
Nasty Little Infection

Post by Ralph.Jameson » February 16th, 2009, 10:35 pm

I've got a Dell PC with a nasty little infection. The two notable symptoms were
1) Periodic pop-up windows advising that the PC was infected and that RegCure Registry Cleaner should be downloaded and run immediately.
2) When running Firefox 3, occasionally MANY windows would suddenly open, crashing Firefox.

The PC belongs to my son who is 1200 miles away at college in Georgia, and is fairly clueless about computers. Thus, I'm trying to fight this remotely, since his college Tech Support department doesn't even KNOW what HijackThis is.
The machine has been running in SAFE MODE for a week now. It crashes every 20 or 30 minutes. Attached is the most recent HijackThis Logfile (15 Feb). I note that the line

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll dgjlsf.dll zdlbbh.dll doykxb.dll hcnubw.dll bxnjzt.dll tpsqfv.dll efduyh.dll

is significantly different from the same line on 11 Feb, which was
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll
Obviously something is still maliciously at work.
Here is the 15Feb HijackThis Log:
---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:47 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\hijackthis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0070119
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk- rel&channel=us&ibd=0070119
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Fjaje] rundll32.exe "C:\WINDOWS\Pzoqacolalocup.dll",e
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [f0c95485] rundll32.exe "C:\WINDOWS\system32\ttbtqfaa.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [A00FB8874.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00FB8874.exe
O4 - HKCU\..\Run: [A00F3157B6.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F3157B6.exe
O4 - HKCU\..\Run: [A00F13A35.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F13A35.exe
O4 - HKCU\..\Run: [A00F1E522F2.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F1E522F2.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [A00F2D18E.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F2D18E.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\CHRIST~1\LOCALS~1Temp\csrssc.exe
O4 - HKCU\..\Run: [A00F3FB39.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00F3FB39.exe
O4 - HKCU\..\Run: [A00FB7346.exe] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_A00FB7346.exe
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun
O4 - HKCU\..\Run: [zf4tdlcuqk5ypnkpwd6t0bxwuu4tuqlya4p] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\lp2iybg423lc.exe
O4 - HKCU\..\Run: [lnfvom20y715047wd53gev] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\i51vuf15w3.exe
O4 - HKCU\..\Run: [eabr6r1xeizuv] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\jcb7gsuxcf.exe
O4 - HKCU\..\Run: [rptlf8rn24wno77d] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\ok0qqy4gsd8kd.exe
O4 - HKCU\..\Run: [jlv9h4omuypwq0fx] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\hjm6aa6o6ycaz.exe
O4 - HKCU\..\Run: [md1yzoo66smyckslk9r3b6jfk0gc4e5eyitd5dc] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\vhptmyfb.exe
O4 - HKCU\..\Run: [no99o4ajbjqx5bjua8i2cqb9s9rebphkhf8w7g0b9h] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\j55lvfnrhlu.exe
O4 - HKCU\..\Run: [jtpyl6gzs63bffscoweei7x1vfylok] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\opxxbv0i7.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9806339054
O18 - Filter hijack: text/html - {f6342a51-db95-4fe5-9872-477cc0cbf986} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll zimrck.dll dgjlsf.dll zdlbbh.dll doykxb.dll hcnubw.dll bxnjzt.dll tpsqfv.dll efduyh.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7698 bytes
------------------------------------------

Many Thanks,

Dr. Ralph S Jameson
Last edited by NonSuch on February 17th, 2009, 3:04 am, edited 1 time in total.
Reason: Edited to remove e-mail address. E-mail addresses should never be posted in public as they will be picked up by spambots.
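The log above shows the autostart locations a helper reads first: the F2 UserInit chain, O4 Run entries launching from a Temp folder, the O7 Registry Editor lockout, and O20 AppInit_DLLs entries with no directory. The following triage script is an added example, not code from MalwareRemoval.com or from HijackThis; it parses a constructed sample of lines modelled on that log and reports these four red flags.

```python
import re

# Constructed sample: a few lines of the kind seen in the HijackThis log above.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winlognn.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL thcrku.dll fvredj.dll
"""

# O4 lines look like: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def userinit_extras(value):
    """Anything besides userinit.exe in the UserInit chain is a hijack."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]

def appinit_pathless(value):
    """AppInit_DLLs entries without a directory are resolved via the DLL search
    path; short random names like these are typical of injected malware DLLs."""
    return [d for d in value.split() if "\\" not in d]

def run_from_temp(cmd):
    """Autostart entries launching from a Temp folder are almost never legitimate.
    Also matches the 'LOCALS~1Temp' form (missing backslash) seen in the log."""
    return re.search(r"locals~1\\?temp\\|\\temp\\", cmd, re.I) is not None

def triage(log_text):
    """Return (section, detail) findings for the suspicious lines in an HJT log."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("F2 ") and "UserInit=" in line:
            for extra in userinit_extras(line.split("UserInit=", 1)[1]):
                findings.append(("F2", f"extra UserInit entry: {extra}"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            for dll in appinit_pathless(line.split("AppInit_DLLs:", 1)[1]):
                findings.append(("O20", f"pathless AppInit DLL: {dll}"))
        elif line.startswith("O7 ") and "DisableRegedit=1" in line:
            findings.append(("O7", "Registry Editor disabled by policy"))
        else:
            m = RUN_RE.match(line)
            if m and run_from_temp(m.group("cmd")):
                findings.append(("O4", f"[{m.group('name')}] runs from Temp: {m.group('cmd')}"))
    return findings

if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(section, detail)
```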

Re: Nasty Little Infection

Post by NonSuch » February 17th, 2009, 3:44 am

I hate to be the bearer of bad news but one or more of the identified infections on this system is a Backdoor Trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to advise your son to disconnect this PC from the Internet immediately. If he does any banking or other financial transactions on the PC or if it should contain any other sensitive information, please inform him that he needs to get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of his situation. If this computer has been networked with other computers, they should be checked to make sure they have not become infected. If any USB drives have been connected to this computer, they may also be infected.

In addition to the backdoor Trojan that has been identified, this system is afflicted with other infections. Although an attempt could be made to clean this machine, it could never be considered to be truly clean, secure, or trustworthy. We could not say definitively that unknown and unseen malware will have been removed, nor will this system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on the computer during the removal process. In short, this system may never regain its former stability or its full functionality without a reformat. Therefore, the best and safest course of action is a reformat and reinstallation of the Windows operating system.

Prior to reformatting the system, your son may remove and salvage his data files. No programs or executable files should be saved as they would likely be infected, and all data files should be scanned with anti-virus and anti-spyware programs prior to being returned to the hard drive after it has been reformatted. If he is not comfortable performing this procedure himself, we would advise you to tell him to take the computer to a reliable, local, computer repair shop and have them do the work for him, or perhaps his college tech support department could do the work.

Should you have any questions, please feel free to ask.

These postings are provided "AS IS" with no warranties, and confer no rights.

Re: Nasty Little Infection

Post by Ralph.Jameson » February 17th, 2009, 6:05 pm

NonSuch-

Well, knowing the bad news is better than not knowing the bad news. Thanks. It is quite probable that credit card information was stolen a couple of weeks ago.

Since the PC in question is on a college network, would you venture an opinion as to whether the malware was more likely to have been downloaded from a malicious website or to have come through the network?

Does it look like Conficker Worm? What is the likelihood that the infected PC has spread the malware to other PCs or servers on the network? Should the College Tech Support people (who are pretty clueless to begin with) be advised that there is bad stuff on the network?

We're trying to do damage control, and then damage repair.

thanks much,

Ralph Jameson

Re: Nasty Little Infection

Post by NonSuch » February 17th, 2009, 7:21 pm

You're very welcome. I'm sorry I didn't have better news for you.

It's impossible to tell which of the infections came first, but at least one of them is known to result from a file download. However, there are many ways of getting infections, including infected USB sticks, P2P filesharing, using cracks or key generators, pirated software, web sites, links, the list goes on and on. You should also be aware that anti-virus programs do not run while the machine is in safe mode. So, any time this system was in safe mode and connected to the internet, it was extremely vulnerable and, of course, the malware had carte blanche to "phone home" and to bring in other new infections as well.

This is information on just one of the infections:

http://www.trendmicro.com/vinfo/graywar ... Y&VSect=Td

No, this does not look like the Conficker worm. Also, I doubt that these infections were acquired via the network, though anything is possible. If the network was the vector for infection, one would anticipate that any computers that were the primary source of the infection would have been rendered essentially inoperable by the infection at this point and some warning would have been given to users of the network by the college. Regardless, it is important that the College Tech Support people be made aware that their network has been exposed to high-risk malware. As for the likelihood that these infections have been transferred to other systems via the network, that would depend a great deal on how well the network is locked down. I could not even hazard a guess.

These postings are provided "AS IS" with no warranties, and confer no rights.

Re: Nasty Little Infection

Post by NonSuch » February 26th, 2009, 12:30 am

As it appears this issue requires a reformat for resolution, and therefore exceeds the scope of this forum, this topic is now closed.

You can help support this site from this link:
Donations For Malware Removal