
Good site to ask for general PC help related to spyware? Or help?


GTHK


I'm normally not one to ask for help, really because I know what the hell I'm doing. I think one of my first posts was just informative about an issue I had related to an AV, but I didn't make a troubleshooting topic like I was told to (I think by Firon), and soon after fixed my own problem, which is what I do :).

Now my grandma's computers, on the other hand, which didn't have anti-virus till I put something on them, and are used by my Myspace- and AIM-loving cousin, have some real trouble. One thing I did was bring the drives from both computers home, connect them externally, scan them, find and remove some crap, and do a little internal housekeeping. Both computers ran a lot faster right after that. Still, the machine built by one of my relatives is having issues, and I REALLY HATE THAT COMPUTER NOW. I think it's malware, because pctools.com failed to load on that machine (first sponsored Google result after running a search for HijackThis).

But I digress; if someone could direct me to a good site to search for information, the information I need, or point out something I should look into, it would be helpful. Just before I left I ran HijackThis and saved the log to one of my USB drives; maybe someone will recognize something. Also, Spybot S&D is detecting 3 registry entries for something called "Command Service"; from what I read in the immediate Google results it appears to be both malware- and anti-malware-related, and was said to be a false positive in some cases that was fixed, but those posts are from 2005-2006.

Just to note, in case someone looks at this for me: I'll be removing the resident spyware scanners I tried as I slowly grew tired of the system. Also, avast's "Standard" and "E-mail" shields are the only shields running, no P2P an' stuff. I believe a few things were reported from that scanner.

----------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:45 PM, on 3/2/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\oodtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\lxbxcoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {52750014-98F1-9A06-F613-E81C84EEEBCE} - C:\WINDOWS\System32\qjmxfl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ipWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\System32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 øT÷wÿÿÿÿõw!çw\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [sBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [okru] C:\PROGRA~1\COMMON~1\okru\okrum.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Dctu] "C:\PROGRA~1\ICROSO~1\lsass.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nav] C:\Program Files\s?curity\?serinit.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150061746388
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbxcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Windows XP-SP2 FW (REMWIN) - Unknown owner - C:\WINDOWS\logonw.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 4955 bytes

----------------------------------------------------------------------------------------

Things that jump out at me are "O4 - HKLM\..\Run: [LXBXCATS] rundll32 øT÷wÿÿÿÿõw!çw\3\LXBXtime.dll,_RunDLLEntry@16" (that may be new, as I only recently started getting an error about it being missing or something; the name is similar to the Lexmark printer/scanner/fax software), "tclock_install.exe" (CounterSpy mentioned TClock), and maybe okrum.exe? And obvious loose ends like the missing Yahoo toolbar.

If someone helps out, thanks in advance. I know it's not related to µTorrent, other than me using the WebUI on that computer, which I don't trust anymore :D.


Yea, they all look injected. To avoid rebooting, try killing handles with Process Explorer for:

O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [okru] C:\PROGRA~1\COMMON~1\okru\okrum.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Dctu] "C:\PROGRA~1\ICROSO~1\lsass.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nav] C:\Program Files\s?curity\?serinit.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

Additionally, if you didn't notice: C:\WINDOWS\System32\lxbxcoms.exe <--- same prefix as that garbage entry.

Suspect services:

O23 - Service: Windows XP-SP2 FW (REMWIN) - Unknown owner - C:\WINDOWS\logonw.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

I'd also be wary of your REAL Lexmark printer drivers, since they appear to be the source of the spoofed filenames.

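The reply above triages the log by eye: Run keys living under the SYSTEM hive, a Windows binary name (lsass.exe) running from the wrong folder, a folder name that HijackThis printed with "?" because it contains a non-ANSI look-alike character, and a service with no vendor whose binary sits in the Windows root and is missing. The script below is an added example written for this thread; it is not HijackThis code and not anything the posters ran. It encodes those same heuristics against HijackThis-style O4 and O23 lines. The sample log inside it is constructed from the first post's log, the `SYSTEM_BINARIES` list and `triage`/`check_*` function names are this example's own assumptions, and the rules are deliberately narrow so that the ATI and TClock entries (which the thread decides are benign) are not flagged.

```python
"""Triage helper for HijackThis-style O4 (Run keys) and O23 (service) lines.

Added example for this thread; not HijackThis code and not a tool the posters used.
Heuristics follow the reply above: autoruns under the SYSTEM hive, Windows binary
names running from the wrong directory, '?' in a path (HijackThis prints non-ANSI
characters that way, so 's?curity' is a look-alike folder), and services with a
missing file, no vendor in the \\WINDOWS root, or a "Windows ..." name and no vendor.
"""
from __future__ import annotations

import ntpath
import re

# Assumption: names malware borrows; genuine copies live only in these directories.
SYSTEM_BINARIES = {"lsass.exe", "userinit.exe", "svchost.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?: \((?P<note>file missing)\))?$")


def exe_from_command(cmd: str) -> str:
    """Pull the program path out of a Run value: quoted, unquoted with spaces, or with args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat))(?:\s|,|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(m: re.Match) -> list[str]:
    findings = []
    exe = exe_from_command(m["cmd"])
    base = ntpath.basename(exe).lower()
    folder = ntpath.dirname(exe).lower()
    if "?" in exe:
        findings.append("path contains '?', i.e. a non-ANSI look-alike character")
    if base in SYSTEM_BINARIES and folder and folder not in SYSTEM_DIRS:
        findings.append(f"{base} is a Windows system binary but runs from {ntpath.dirname(exe)}")
    if m["hive"].upper().startswith(r"HKUS\S-1-5-18") or m["user"] == "SYSTEM":
        findings.append("autorun under the SYSTEM account (HKUS\\S-1-5-18)")
    return findings


def check_service(m: re.Match) -> list[str]:
    findings = []
    folder = ntpath.dirname(m["path"]).lower()
    unknown = m["owner"] == "Unknown owner"
    if m["note"] == "file missing":
        findings.append("service binary is missing from disk")
    if unknown and folder == r"c:\windows":
        findings.append("no vendor and binary sits directly in the Windows directory")
    if unknown and m["display"].lower().startswith("windows "):
        findings.append("claims to be a Windows component but carries no vendor name")
    return findings


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each O4/O23 line to its findings; lines with nothing suspicious are omitted."""
    results: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            findings = check_run_entry(m)
        elif m := O23_RE.match(line):
            findings = check_service(m)
        else:
            continue
        if findings:
            results[line] = findings
    return results


# Constructed sample modelled on the log in the first post; odd entries copied as printed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [okru] C:\PROGRA~1\COMMON~1\okru\okrum.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Dctu] "C:\PROGRA~1\ICROSO~1\lsass.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nav] C:\Program Files\s?curity\?serinit.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'Default user')
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Windows XP-SP2 FW (REMWIN) - Unknown owner - C:\WINDOWS\logonw.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

Run it on a saved hijackthis.log by passing the file contents to `triage()`; it is a filter for what to look at first, not a verdict, and a clean result says nothing about rootkits, which is why the later reply still asks for a safe-mode scan.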

Thanks jewelisheaven, I've found you to be one of the more helpful members of the site :).

The computer is running better now, but it looks like it also has some hardware issues; I hate helping a family member by fixing up a computer made by another family member -_-. On the plus side, I'm getting a widescreen DVI LCD monitor :D.


I must correct myself: TClock by itself isn't bad. And I was even scolded by someone I respect for targeting it as bad-ware. This person uses it as a pseudo-WoW-HUD-like display of the date/time as a widget on his desktop.

The others, however... especially the Run and RunOnce keys under SYSTEM appear to be injected mal/bad-ware... I always find things suspect in \system32 and ESPECIALLY \windows when hooked as services. Since it's stuck itself in there, I'd be sure you run something thorough like RootkitRevealer, Prevx and Spybot S&D in safe mode after updating your antivirus defs... after removing all the injected Run keys. After you clean it in safe mode nothing should be left, but it's still a good idea to run them again in normal mode :D
