
Firefox popups, hostfile-like redirects, hijack can't remove possible infection, and more


  • This topic is locked
4 replies to this topic

#1 Ron Wolf

Ron Wolf

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:Menlo Park, CA

Posted 02 January 2009 - 04:46 AM

my friend's computer acquired a very complex infection on the morning of the 28th. i'm a fairly sophisticated user (your worst nightmare?) and so have tried to remove it. at this point i want to post here for possible help as well as to alert you, and others, to the impressive complexity of this infection.

to the best of my friend's recollection:
- the infection seemingly started when visiting a professional site (with firefox) that had been hacked (unfortunately she doesn't recall which site..., but it was a site that came up in google when searching for "Understanding the Immune System How It Works". the site in question doesn't seem to come up in a search that i did just now.
- surprisingly firefox launched IE!
- then all sorts of other popups started popping up.
at this point i came onto the scene:
- rebooted. once firefox was started, about every two minutes a new firefox window would open browsing to a certain site (sorry don't recall the name of this either and i now have the infected computer offline so that it doesn't reinfect fully). however i saw mention of this site on other posts that i can't now find. it was a short name like 7 characters .com. starting with i i think....
- if firefox is not running then this doesn't happen. however all browsers and other apps are blocked from a number of sites (virus & help related)
- anyway, even tho i verified (by adding an entry) that the usual hosts file is in use, many virus removal sites (mcaffe.com for instance) are blocked (127.0.0.1 redirect) even tho these are not listed in hosts.
- several virus checkers don't find anything. of course, they can't update themselves because of the blocked sites problem
- i ran hijack this several times (logs attached). fascinating! it actually shows different results when running under a different form. so i'll assume that the infection messes with hijack results. hijackthis can't directly upload the logs as that is also seemingly IP blocked.
- as you can see in the logs, i tried removing a bunch of stuff (O2 .dlls mostly) that showed up at the time of infection. however, one very nasty bit won't go away (O2 & O20 mlJDVPJD.dll).
- the computer won't boot in safe mode!!! the driver loading stuff scrolls by on the screen. then it just stops. not sure if this was a problem with how the computer was initially setup. i didn't know that it was possible to configure XP in a way that safe mode boot won't work.
- i removed java looking stuff (.exe and others) as they seem suspicious to me.
- if the computer is online, the other O2 .dlls come back
- if the computer is offline (pulled the network cable), the other .dlls don't come back but the computer now shuts down after about 15 minutes.
- i just downloaded dds and combofix and am going to give them a try

the 3 hijackthis logs have self-explanatory names and are attached in the order that i ran them...

i'll check back here for more. i enabled email notification.

____________Ron

Attached Files


____________________Ron
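The symptom above (sites answering as 127.0.0.1 although the hosts file does not list them) separates into two cases a responder wants to tell apart: a loopback answer that the hosts file explains, and one that it does not, which points at the name resolution path itself being altered. The following check is an added example, not code from the original post or from any tool named in the thread; the hosts content, the `.test` hostnames and the table-backed resolver are constructed so it runs offline, and on a real machine `audit()` would be called with the contents of the system hosts file and the default `socket.gethostbyname`.

```python
import socket
from typing import Callable, Dict, Iterable

# Constructed sample hosts file: only one of the names checked below is listed here.
SAMPLE_HOSTS = """\
# constructed hosts file for the example
127.0.0.1       localhost
127.0.0.1       ads.example.test   # a legitimate, deliberate block
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in a hosts file to the address it is pinned to."""
    pinned: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                # one address, one or more names
            pinned[name.lower()] = fields[0]
    return pinned

def classify(host: str, pinned: Dict[str, str],
             resolve: Callable[[str], str]) -> str:
    """'hosts' = answer explained by the hosts file; 'loopback-unexplained' =
    127.x answer with no hosts entry (resolution altered elsewhere)."""
    try:
        answer = resolve(host)
    except OSError:                            # socket.gaierror is an OSError
        return "unresolved"
    if pinned.get(host.lower()) == answer:
        return "hosts"
    if answer.startswith("127."):
        return "loopback-unexplained"
    return "ok"

def audit(hosts_text: str, names: Iterable[str],
          resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    pinned = parse_hosts(hosts_text)
    return {n: classify(n, pinned, resolve) for n in names}

def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for gethostbyname, backed by a constructed answer table."""
    def resolve(host: str) -> str:
        if host not in table:
            raise socket.gaierror("constructed: no such name")
        return table[host]
    return resolve
```

Because a resolver hook injected into particular processes can answer differently per process, the same names should be checked from more than one program before concluding the hosts file is the whole story.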


#2 Ron Wolf

Ron Wolf
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:Menlo Park, CA

Posted 02 January 2009 - 05:12 AM

forgot to mention that i tried removing the mlJDVPJD.dll using hijackthis' remove file at reboot function. even that doesn't get rid of the file!

am now attaching the dds logs that i just ran. not sure why your instructions ask that the dds.txt be inserted directly into the conversation here?? i'll do that if important. otherwise, i would just as soon keep the discussion itself cleaner by attaching logs.

also from the attach.txt, it seems that this infection even ran a system savepoint as the savepoints are just at the time of infection.

we had already found an issue with the savepoints as that's one of the 1st things that i wanted to try, reverting to previous savepoint. indeed my friend thought that she had made other savepoints. but none were to be found. did the infection get rid of them? this is really a nasty creature!!!

Attached Files


____________________Ron

#3 Ron Wolf

Ron Wolf
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:Menlo Park, CA

Posted 02 January 2009 - 06:03 AM

PROBLEM RESOLVED!!

Knock on wood. Using the helpful instructions posted elsewhere on BleepingComputer, I downloaded and ran ComboFix. It got rid of mlJDVPJD.dll and the associated registry entries as well as a few other items (log attached). The issues with blocked sites, with firefox auto-launching the window (at least so far), the machine restarting (at least so far), seem to be fixed.

I'll note that one step of the ComboFix setup didn't go as expected as the Windows Recovery Console install seemed to fail. An error came up saying that it couldn't be installed due to low memory, low disk, or corrupted install file (sorry I didn't write down the exact error message). However, the process seemed to go forward fine after that. The console that I downloaded was WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe and the system says that it is XP Pro SP3, DE language.

OK. Would appreciate any comments or suggestions for more stuff that I should look at or do.

RANT -> as you can see from the logs, this system was 'protected' (ha ha ha ha ha) with NOD32. What's the deal with these virus apps that don't detect even in memory viruses much less get rid of them? And how unacceptable is it that MS doesn't provide the level of support and repair that the wonderful writers of ComboFix and this BBS do??? Much less a system that is so easily infected.

I'm also posting some of this to the Mozilla forum as they should know that this whole mess started from FireFox...

Attached Files

  • Attached File  log.txt   13.09KB   3 downloads

____________________Ron

#4 Ron Wolf

Ron Wolf
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:Menlo Park, CA

Posted 02 January 2009 - 06:05 AM

Oh, one more thing. I just found in my notes that the site that the launched FireFox window was going to was sagipsul.com.
____________________Ron

#5 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 03:18 AM

Thanks for informing us what you have done.
Good luck.
Should you find other problems please start a new topic.

This thread is closed,
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
