MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: Possible Malware, HJT Log provided, please help
Wannabe
« on: March 23, 2005, 05:46:29 PM »

OS Version: Windows XP Home Edition

I noticed my computer started running slowly all of a sudden. I opened the Task Manager and saw that explorer was bouncing back and forth between 0 and 99 system usage. At first I tried running Spybot, Ad-Aware, and AVG Free, all with the newest updates. They found nothing. I checked the Task Manager again and noticed an unfamiliar program. The program that appeared was UAService7. I did a search and saw that it was in the system32 folder, so I decided to do a HJT log and ask you guys for your opinion/assistance. Thank you in advance. Here's the log.


Logfile of HijackThis v1.99.1
Scan saved at 12:38:12 PM, on 3/23/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe



« Last Edit: March 23, 2005, 07:40:36 PM by Wannabe »
redaxe
« Reply #1 on: March 23, 2005, 11:46:14 PM »

From what I can determine, UAService7 is a SecuROM program. Its full name is SecuROM User Access Service (V7).
I have the feeling that it's down to user preference, whether it should start or not.

Did you install anything prior to noticing its appearance?

The only entry I see a reason to remove is:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Apart from that the log looks clean.

Just to be on the safe side, fire up Internet Explorer (I know it sounds daft) and head over to Panda Activescan and let that engine scan your PC.

Make a point of noting down anything that it can't clean/disinfect.

To stop UAService7.exe from ever stopping again, do the following:

Click Start -> Run and at the prompt type services.msc and then click OK.

Scroll down the list until you come across this service: SecuROM User Access Service (V7)
Double click it and click the STOP button. Then from the dropdown menu above the button, select Disabled.

Good luck :)

Wannabe
« Reply #2 on: March 24, 2005, 04:06:08 PM »

It may just be my paranoia, but it's something I've never seen before and I've had this computer for at least two years now. I went ahead and stopped the UAService7 since I just don't know what it is and I've never seen it before. I also got rid of the qttask from the HJT log. The Panda ActiveScan is working right now, about halfway done scanning. I'll post up again when it's finished saying what, if anything, it couldn't take care of and also I'll do a new HJT log.

Thanks for your help redaxe.
Wannabe
« Reply #3 on: March 24, 2005, 04:10:03 PM »

Sorry, I forgot to answer your question.

I don't think I installed anything before it seemed to have appeared.
redaxe
« Reply #4 on: March 24, 2005, 04:10:04 PM »

If you want to get rid of the service in question, try searching for it in Add/Remove Programs. Uninstall it from there.

Just remember that it may possibly have an effect on some software you have installed. But let's just cross that bridge when we come to it :)

Wannabe
« Reply #5 on: March 24, 2005, 04:13:18 PM »

The thing is, it isn't in the Add/Remove Programs list. I checked there when I saw it running and didn't know what it was. I just checked again to make sure and it definitely wasn't in there.
redaxe
« Reply #6 on: March 24, 2005, 04:26:35 PM »

Ok, to get rid of it for good, do the following:

Click Start->Run and type services.msc like before.
Make sure the service has been disabled.

Then fire up HJT again, but instead of running a scan, click a button in the bottom right corner of the HJT pane that says Config.
Then click the Misc Tools button at the top and then the Delete an NT service button on the left.

In the box that pops up, enter UserAccess7 and click OK

See how HJT reacts to that command and report back :)

Wannabe
« Reply #7 on: March 24, 2005, 04:34:57 PM »

I restarted my computer after the Panda ActiveScan and the UserAccess7 started up again. I disabled it again and then went into the HJT to delete it and it tells me it's still enabled or running and I must disable it first. When I go back to the services.msc it says it is disabled.


The Panda ActiveScan found three things, none of which it got rid of. Here's the log from that:


Incident                  Status           Location
Adware:Adware/SaveNow     No disinfected   Windows Registry
Adware:Adware/Minibug.A   No disinfected   C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Adware:Adware/nCase       No disinfected   C:\WINDOWS\Downloaded Program Files\ZangoLib.dll
redaxe
« Reply #8 on: March 24, 2005, 05:11:20 PM »

Post a new log now.
This has gone beyond annoying :-X

Wannabe
« Reply #9 on: March 24, 2005, 05:41:40 PM »

You're telling me. Here's the log.


Logfile of HijackThis v1.99.1
Scan saved at 12:38:13 PM, on 3/24/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

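The two logs in this thread differ in exactly the ways the posts discuss, and redaxe's reading of the first one in Reply #1 (clean apart from QuickTime, plus one O23 service reported with no vendor) is the kind of check that is easy to script. The following Python is an added example, not code from the original thread or from HijackThis: it parses an HJT log into its process list and O-numbered entries, flags O23 services that HJT reports as "Unknown owner" (HJT's wording when the image file has no company name in its version resource), and diffs two scans. LOG_BEFORE and LOG_AFTER are trimmed excerpts of the two logs posted above; the triage rules, the reason strings and the diff layout are the example's own.

```python
"""Triage and diff HijackThis (HJT) logs: parse the process list and the
O-numbered entries, flag O23 services worth a second look, and report what
changed between two scans of the same machine."""
import re

# Trimmed excerpts of the two logs posted in this thread (scans of 3/23/2005
# and 3/24/2005), kept to the lines needed for the demonstration.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Xfire\Xfire.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23 layout: Service: <display name> (<service name>) - <owner> - <image path>
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


def parse_hjt(text):
    """Return {"processes": [...], "entries": {"O4": [...], "O23": [...], ...}}."""
    log = {"processes": [], "entries": {}}
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            log["processes"].append(line)
        elif in_processes:
            in_processes = False  # a blank line ends the process list
        else:
            m = ENTRY_RE.match(line)
            if m:
                log["entries"].setdefault(m.group(1), []).append(m.group(2))
    return log


def parse_service(entry):
    """Break an O23 entry into display name, service name, owner and image path."""
    m = SERVICE_RE.match(entry)
    return m.groupdict() if m else None


def triage_services(log):
    """Return [(service name, [reasons])] for O23 services needing a closer look.

    "Unknown owner" is a reason to investigate, not proof of malware. Such a
    file in System32 gets a second note because it blends in with OS binaries,
    which is where the SecuROM service in this thread lives."""
    findings = []
    for entry in log["entries"].get("O23", []):
        svc = parse_service(entry)
        if svc is None or svc["owner"].lower() != "unknown owner":
            continue
        reasons = ["image has no company name in its version info"]
        if "\\system32\\" in svc["path"].lower():
            reasons.append("unattributed image is stored in System32")
        findings.append((svc["name"], reasons))
    return findings


def diff_logs(before, after):
    """Report processes and entries that appeared or disappeared between scans."""
    def flat(log):
        return {f"{sec} - {e}" for sec, lst in log["entries"].items() for e in lst}
    pb, pa = set(before["processes"]), set(after["processes"])
    eb, ea = flat(before), flat(after)
    return {
        "processes_added": sorted(pa - pb),
        "processes_removed": sorted(pb - pa),
        "entries_added": sorted(ea - eb),
        "entries_removed": sorted(eb - ea),
    }


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    print("services to check:", triage_services(before))
    print("changes between scans:", diff_logs(before, after))
```

Run stand-alone it reports one service to check (UserAccess7) and four changes between the scans: UAService7.exe gone from the process list, the QuickTime O4 entry gone, Xfire now running, and a new O16 DPF entry for the Panda ActiveScan ActiveX installer that Reply #1 asked for. That last item is why keeping a baseline and diffing against it pays off: it lets you tell an entry you caused yourself from one you did not. The "Unknown owner" flag is a prompt to examine the file, not a verdict; this thread identifies the flagged service as SecuROM's User Access Service, and the Panda scan did not report it.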
redaxe
« Reply #10 on: March 24, 2005, 08:28:16 PM »

Go back to the services.msc console and double click that annoying service. Click the STOP button, if available.

If it isn't, try ending the task in Task Manager. (Right click your taskbar and select the Task Manager from there).

Then locate the file in C:\Windows\System32\ and delete the damn thing manually.
If you can't do it, then try letting HJT set it up to be deleted on the next boot.

This is how to do it:

Start up HJT, don't bother with a scan.
In the bottom right corner there's the Config button, click it, and then click the Misc Tools button in the following pane.

In there, click a button that's marked Delete a file on reboot.
Navigate your way to that offending file and select and click open. That way HJT prompts Windows to get rid of the file on your next reboot.

Then post back and tell me how you did.
Good luck :)

Wannabe
« Reply #11 on: March 24, 2005, 09:28:42 PM »

I stopped it in the services.msc console again and then went to the system32 folder and deleted it. That seemed to work, but I haven't done a reboot yet.
redaxe
« Reply #12 on: March 24, 2005, 10:55:38 PM »

Now reboot and see if it works.
We need to get rid of this damn pest 8)

Wannabe
« Reply #13 on: March 25, 2005, 02:33:31 PM »

It is gone now as far as I can tell. It's still on the services list, but it's not active there.

When I did a search on my C:\ for UAService it didn't come up, but it did show this file:

UASERVICE7.EXE-1C95D616.pf in the folder C:\WINDOWS\Prefetch
« Last Edit: March 25, 2005, 02:37:30 PM by Wannabe »
redaxe
« Reply #14 on: March 25, 2005, 03:10:52 PM »

Now what is the current status of the UAService in services.msc?
If it's disabled, try using HJT again to get rid of it from the service list.
