No further luck with TDS3, but finally here are my Hijack results:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 23:19:22, on 21/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\system32\mcsv.com
C:\a disk\h\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 www.mcafee.com
O1 - Hosts: 212.58.240.33 www.viruslist.com
O1 - Hosts: 212.58.240.33 www.f-secure.com
O1 - Hosts: 212.58.240.33 www.avp.com
O1 - Hosts: 212.58.240.33 www.kaspersky.com
O1 - Hosts: 212.58.240.33 www.networkassociates.com
O1 - Hosts: 212.58.240.33 www.ca.com
O1 - Hosts: 212.58.240.33 www.my-etrust.com
O1 - Hosts: 212.58.240.33 www.nai.com
O1 - Hosts: 212.58.240.33 www.trendmicro.com
O1 - Hosts: 212.58.240.33 www.grisoft.com
O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
O1 - Hosts: 212.58.240.33 symantec.com
O1 - Hosts: 212.58.240.33 sophos.com
O1 - Hosts: 212.58.240.33 mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
O1 - Hosts: 212.58.240.33 viruslist.com
O1 - Hosts: 212.58.240.33 f-secure.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 212.58.240.33 kaspersky-labs.com
O1 - Hosts: 212.58.240.33 avp.com
O1 - Hosts: 212.58.240.33 networkassociates.com
O1 - Hosts: 212.58.240.33 ca.com
O1 - Hosts: 212.58.240.33 mast.mcafee.com
O1 - Hosts: 212.58.240.33 my-etrust.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
O1 - Hosts: 212.58.240.33 secure.nai.com
O1 - Hosts: 212.58.240.33 nai.com
O1 - Hosts: 212.58.240.33 update.symantec.com
O1 - Hosts: 212.58.240.33 updates.symantec.com
O1 - Hosts: 212.58.240.33 us.mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 212.58.240.33 customer.symantec.com
O1 - Hosts: 212.58.240.33 rads.mcafee.com
O1 - Hosts: 212.58.240.33 trendmicro.com
O1 - Hosts: 212.58.240.33 grisoft.com
O1 - Hosts: 212.58.240.33 sandbox.norman.no
O1 - Hosts: 212.58.240.33 www.pandasoftware.com
O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll (file missing)
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKLM\..\Run: [4LKS8AD2A8SRDC] C:\WINDOWS\System32\Rcj6KrN.exe
O4 - HKLM\..\Run: [xa] C:\documents and settings\denise nettleton\local settings\temp\xa.exe
O4 - HKLM\..\Run: [WZERGhd] C:\documents and settings\denise nettleton\local settings\temp\WZERGhd.exe
O4 - HKLM\..\Run: [uldEto] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\uldEto.exe
O4 - HKLM\..\Run: [pmzrlhwwxliai] C:\WINDOWS\System32\oiidofkx.exe
O4 - HKLM\..\Run: [nCN] C:\documents and settings\denise nettleton\local settings\temp\nCN.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [jrsTL] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\jrsTL.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [8n4v] C:\documents and settings\denise nettleton\local settings\temp\8n4v.exe
O4 - HKLM\..\Run: [6H] C:\documents and settings\hayley nettleton.denise-xixop29g.000\local settings\temp\6H.exe
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {C9147000-17E4-41E8-9089-A2A67DBCA22D} (IEUpdateOSR2 Control with Key) - https://client.virgin.net/assets/update.cab
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
End of KRC HijackThis Analyzer Log.
=================
Nice long list of host redirections and lots of other suspicious stuff? Hope to hear from you soon with further instructions.
Thanks a lot.