[logosbooksrecords]

Hi everyone -

I usually don't find the need to post in these situations, but I am absolutely positively stumped here. I'll try to explain what's going on, but its hard to find definitive symptoms of what's happening.

So, we're in a bookstore, and somebody somehow got some malware/trojan type software downloaded and has caused a super nasty infection. We've been through the obvious, which inlcludes removal of all bad stuff through control panel, full and complete hijcackthis scanning and removal, adaware, spybot, even the nasty xoftspy, also stinger, cwshred, dsrfix and other small removal apps.

The main visible symptom is that firefox windows keep popping up that start out with "looking up %1" in the status bar, then they do something very quickly at google.com, and then end up at the "mozilla.org" webiste (NOT our homepage). Also, we've had the bargain buddy trio of programs appear, and the computer keeps momentarily freezing up and then letting go (classic malware behavior). We also have a few random string .dlls that keep popping up in the windows\system directory. Interestingly, they are all 396kb and all have the same creating date/time. I can usually get all but one of them deleted if I run rundll32 process, but the main guy never goes away and never changes names.

We also have the Winfixer onslaught, with the windows-official-looking warnings and browser popups.

One more thing...our computer runs the "windows is updating your configuration files" deal on every boot, which makes me think maybe its taken over part of windows update?

Also, we have had ezula infection, and something that caused a "!submit" folder to appear in the root directory.

Any ideas would be appreciated. We're going nuts over here. I'll post my hjt log, but I'm pretty sure its clean as a whistle.

Logfile of HijackThis v1.99.1
Scan saved at 12:45:06 PM, on 8/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\S-T-I-N-G-E-R.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logo/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab

Thanks so much

Josh
Logos Books and Records - Santa Cruz CA
[email protected]

Edited by logosbooksrecords, 11 August 2005 - 02:46 PM.

[Advertisements]

Welcome to GeeksToGo

I'm pretty sure you have the latest look2me infection. The creation of files of same size definitely suggests that.

Please download L2m9xfix from one of these two locations:
GeeksToGo
Noidea.us

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.

Regards,

Armodeluxe

[Armodeluxe]

Welcome to GeeksToGo

I'm pretty sure you have the latest look2me infection. The creation of files of same size definitely suggests that.

Please download L2m9xfix from one of these two locations:
GeeksToGo
Noidea.us

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.

Regards,

Armodeluxe

[Armodeluxe]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.