I usually don't find the need to post in these situations, but I am absolutely positively stumped here. I'll try to explain what's going on, but it's hard to find definitive symptoms of what's happening.
So, we're in a bookstore, and somebody somehow got some malware/trojan type software downloaded and it has caused a super nasty infection. We've been through the obvious, which includes removal of all bad stuff through Control Panel, full and complete HijackThis scanning and removal, Ad-Aware, Spybot, even the nasty XoftSpy, also Stinger, CWShredder, DSRFix and other small removal apps.
The main visible symptom is that Firefox windows keep popping up that start out with "looking up %1" in the status bar, then they do something very quickly at google.com, and then end up at the mozilla.org website (NOT our homepage). Also, we've had the Bargain Buddy trio of programs appear, and the computer keeps momentarily freezing up and then letting go (classic malware behavior). We also have a few random-string .dlls that keep popping up in the windows\system directory. Interestingly, they are all 396 KB and all have the same creation date/time. I can usually get all but one of them deleted if I kill the rundll32 process, but the main guy never goes away and never changes names.
We also have the Winfixer onslaught, with the windows-official-looking warnings and browser popups.
One more thing... our computer runs the "Windows is updating your configuration files" deal on every boot, which makes me think maybe it's taken over part of Windows Update?
Also, we have had an eZula infection, and something that caused a "!submit" folder to appear in the root directory.
Any ideas would be appreciated. We're going nuts over here. I'll post my HJT log, but I'm pretty sure it's clean as a whistle.
Logfile of HijackThis v1.99.1
Scan saved at 12:45:06 PM, on 8/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\S-T-I-N-G-E-R.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logo/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
Thanks so much
Josh
Logos Books and Records - Santa Cruz CA
Edited by logosbooksrecords, 11 August 2005 - 02:46 PM.
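When a HijackThis log like the one above is posted, the first thing a helper does is read the R0/O2/O4/O16 lines one by one and decide which entries need verification. The following is an added example, not part of Josh's post and not HijackThis code: a small parser for the HJT 1.99 line format plus a few triage heuristics of my own (empty targets, O4 commands that are bare filenames resolved by PATH search, and O16 ActiveX downloads), run over lines copied from the log in the post. The regular expressions and the heuristic rules are this example's assumptions about the format, not anything the HijackThis project documents.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: a subset of the lines from the HijackThis log in the post,
# copied verbatim so the parser can be exercised offline.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logo/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""


@dataclass
class Entry:
    section: str   # R0, O2, O4, O16
    location: str  # registry key, CLSID, or "Startup"
    name: str      # value name, BHO name, or ActiveX control name
    target: str    # URL, file path, or command line (may be empty)


# Line patterns assumed from the sample above (not an official HJT grammar).
R_RE = re.compile(r"^(R\d) - (.*?),(.*?) =(.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RUN_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (.*?) = (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Turn R0/O2/O4/O16 log lines into Entry records; other lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := R_RE.match(line):
            entries.append(Entry(m[1], m[2], m[3], m[4].strip()))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", m[2], m[1], m[3].strip()))
        elif m := O4_RUN_RE.match(line):
            entries.append(Entry("O4", m[1], m[2], m[3].strip()))
        elif m := O4_STARTUP_RE.match(line):
            entries.append(Entry("O4", "Startup", m[1], m[2].strip()))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", m[1], m[2], m[3].strip()))
    return entries


def executable(command: str) -> str:
    """First token of an O4 command line, honouring a quoted path.

    An unquoted path containing spaces yields only its first token, which is
    still enough for the drive/path check in triage()."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Heuristic review flags; every flag is a 'verify this', not a verdict."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        if not e.target:
            findings.append((e, "empty target: value cleared or a hijack remnant, confirm the expected default"))
        elif e.section == "O4":
            exe = executable(e.target)
            if "\\" not in exe and ":" not in exe:
                # No directory: the loader finds this by PATH search, so a file of the
                # same name earlier on the PATH would run instead of the intended one.
                findings.append((e, f"bare filename {exe!r}: resolved by PATH search, verify which file actually runs"))
        elif e.section == "O16":
            findings.append((e, "ActiveX control downloaded from the web: confirm vendor and URL"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(HJT_SAMPLE)):
        print(f"{entry.section:4} [{entry.name}] {entry.target or '<empty>'}")
        print(f"     -> {reason}")
```

On the sample, the only O4 entries flagged are the two bare names (SystemTray and POINTER), the cleared Local Page value is reported as empty, and the HouseCall download is listed for vendor confirmation; nothing here is judged malicious by the script, it just narrows what a human has to check.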