im gonna kill my housemates.

dunno what they were lookin at, but occasionally, and only occasionally, i get a linked to a casino website telling me i can 'play with nude girls' (much to my fiancés dismay :o ) and i also get a 'security warning' window popup (it looks quite official in its design) telling me that 'windows firewall is detecting suspicious activity' this is odd for one main reason- im not running windows firewall!

i've ran adaware, and spybot S&D, they both found a little bit of stuff, but none of it fixed this particular hijack. i've also taken heed of this occurance, and have downloaded and am now under spyware blasters' protection.

i've tried, and failed, to remove it myself.

any help would be greatly appreciated:

Logfile of HijackThis v1.98.2
Scan saved at 20:55:46, on 26/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINNT\system32\msswch.exe
C:\WINNT\system32\netddx.exe
C:\Program Files\Winamp\winampa.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk =

C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

im running windows 2kpro, SP4.

p.s. if the warning comes up, i'll post another log, with that warning still running. i guess it may help.

here it is

Logfile of HijackThis v1.98.2
Scan saved at 20:55:46, on 26/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINNT\system32\msswch.exe
C:\WINNT\system32\netddx.exe
C:\Program Files\Winamp\winampa.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Steam] "d:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk =

C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

All 5 Replies

i've done some research, after many more scans with many more programs, and found i have a problem

google yields very few results on this (less than 1 pages worth), but i will look through them and see if i can figure this out for myself :D

now, im not sure what creates it, but it didnt 'exist' on my PC in normal mode, so no anti-virus software could get rid of it, and i couldnt see it, so i couldnt delete it, also, renaming something to adsnp.dll makes that file disapear, so i cant even overwrite it, then delete that file.

i decided to go into safe mode, and sure enough, there it was, so i deleted it.
however, on restarting into normal mode, the DLL is still active, as my AV software is warning me of its existence every time i open a window, be it 'IE', or just 'my computer'

also, the "O15 - Trusted Zone: http://*.63.219.181.7" must have something to do with it, as every time i try to remove that, it reapears on the next scan, even if i do it right there and then.

feel free to give any suggestions, im gonna try and figure it out for myself, but hey, the more the merrier, right?

-G

mostly just to keep you all updated on my progress (gosh, im proud of myself for not just letting someone else do it for me :D ) i seem to have got rid of the adsnp.dll thing all together now, well, it doesnt give me any warnings when i open something to do with explorer, atleast. i will run ANOTHER virus check later on to be sure.

i got rid of it by: starting in safe mode, then deleting the dll itself, and going into regedit, and deleting every reference to it as well.

however, it seems that was totally (maybe) unrelated to my initial problem, as the '015 trusted zone' still reapears instantly on every re-scan with HJT.

havent seen the firewall warning in some time though, and, i havent recieved an offer to play with nude girls either for a while. i'll have to surf for a while to see if they crop up.

i'll keep ya'll posted :D

-G

Might i suggest ,This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Alo check this out ,,,
How I got infected in the first place .

i've done some research, after many more scans with many more programs, and found i have a problem

google yields very few results on this (less than 1 pages worth), but i will look through them and see if i can figure this out for myself :D

now, im not sure what creates it, but it didnt 'exist' on my PC in normal mode, so no anti-virus software could get rid of it, and i couldnt see it, so i couldnt delete it, also, renaming something to adsnp.dll makes that file disapear, so i cant even overwrite it, then delete that file.

i decided to go into safe mode, and sure enough, there it was, so i deleted it.
however, on restarting into normal mode, the DLL is still active, as my AV software is warning me of its existence every time i open a window, be it 'IE', or just 'my computer'

also, the "O15 - Trusted Zone: http://*.63.219.181.7" must have something to do with it, as every time i try to remove that, it reapears on the next scan, even if i do it right there and then.

feel free to give any suggestions, im gonna try and figure it out for myself, but hey, the more the merrier, right?

-G

Try running Hijackthis in safe mode and fix that 015

havent done either yet caper, i'll give them a go in a bit. its getting late (early?) now, so im gonna get some sleep.

but just to keep you all posted, the firewall message hasnt came up since, and my PC has been on the whole time, also, i havent had an offer to play with nude girls either. so it seems i managed to fix it my self... yay me!

i'll get the other stuff sorted in the morning, and let you know how i get on.

nn all

-G

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.