To the best of my friend's recollection:
- The infection seemingly started when visiting a professional site (with Firefox) that had been hacked (unfortunately she doesn't recall which site..., but it was a site that came up in Google when searching for "Understanding the Immune System How It Works"). The site in question doesn't seem to come up in a search that I did just now.
- Surprisingly, Firefox launched IE!
- Then all sorts of other popups started popping up.
At this point I came onto the scene:
- Rebooted. Once Firefox was started, about every two minutes a new Firefox window would open, browsing to a certain site (sorry, I don't recall the name of this either, and I now have the infected computer offline so that it doesn't reinfect fully). However, I saw mention of this site in other posts that I can't now find. It was a short name, like 7 characters .com, starting with i, I think....
- If Firefox is not running then this doesn't happen. However, all browsers and other apps are blocked from a number of sites (virus & help related).
- Anyway, even though I verified (by adding an entry) that the usual hosts file is in use, many virus removal sites (mcafee.com for instance) are blocked (127.0.0.1 redirect) even though these are not listed in hosts.
- Several virus checkers don't find anything. Of course, they can't update themselves because of the blocked sites problem.
- I ran HijackThis several times (logs attached). Fascinating! It actually shows different results when running under a different form, so I'll assume that the infection messes with HijackThis results. HijackThis can't directly upload the logs, as that is also seemingly IP blocked.
- As you can see in the logs, I tried removing a bunch of stuff (O2 .dlls mostly) that showed up at the time of infection. However, one very nasty bit won't go away (O2 & O20 mlJDVPJD.dll).
- The computer won't boot in safe mode!!! The driver loading stuff scrolls by on the screen, then it just stops. Not sure if this was a problem with how the computer was initially set up. I didn't know that it was possible to configure XP in a way that safe mode boot won't work.
- I removed Java-looking stuff (.exe and others) as they seem suspicious to me.
- If the computer is online, the other O2 .dlls come back.
- If the computer is offline (pulled the network cable), the other .dlls don't come back, but the computer now shuts down after about 15 minutes.
- I just downloaded DDS and ComboFix and am going to give them a try.
The 3 HijackThis logs have self-explanatory names and are attached in the order that I ran them...
I'll check back here for more. I enabled email notification.
____________Ron
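A small triage script, added here as an illustration and not part of Ron's post, his attached logs or the HijackThis tool itself: it pulls the O2 (BHO) and O20 (Winlogon Notify) entries out of a HijackThis-style log, flags a DLL that is registered under both sections (the situation described for mlJDVPJD.dll) or that has a random-looking name, and separately lists names that resolve to 127.0.0.1 without a matching hosts file entry, which is the check behind the "blocked even though not in hosts" observation. The log lines, GUIDs, hosts file contents and resolution results are all constructed, and the "Onn - description - path" line layout is an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log layout (assumption: real logs use this
# "Onn - description - path" shape). GUIDs and paths are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\mlJDVPJD.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\SYSTEM32\wlnotify.dll
O20 - Winlogon Notify: mlJDVPJD - C:\WINDOWS\SYSTEM32\mlJDVPJD.dll
"""

# Constructed hosts file; the .invalid line stands in for the poster's own test entry.
SAMPLE_HOSTS = """\
# hosts
127.0.0.1       localhost
127.0.0.1       blocktest.invalid
"""

# Constructed: what name resolution reported on the infected machine (e.g. via ping).
OBSERVED = {
    "localhost": "127.0.0.1",
    "blocktest.invalid": "127.0.0.1",
    "www.mcafee.com": "127.0.0.1",
    "www.example.com": "203.0.113.10",
}

LINE_RE = re.compile(r"^(?P<code>O2|O20) - (?P<rest>.*)$")
# Last drive-letter path ending in .dll on the line; non-greedy so spaces in paths survive.
DLL_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.dll', re.IGNORECASE)
HOSTS_RE = re.compile(r"^\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<names>[^#]+)")
VOWELS = set("aeiouy")


def parse_entries(log_text):
    """Return (section, dll_path) pairs for every O2 and O20 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        paths = DLL_RE.findall(m.group("rest"))
        if paths:
            entries.append((m.group("code"), paths[-1]))
    return entries


def looks_random(stem):
    """Heuristic only: a letters-only stem of 6+ chars with no vowels (mlJDVPJD).
    It has false positives (cscdll), so treat it as a hint, not a verdict."""
    return len(stem) >= 6 and stem.isalpha() and not (set(stem.lower()) & VOWELS)


def triage(log_text):
    """Group O2/O20 entries by DLL file name and report the suspicious ones.
    Returns [(file_name, [sections], [reasons]), ...]."""
    by_file = defaultdict(set)
    for code, path in parse_entries(log_text):
        by_file[path.lower().rsplit("\\", 1)[-1]].add(code)
    findings = []
    for fname in sorted(by_file):
        codes = sorted(by_file[fname])
        reasons = []
        if len(codes) > 1:  # same DLL persisting as BHO *and* Winlogon Notify
            reasons.append("registered under " + " and ".join(codes))
        if looks_random(fname[:-4]):  # strip ".dll"
            reasons.append("random-looking name (no vowels)")
        if reasons:
            findings.append((fname, codes, reasons))
    return findings


def parse_hosts(text):
    """Map each hostname in a hosts file to the address it is pinned to."""
    mapping = {}
    for line in text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            for name in m.group("names").split():
                mapping[name.lower()] = m.group("ip")
    return mapping


def unexplained_loopbacks(hosts_text, observed):
    """Names that resolve to 127.x.x.x although the hosts file does not say so:
    those redirects are being produced by something other than the hosts file."""
    hosts = parse_hosts(hosts_text)
    return sorted(name for name, ip in observed.items()
                  if ip.startswith("127.") and hosts.get(name.lower()) != ip)


if __name__ == "__main__":
    for fname, codes, reasons in triage(SAMPLE_LOG):
        print(fname, codes, "; ".join(reasons))
    print("loopback not explained by hosts:", unexplained_loopbacks(SAMPLE_HOSTS, OBSERVED))
```

The two-section check is the stronger signal: a DLL that is loaded both as a browser helper object and from Winlogon Notify survives removal of either one on its own, which matches the "won't go away" behaviour described above. The hosts comparison takes a dictionary of observed resolutions so it can be fed from a transcript taken on the offline machine rather than doing live lookups.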