: C:\WINDOWS\system32\drivers\pfmodnt.sys, 3.00.0000.0012 (English), 8/17/2006 11:32:56, 8192 bytes
Driver: C:\WINDOWS\system32\ctdlang.dat, 8/17/2006 11:22:58, 323640 bytes
Driver: C:\WINDOWS\system32\ctdnlstr.dat, 8/17/2006 11:22:58, 44567 bytes
Driver: C:\WINDOWS\system32\ctstatic.dat, 8/17/2006 11:11:10, 313207 bytes
Driver: C:\WINDOWS\system32\ctdaught.dat, 8/17/2006 11:11:10, 53932 bytes
Driver: C:\WINDOWS\system32\a3d.dll, 80.00.0000.0003 (English), 8/17/2006 11:32:46, 33792 bytes
Driver: C:\WINDOWS\system32\commonfx.dll, 5.12.0001.1187 (English), 8/17/2006 11:20:36, 87552 bytes
Driver: C:\WINDOWS\system32\ctaudfx.dll, 5.12.0001.1187 (English), 8/17/2006 11:20:48, 536576 bytes
Driver: C:\WINDOWS\system32\ctsblfx.dll, 5.12.0001.1187 (English), 8/17/2006 11:21:30, 548352 bytes
Driver: C:\WINDOWS\system32\cteapsfx.dll, 5.12.0001.1187 (English), 8/17/2006 11:21:12, 160768 bytes
Driver: C:\WINDOWS\system32\CTEXFIFX.dll, 5.12.0001.1187 (English), 8/17/2006 11:21:44, 1170432 bytes
Driver: C:\WINDOWS\system32\CTHWIUT.DLL, 5.12.0001.1187 (English), 8/17/2006 11:22:02, 61952 bytes
Driver: C:\WINDOWS\system32\CT20XUT.DLL, 5.12.0001.1187 (English), 8/17/2006 11:22:00, 158720 bytes
Driver: C:\WINDOWS\system32\ctemupia.dll, 5.12.0001.1187 (English), 8/17/2006 11:22:02, 108032 bytes
Driver: C:\WINDOWS\system32\piaproxy.dll, 5.12.0001.1187 (English), 8/17/2006 11:14:28, 73728 bytes
Driver: C:\WINDOWS\system32\ctdproxy.dll, 5.12.0001.1187 (English), 8/17/2006 11:16:38, 71680 bytes
Driver: C:\WINDOWS\system32\sfman32.dll, 5.12.0001.0130 (English), 8/17/2006 11:14:50, 21504 bytes
Driver: C:\WINDOWS\system32\data\cts20x.dat, 8/17/2006 11:11:10, 2091 bytes
Driver: C:\WINDOWS\system32\data\ctd20x.dat, 8/17/2006 11:11:10, 15899 bytes
Driver: C:\WINDOWS\system32\SBXFi.ico, 2/7/2005 17:45:22, 766 bytes
Driver: C:\WINDOWS\system32\XFi.bmp, 2/7/2005 17:45:22, 3128 bytes
Driver: C:\WINDOWS\system32\ctcoinst.dll, 3.00.0002.0036 (English), 8/17/2006 11:33:36, 81920 bytes
Driver: C:\WINDOWS\system32\ctdvinst.dll, 0.04.0000.0036 (English), 8/17/2006 11:33:36, 146432 bytes
Driver: C:\WINDOWS\system32\drivers\ctdvda2k.sys, 5.13.0001.0461 (English), 8/17/2006 11:23:00, 340176 bytes

#6 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 August 2009 - 12:03 AM

the paranoid view

http://forums.spybot.info/showthread.php?t=35758

No other clues, the all caps is worrisome
Chewy

No. Try not. Do... or do not. There is no try.

#7 Tetranitrocubane
  • Topic Starter

  • Members
  • 9 posts

Posted 02 August 2009 - 12:08 AM

the paranoid view

http://forums.spybot.info/showthread.php?t=35758

No other clues, the all caps is worrisome


I'd seen that thread and been quite worried about it. Between the all caps, the file size difference, and the lack of this driver being listed in the dxdiag listing, I'm very hesitant to consider it safe. I've not found any of the other infections mentioned there, but I'm not sure what the next steps to take might be.

Anyhow, thank you very much. I appreciate the rapid and helpful assistance.

EDIT: I will add, this certainly doesn't seem much like a smitfraud infection. I've not even seen a single popup or irregularity I might normally attribute to smit.

Edited by Tetranitrocubane, 02 August 2009 - 12:09 AM.


#8 DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 02 August 2009 - 12:52 AM

I suspect there have been several versions of that sound driver, I found a few instances in dxdiag logs, but they were all small letters. Sizes varied.

There may have even been special versions for certain games?
Chewy

No. Try not. Do... or do not. There is no try.

#9 Tetranitrocubane
  • Topic Starter

  • Members
  • 9 posts

Posted 02 August 2009 - 01:14 AM

I suspect there have been several versions of that sound driver, I found a few instances in dxdiag logs, but they were all small letters. Sizes varied.

There may have even been special versions for certain games?


In one other thread I've seen, the file was all caps - the only mention of it was an instruction to submit it to a similar VirusTotal site, and then submit it for analysis. I'm pretty sure that there probably are multiple versions of the legit file, but I'm unsure of what this one is - particularly with the all caps.

I've submitted samples to NOD and Spybot, and additionally quarantined the file and deleted it for the time being. I figure, if the file isn't being used as a driver, there's no reason to take the risk. Unfortunately, beyond rescanning over and over, I'm not sure there's much more I can do but wait for viral symptoms to crop up in order to figure out if I am infected.

Thanks again for the guidance and input on this matter. I do appreciate it.
