1) Periodic pop-up windows advising that the PC was infected and that RegCure Registry Cleaner should be downloaded and run immediately.
2) When running Firefox 3, occasionally MANY windows would suddenly open, crashing Firefox.
The PC belongs to my son who is 1200 miles away at college in Georgia, and is fairly clueless about computers. Thus, I'm trying to fight this remotely, since his college Tech Support department doesn't even KNOW what HijackThis is.
The machine has been running in SAFE MODE for a week now. It crashes every 20 or 30 minutes. Attached is the most recent HijackThis Logfile (15 Feb). I note that the line
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll dgjlsf.dll zdlbbh.dll doykxb.dll hcnubw.dll bxnjzt.dll tpsqfv.dll efduyh.dll
is significantly different from the same line on 11 Feb, which was
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll
Obviously something is still maliciously at work.
Here is the 15Feb HijackThis Log:
---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:47 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0070119
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk- rel&channel=us&ibd=0070119
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Fjaje] rundll32.exe "C:\WINDOWS\Pzoqacolalocup.dll",e
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [f0c95485] rundll32.exe "C:\WINDOWS\system32\ttbtqfaa.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A00FB8874.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00FB8874.exe
O4 - HKCU\..\Run: [A00F3157B6.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F3157B6.exe
O4 - HKCU\..\Run: [A00F13A35.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F13A35.exe
O4 - HKCU\..\Run: [A00F1E522F2.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F1E522F2.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [A00F2D18E.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F2D18E.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\CHRIST~1\LOCALS~1Temp\csrssc.exe
O4 - HKCU\..\Run: [A00F3FB39.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F3FB39.exe
O4 - HKCU\..\Run: [A00FB7346.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00FB7346.exe
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun
O4 - HKCU\..\Run: [zf4tdlcuqk5ypnkpwd6t0bxwuu4tuqlya4p] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\lp2iybg423lc.exe
O4 - HKCU\..\Run: [lnfvom20y715047wd53gev] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\i51vuf15w3.exe
O4 - HKCU\..\Run: [eabr6r1xeizuv] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\jcb7gsuxcf.exe
O4 - HKCU\..\Run: [rptlf8rn24wno77d] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\ok0qqy4gsd8kd.exe
O4 - HKCU\..\Run: [jlv9h4omuypwq0fx] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\hjm6aa6o6ycaz.exe
O4 - HKCU\..\Run: [md1yzoo66smyckslk9r3b6jfk0gc4e5eyitd5dc] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\vhptmyfb.exe
O4 - HKCU\..\Run: [no99o4ajbjqx5bjua8i2cqb9s9rebphkhf8w7g0b9h] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\j55lvfnrhlu.exe
O4 - HKCU\..\Run: [jtpyl6gzs63bffscoweei7x1vfylok] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\opxxbv0i7.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9806339054
O18 - Filter hijack: text/html - {f6342a51-db95-4fe5-9872-477cc0cbf986} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll dgjlsf.dll zdlbbh.dll doykxb.dll hcnubw.dll bxnjzt.dll tpsqfv.dll efduyh.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 7698 bytes
------------------------------------------
Many Thanks,
Dr. Ralph S Jameson
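As an added example (editor's code, not part of Dr. Jameson's post and not something HijackThis does itself), the script below applies a few mechanical triage rules to lines of a HijackThis log and diffs two AppInit_DLLs lines the way the post does by eye. The sample input is an abridged copy of the 15 Feb log entries above plus the quoted 11 Feb O20 line; the rules (Run entries launched from the user's Temp directory, extra executables chained after userinit.exe, DisableRegedit=1, an orphaned O18 filter, bare filenames in AppInit_DLLs, any O22 entry) are heuristics chosen for this example, not an official HijackThis verdict, and the function names are my own.

```python
import re
from typing import Dict, List

# Sample input: lines copied from the 15 Feb HijackThis log in the post above,
# abridged to the entries the triage rules below act on.
LOG_15FEB = r"""Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\CHRIST~1\LOCALS~1Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O18 - Filter hijack: text/html - {f6342a51-db95-4fe5-9872-477cc0cbf986} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll dgjlsf.dll zdlbbh.dll doykxb.dll hcnubw.dll bxnjzt.dll tpsqfv.dll efduyh.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll
"""

# The 11 Feb AppInit_DLLs line the poster quotes for comparison.
APPINIT_11FEB = r"O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll"

# Matches a path into the user's Temp directory. The optional backslash tolerates
# the "LOCALS~1Temp" spelling that appears verbatim in the posted log.
TEMP_RE = re.compile(r"LOCALS~1\\?Temp\\|\\Temp\\", re.IGNORECASE)


def appinit_dlls(line: str) -> List[str]:
    """Return the whitespace-separated entries of an O20 AppInit_DLLs line."""
    _, _, value = line.partition("AppInit_DLLs:")
    return value.split()


def appinit_delta(old_line: str, new_line: str) -> List[str]:
    """DLLs present in the newer AppInit_DLLs line but absent from the older one."""
    old = set(appinit_dlls(old_line))
    return [d for d in appinit_dlls(new_line) if d not in old]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply heuristic indicator rules to HijackThis log lines; return findings."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        sec, _, rest = line.partition(" - ")
        reason = None
        if sec == "F2" and "UserInit=" in rest:
            # Winlogon runs every comma-separated program here; only userinit.exe is expected.
            exes = [p for p in rest.split("UserInit=", 1)[1].split(",") if p]
            if len(exes) > 1:
                reason = "extra executable chained after userinit.exe: " + ", ".join(exes[1:])
        elif sec == "O4" and TEMP_RE.search(rest):
            reason = "autorun launched from the user's Temp directory"
        elif sec == "O7" and "DisableRegedit=1" in rest:
            reason = "Registry Editor disabled by policy"
        elif sec == "O18" and rest.endswith("(no file)"):
            reason = "orphaned MIME filter hijack (registered DLL is missing)"
        elif sec == "O20":
            # Legitimate AppInit_DLLs entries are normally full paths; bare names
            # are resolved through the DLL search path and deserve a look.
            bare = [d for d in appinit_dlls(rest) if "\\" not in d]
            if bare:
                reason = "AppInit_DLLs entries given as bare filenames: " + " ".join(bare)
        elif sec == "O22":
            reason = "SharedTaskScheduler entry; verify the DLL is legitimate"
        if reason:
            findings.append({"section": sec, "line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(LOG_15FEB):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    new_o20 = next(l for l in LOG_15FEB.splitlines() if l.startswith("O20"))
    print("AppInit_DLLs added since 11 Feb:", " ".join(appinit_delta(APPINIT_11FEB, new_o20)))
```

Run against the full log, the O4 rule alone would list every `_A00F….exe` and random-named Temp entry in the HKCU Run key; the AppInit_DLLs diff reports the seven DLLs that appeared between the two logs, which is the growth the post points out.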