Nov 26th, 2004

browser hijack
I'm gonna kill my housemates.

Dunno what they were looking at, but occasionally, and only occasionally, I get linked to a casino website telling me I can 'play with nude girls' (much to my fiancé's dismay :o ) and I also get a 'security warning' window popup (it looks quite official in its design) telling me that 'windows firewall is detecting suspicious activity'. This is odd for one main reason: I'm not running Windows Firewall!

I've run Ad-Aware and Spybot S&D; they both found a little bit of stuff, but none of it fixed this particular hijack. I've also taken heed of this occurrence, and have downloaded and am now under SpywareBlaster's protection.

I've tried, and failed, to remove it myself.

Any help would be greatly appreciated:

Logfile of HijackThis v1.98.2
Scan saved at 20:55:46, on 26/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINNT\system32\msswch.exe
C:\WINNT\system32\netddx.exe
C:\Program Files\Winamp\winampa.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab

I'm running Windows 2000 Pro, SP4.

P.S. If the warning comes up, I'll post another log with that warning still running. I guess it may help.



Last edited by crunchie; Nov 27th, 2004 at 2:04 am.
gecko614
Nov 26th, 2004

Re: browser hijack

I've done some research, after many more scans with many more programs, and found I have a problem.

It's called adsnp.dll.

Google yields very few results on this (less than one page's worth), but I will look through them and see if I can figure this out for myself.

Now, I'm not sure what creates it, but it didn't 'exist' on my PC in normal mode, so no anti-virus software could get rid of it, and I couldn't see it, so I couldn't delete it. Also, renaming something to adsnp.dll makes that file disappear, so I can't even overwrite it, then delete that file.

I decided to go into safe mode, and sure enough, there it was, so I deleted it.
However, on restarting into normal mode, the DLL is still active, as my AV software is warning me of its existence every time I open a window, be it 'IE' or just 'My Computer'.

Also, the "O15 - Trusted Zone: http://*.63.219.181.7" must have something to do with it, as every time I try to remove that, it reappears on the next scan, even if I do it right there and then.

Feel free to give any suggestions; I'm gonna try and figure it out for myself, but hey, the more the merrier, right?

-G
gecko614
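A small triage script for the O15 entry discussed in the log and in the post above. This is an added example, not code from the thread or from HijackThis; the sample log is a constructed excerpt of the posted one plus one made-up named-domain entry, and the ZoneMap registry path in the docstring is where Internet Explorer keeps zone assignments.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed excerpt of the HijackThis v1.98 log posted in this thread, plus one
# made-up named-domain O15 entry so the rule has a benign case to leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: *.example-update.test
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/r.cab
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn every 'Onn - ...' line into {'section': 'Onn', 'body': '...'}."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"section": m.group(1), "body": m.group(2)})
    return records

def zone_host(body: str) -> str:
    """'Trusted Zone: http://*.63.219.181.7' -> '63.219.181.7'."""
    target = body.split(":", 1)[1].strip()          # drop the 'Trusted Zone' label
    target = re.sub(r"^[A-Za-z]+://", "", target)   # drop an optional http:// scheme
    return target.lstrip("*.")                      # drop the sub-host wildcard

def is_ipv4(host: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False

def ip_trusted_zone_hosts(text: str) -> List[str]:
    r"""Hosts of O15 Trusted Zone entries that are bare IPv4 addresses.

    Legitimate software almost never trusts a raw IP, and an entry that returns
    right after HijackThis removes it (as in this thread) means something still
    running is re-writing the ZoneMap keys under
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    (HKLM has the same path), which is why fixing it from safe mode is advised.
    """
    return [zone_host(r["body"]) for r in parse_log(text)
            if r["section"] == "O15" and is_ipv4(zone_host(r["body"]))]
```

Running `ip_trusted_zone_hosts(SAMPLE_LOG)` returns only the bare-IP host, so the named-domain entry is left alone.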
Nov 26th, 2004

Re: browser hijack

Mostly just to keep you all updated on my progress (gosh, I'm proud of myself for not just letting someone else do it for me), I seem to have got rid of the adsnp.dll thing altogether now; well, it doesn't give me any warnings when I open something to do with Explorer, at least. I will run ANOTHER virus check later on to be sure.

I got rid of it by starting in safe mode, then deleting the DLL itself, and going into regedit and deleting every reference to it as well.

However, it seems that was totally (maybe) unrelated to my initial problem, as the 'O15 trusted zone' still reappears instantly on every re-scan with HJT.

Haven't seen the firewall warning in some time though, and I haven't received an offer to play with nude girls either for a while. I'll have to surf for a while to see if they crop up.

I'll keep y'all posted.

-G
gecko614
Nov 26th, 2004

Re: browser hijack

Might I suggest this process; it will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Also check this out:
How I got infected in the first place.
caperjack
Nov 26th, 2004

Re: browser hijack

Quote originally posted by gecko614 ...
I've done some research, after many more scans with many more programs, and found I have a problem.

It's called adsnp.dll.

Google yields very few results on this (less than one page's worth), but I will look through them and see if I can figure this out for myself.

Now, I'm not sure what creates it, but it didn't 'exist' on my PC in normal mode, so no anti-virus software could get rid of it, and I couldn't see it, so I couldn't delete it. Also, renaming something to adsnp.dll makes that file disappear, so I can't even overwrite it, then delete that file.

I decided to go into safe mode, and sure enough, there it was, so I deleted it.
However, on restarting into normal mode, the DLL is still active, as my AV software is warning me of its existence every time I open a window, be it 'IE' or just 'My Computer'.

Also, the "O15 - Trusted Zone: http://*.63.219.181.7" must have something to do with it, as every time I try to remove that, it reappears on the next scan, even if I do it right there and then.

Feel free to give any suggestions; I'm gonna try and figure it out for myself, but hey, the more the merrier, right?

-G
Try running HijackThis in safe mode and fix that O15.
caperjack
Nov 27th, 2004

Re: browser hijack

Haven't done either yet, caper; I'll give them a go in a bit. It's getting late (early?) now, so I'm gonna get some sleep.

But just to keep you all posted, the firewall message hasn't come up since, and my PC has been on the whole time; also, I haven't had an offer to play with nude girls either. So it seems I managed to fix it myself... yay me!

I'll get the other stuff sorted in the morning, and let you know how I get on.

nn all

-G
gecko614