GTHK Posted March 3, 2008

I'm normally not one to ask for help, really because I know what the hell I'm doing. I think one of my first posts was just informative about an issue I had related to an AV, but I didn't make a troubleshooting topic like I was told to (I think by Firon), and soon after fixed my own problem, which is what I do.

Now my grandma's computer, on the other hand, which didn't have anti-virus till I put something on it, and is used by my Myspace and AIM loving cousin, has some real trouble. One thing I did was bring drives from both computers home, connect them externally, scan them, find and remove some crap, and do a little internal housekeeping. Both computers ran a lot faster right after that. Still, the built-by-one-of-my-relatives machine is having issues, and I REALLY HATE THAT COMPUTER NOW. I think it's malware, because pctools.com failed to load on that machine (first sponsored Google result after running a search for HijackThis).

But I digress. If someone could direct me to a good site to search for information, the information I need, or point out something I should look into, it would be helpful. Just before I left I ran HijackThis and saved the file to one of my USB drives; maybe someone will recognize something. Also, Spybot S&D is detecting 3 registry entries for something called "Command Service"; from what I read in the immediate Google results it appears to be both malware and anti-malware related, and was said to be a false positive in some cases that was fixed, but those posts are 2005-2006.

Just to note in case someone looks at this for me, I'll be removing the resident spyware scanners I tried as I slowly grew tired with the system. Also, avast's "Standard" and "E-mail" shields are the only shields running, no P2P an' stuff.
I believe a few things were reported from that scanner.

----------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:45 PM, on 3/2/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\oodtray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\lxbxcoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {52750014-98F1-9A06-F613-E81C84EEEBCE} - C:\WINDOWS\System32\qjmxfl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ipWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\System32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXBXCATS] rundll32 øT÷wÿÿÿÿõw!çw\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [sBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [okru] C:\PROGRA~1\COMMON~1\okru\okrum.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Dctu] "C:\PROGRA~1\ICROSO~1\lsass.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nav] C:\Program Files\s?curity\?serinit.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150061746388
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbxcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Windows XP-SP2 FW (REMWIN) - Unknown owner - C:\WINDOWS\logonw.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 4955 bytes
----------------------------------------------------------------------------------------

Things that jump out at me are "O4 - HKLM\..\Run: [LXBXCATS] rundll32 øT÷wÿÿÿÿõw!çw\3\LXBXtime.dll,_RunDLLEntry@16" (that may be new, as I only recently started getting an error about it being missing or something; the name is similar to the Lexmark printer/scanner/faxer software), "tclock_install.exe" (CounterSpy mentioned tclock), and maybe okrum.exe? And obvious loose ends like the missing Yahoo toolbar.

If someone helps out, thanks in advance. I know it's not related to µTorrent, other than me using the WebUI on that computer, which I don't trust anymore.
jewelisheaven Posted March 3, 2008

Yeah, all look injected. To avoid rebooting, try killing handles with Process Explorer for:

O4 - HKUS\S-1-5-18\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [okru] C:\PROGRA~1\COMMON~1\okru\okrum.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Dctu] "C:\PROGRA~1\ICROSO~1\lsass.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nav] C:\Program Files\s?curity\?serinit.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

Additionally, if you didn't notice, C:\WINDOWS\System32\lxbxcoms.exe <--- same prefix for that garbage entry.

Suspect services:

O23 - Service: Windows XP-SP2 FW (REMWIN) - Unknown owner - C:\WINDOWS\logonw.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

I'd also be wary of your REAL Lexmark printer drivers, since they appear to be the source of the spoofed filenames.
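The triage heuristics jewelisheaven applies above (Run keys living under the SYSTEM or Default profile, core Windows binary names such as lsass.exe outside system32, substituted characters in a path like s?curity\?serinit.exe, and vendorless or dangling services registered straight out of \WINDOWS) written out as a small HijackThis log checker. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the heuristics and thresholds are my own.

```python
import re
# Constructed sample: O4 (autorun) and O23 (service) lines copied from the
# HijackThis log posted in this thread, plus two known-good avast! entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [okru] C:\PROGRA~1\COMMON~1\okru\okrum.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Dctu] "C:\PROGRA~1\ICROSO~1\lsass.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nav] C:\Program Files\s?curity\?serinit.exe (User 'SYSTEM')
O23 - Service: Windows XP-SP2 FW (REMWIN) - Unknown owner - C:\WINDOWS\logonw.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""
# Core Windows binaries that legitimately live only under %SystemRoot%\system32.
SYSTEM_BINARIES = {"lsass.exe", "userinit.exe", "winlogon.exe", "smss.exe", "services.exe", "svchost.exe"}
# Run keys under the SYSTEM (S-1-5-18) or Default profile: user software has no business there.
SYSTEM_PROFILE = re.compile(r"^HKUS\\(S-1-5-18|\.DEFAULT)\\", re.IGNORECASE)
# First quoted or unquoted token ending in .exe/.dll/.ocx on a Run-key command line.
PATH_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)

def flag_autorun(hive, cmd):
    reasons = []
    if SYSTEM_PROFILE.match(hive):
        reasons.append("run key under the SYSTEM/Default profile")
    m = PATH_RE.search(cmd)
    path = m.group(1) if m else cmd
    base = path.rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
        reasons.append(f"{base} outside system32 (name spoofing)")
    if any(ord(c) > 127 or c == "?" for c in path):  # e.g. s?curity\?serinit.exe
        reasons.append("substituted/non-ASCII characters in path")
    return reasons

def flag_service(owner, path):
    reasons = []
    if "(file missing)" in path:
        reasons.append("service binary missing (dangling registration)")
    low = path.lower()
    if owner.lower() == "unknown owner" and "\\windows\\" in low and "\\system32\\" not in low:
        reasons.append("no vendor name and binary placed directly in \\WINDOWS")
    return reasons

def triage(log_text):
    # Returns {HijackThis line: [reasons]} for every O4/O23 entry that trips a heuristic.
    findings = {}
    for line in log_text.splitlines():
        if line.startswith("O4 - "):
            hive, _, rest = line[5:].partition(": [")
            reasons = flag_autorun(hive, rest.partition("] ")[2])
        elif line.startswith("O23 - Service: "):
            _, owner, path = line[15:].rsplit(" - ", 2)
            reasons = flag_service(owner, path)
        else:
            continue
        if reasons:
            findings[line] = reasons
    return findings
```

Run against the sample, the two avast! entries pass clean and the four entries jewelisheaven singled out are the ones reported, each with the reason that tripped.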
GTHK Posted March 3, 2008

Thanks jewelisheaven, I've found you to be one of the more helpful members of the site. The computer is running better now, but it looks like it also has some hardware issues; I hate helping a family member by fixing up a computer made by another family member. On the plus side, I'm getting a widescreen DVI LCD monitor.
jewelisheaven Posted March 4, 2008

I must correct myself: TClock by itself isn't bad, and I was even scolded by someone I respect for targeting it as bad-ware. This person uses it as a pseudo-WoW-HUD-like display of the date/time as a widget on his desktop.

The others however... especially the Run and RunOnce keys under SYSTEM appear to be injected mal/bad-ware... I always find things suspect in \system32 and ESPECIALLY \windows when hooked as services. Since it's stuck itself in there.. I'd be sure you run something thorough like RootkitRevealer, Prevx and Spybot S&D in safe mode after updating your antivirus defs.... after removing all the injected Run keys. After you clean it in safe mode nothing should be left, but it's still a good idea to run them again in normal mode.
This topic is now archived and is closed to further replies.