"System" process runs at 99% **Hijack This** log - Page 2

Zinferno · 04-15-2006, 08:09 AM

Here is the Kaspersky.. Doesn't look to good:

Kaspersky Anti-Virus database last update: 15/04/2006
Kaspersky Anti-Virus database records: 176833
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 81959
Number of viruses found: 1
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 2764 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP253\A0092152.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP254\A0092206.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP257\A0092276.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0092350.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP259\A0092416.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0092460.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0092661.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0093618.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP264\A0093640.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP267\A0093846.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP268\A0093919.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP269\A0093971.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270\A0094012.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP280\A0094507.dll Infected: Trojan.Win32.Dialer.pc
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP326\A0117007.dll Infected: Trojan.Win32.Dialer.pc

Scan process completed.

sUBs · 04-15-2006, 08:28 AM

The Kaspersky scan report looks okay. Those are merely items in System Restore's cache. It wont do any harm unless you manually perform a System Restore. You may clear the cache by doing so...

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

Tick on the checkbox - Turn off System Restore on all drives
Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

Quote:

The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Please tell me how long you have had McAfee & Panda. This error message pertains to McAfee. For the moment, I'm not ruling out the possibility of conflicts caused by the 2 antivirus programs.

For the moment, let's download this utility - Process Explorer
Launch the program by double-clicking procexp.exe
Take a peek at System & tell me which modules are causing the overruns.

Zinferno · 04-15-2006, 08:42 AM

Ok, I did the system restore off/on. Well, I'm unsure with McAfee, it came with our AOL subscription. I'm going to guess a few months with McAfee. Panda I had downloaded just a few days ago to try and figure out what was going on.

I'm in Process Explorer right now, and "System" is running between 50 and 65 % for the CPU. Deferred Procedure Calls are also taking up 20-50 % at any given time.

Hardware Interupts are running between 5 and 20% at any given time.

Also, I am concerned about a process called UAService.exe PID is 1724. This process has no description or company name. There is also a UAService7.exe, which is described as SECUrom from Sony DADC Austria AG.

Zinferno · 04-15-2006, 08:58 AM

Quote:

Originally Posted by sUBs

The Kaspersky scan report looks okay. Those are merely items in System Restore's cache. It wont do any harm unless you manually perform a System Restore. You may clear the cache by doing so...

How long do you think that has been there? About 5 days ago I tried system restore when things were bogging down. Could that Trojan have effected me then?

sUBs · 04-15-2006, 12:55 PM

Quote:

How long do you think that has been there? About 5 days ago I tried system restore when things were bogging down. Could that Trojan have effected me then?

The report doesn't list down any dates but judging by the numbers, I reckon it's been there for quite a while.

Quote:

concerned about a process called UAService.exe PID is 1724. This process has no description or company name. There is also a UAService7.exe, which is described as SECUrom from Sony DADC Austria AG.

These are processes belonging to the SecuROM User Access Service which is used to access disk images protected by SecureRom. It's a protective file most commonly used in game installations.

Quote:

"System" is running between 50 and 65 % for the CPU. Deferred Procedure Calls are also taking up 20-50 % at any given time.

Hardware Interupts are running between 5 and 20% at any given time.

This next bit is taken from the Help section for Process Explorer... I believe that these are symptoms of a failing hardware

Quote:

On Windows NT-based systems, Process Explorer shows two artificial processes: Interrupts and DPCs.

These processes reflect the amount of time the system spends servicing hardware interrupts and Deferred Procedure Calls (DPCs), respectively. High CPU consumption by these activities can indicate a hardware problem or device driver bug

Zinferno · 04-15-2006, 06:06 PM

Hardware as in the computer itself?

Should I just reformat my OS and harddrive and see if that fixes it?

sUBs · 04-15-2006, 07:14 PM

If it's a hardware issue, reformating may not help.

Here's what I suggest. Take note of all your add-on cards.
Then re-install the drivers for each of them. Hopefully, it's a driver issue & the problem goes away.

Zinferno · 04-16-2006, 12:20 PM

Sorry about the delay in posting back. What are add-on cards? And how can I find them?

Is there a diagnostic over the internet that can see what part of the PC itself is malfunctioning?

sUBs · 04-16-2006, 12:31 PM

Quote:

Sorry about the delay in posting back. What are add-on cards? And how can I find them?

Add-on cards are any PCI/ISA cards that you add on to the motherboard. They may be for sound, network, graphics, modem, additional usb ports , etc etc...

Quote:

Is there a diagnostic over the internet that can see what part of the PC itself is malfunctioning?

This question should be best answered by the guys at the hardware forum. Please start a thread there to enquire about it.

Please let me know how it turns out.

Regards,
sUBs

Zinferno · 04-16-2006, 04:39 PM

As of yet no reply on the Hardware board. But, I did restore BIOS settings to default, and that did nothing. I was looking through msconfig startup, and I found a startup item called mailskinner at C:\program files\mailskinner (unsure of the rest). I had looked this up before and had found that it was a Trojan. After I had deleted it, the pop ups on my computer stopped. Unsure of what to do about it.

sUBs · 04-16-2006, 05:04 PM

Sorry.. I wasn't aware that you were still having pop ups.

If you refer back to post #9, the BFU reported that MailSkinner wasn't present. I'm just wondering if you caught something new. Please post a fresh HJT log

Zinferno · 04-17-2006, 12:26 PM

No, I'm sorry.. I was referring to a previous experience of mine. I'm not having Pop-ups. But I did find mailskinner in startup and deleted it.

Thanks for all of your help though.

Zinferno · 04-17-2006, 12:59 PM

When I go to Startup under MSconfig sUBs, this is what it shows:

MailSkinner c:\program files\mailskinner\mailskinner.exe LOLA0023\Owner HKU\S-1-5-21-1930229694-2899428723-1229947496-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Unsure about whether its still active or not.

Here's a new Hijack This log just in case:

Logfile of HijackThis v1.99.1
Scan saved at 2:58:43 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Verizon Online\Support Center\bin\mpbtn.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ntvdm.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1145216565671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145216200703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

sUBs · 04-17-2006, 02:56 PM

I see what you mean now. You previously disabled it using msconfig & would like to get rid of that entry.

That's easy ... simply re-enable the entry from msconfig & then have hijackthis fix it.

O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe

It's an orphaned entry which reference a non existant file.

Zinferno · 04-17-2006, 09:39 PM

Hey sUBs, this is Zin again. Thanks again for the help. I just reformatted my entire system. Turns out it was a driver issue. Everything is working fine now. Could you please recommend a reliable virus program for everyday use that is free? Thanks again.

sUBs · 04-18-2006, 12:34 AM

Hi Zin,

I'm glad to hear that your driver issues are resolved. Here's a free antivirus program for ya.. AVG Antivirus

If you have time, have a look at these other security tips ..

SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

Zinferno · 04-18-2006, 12:15 PM

Alrighty sUBs. Thanks alot for the help and suggestions. Case Closed.

04-15-2006, 08:42 AM	#23 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	Ok, I did the system restore off/on. Well, I'm unsure with McAfee, it came with our AOL subscription. I'm going to guess a few months with McAfee. Panda I had downloaded just a few days ago to try and figure out what was going on. I'm in Process Explorer right now, and "System" is running between 50 and 65 % for the CPU. Deferred Procedure Calls are also taking up 20-50 % at any given time. Hardware Interupts are running between 5 and 20% at any given time. Also, I am concerned about a process called UAService.exe PID is 1724. This process has no description or company name. There is also a UAService7.exe, which is described as SECUrom from Sony DADC Austria AG. Last edited by Zinferno; 04-15-2006 at 08:43 AM.

04-15-2006, 06:06 PM	#26 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	Hardware as in the computer itself? Should I just reformat my OS and harddrive and see if that fixes it? Last edited by Zinferno; 04-15-2006 at 06:09 PM.

04-15-2006, 07:14 PM	#27 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,353 OS: N/A	If it's a hardware issue, reformating may not help. Here's what I suggest. Take note of all your add-on cards. Then re-install the drivers for each of them. Hopefully, it's a driver issue & the problem goes away. __________________ Question - what have you done for the community today?

04-16-2006, 05:04 PM	#31 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,353 OS: N/A	Sorry.. I wasn't aware that you were still having pop ups. If you refer back to post #9, the BFU reported that MailSkinner wasn't present. I'm just wondering if you caught something new. Please post a fresh HJT log __________________ Question - what have you done for the community today?

04-17-2006, 02:56 PM	#34 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,353 OS: N/A	I see what you mean now. You previously disabled it using msconfig & would like to get rid of that entry. That's easy ... simply re-enable the entry from msconfig & then have hijackthis fix it. O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe It's an orphaned entry which reference a non existant file. __________________ Question - what have you done for the community today?

04-15-2006, 08:09 AM	#21 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	Here is the Kaspersky.. Doesn't look to good: Kaspersky Anti-Virus database last update: 15/04/2006 Kaspersky Anti-Virus database records: 176833 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ H:\ I:\ J:\ K:\ Scan Statistics: Total number of scanned objects: 81959 Number of viruses found: 1 Number of infected objects: 15 Number of suspicious objects: 0 Duration of the scan process: 2764 sec Infected Object Name - Virus Name C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP253\A0092152.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP254\A0092206.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP257\A0092276.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP258\A0092350.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP259\A0092416.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP260\A0092460.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP262\A0092661.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP263\A0093618.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP264\A0093640.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP267\A0093846.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP268\A0093919.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP269\A0093971.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270\A0094012.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP280\A0094507.dll Infected: Trojan.Win32.Dialer.pc C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP326\A0117007.dll Infected: Trojan.Win32.Dialer.pc Scan process completed.

04-16-2006, 12:20 PM	#28 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	Sorry about the delay in posting back. What are add-on cards? And how can I find them? Is there a diagnostic over the internet that can see what part of the PC itself is malfunctioning?

04-16-2006, 04:39 PM	#30 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	As of yet no reply on the Hardware board. But, I did restore BIOS settings to default, and that did nothing. I was looking through msconfig startup, and I found a startup item called mailskinner at C:\program files\mailskinner (unsure of the rest). I had looked this up before and had found that it was a Trojan. After I had deleted it, the pop ups on my computer stopped. Unsure of what to do about it.

04-17-2006, 12:26 PM	#32 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	No, I'm sorry.. I was referring to a previous experience of mine. I'm not having Pop-ups. But I did find mailskinner in startup and deleted it. Thanks for all of your help though.

04-17-2006, 12:59 PM	#33 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	When I go to Startup under MSconfig sUBs, this is what it shows: MailSkinner c:\program files\mailskinner\mailskinner.exe LOLA0023\Owner HKU\S-1-5-21-1930229694-2899428723-1229947496-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Unsure about whether its still active or not. Here's a new Hijack This log just in case: Logfile of HijackThis v1.99.1 Scan saved at 2:58:43 PM, on 4/17/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\zHotkey.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\WINDOWS\ALCWZRD.EXE C:\Program Files\BigFix\BigFix.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Verizon Online\Support Center\bin\mpbtn.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\UAService.exe C:\WINDOWS\system32\UAService7.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ntvdm.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\Program Files\AOL Companion\companion.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer powered by Verizon Broadband R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O4 - Global Startup: Broadband Support Center.lnk = C:\Program Files\Verizon Online\Support Center\bin\matcli.exe O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1145216565671 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145216200703 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

04-17-2006, 09:39 PM	#35 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	Hey sUBs, this is Zin again. Thanks again for the help. I just reformatted my entire system. Turns out it was a driver issue. Everything is working fine now. Could you please recommend a reliable virus program for everyday use that is free? Thanks again.

04-18-2006, 12:34 AM	#36 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,353 OS: N/A	Hi Zin, I'm glad to hear that your driver issues are resolved. Here's a free antivirus program for ya.. AVG Antivirus If you have time, have a look at these other security tips .. SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here. Microsoft Windows Update Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

04-18-2006, 12:15 PM	#37 (permalink)
Zinferno Registered User Join Date: Apr 2006 Posts: 32 OS: XP service pack 2	Alrighty sUBs. Thanks alot for the help and suggestions. Case Closed.