08-21-2005, 03:17 PM   #11
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,184
OS: 2000 Pro; XP Pro; XP Home
Hi Jim -

This is a new variant of LOP infection, and I have a new tool to use to help us ID the hidden sources of the infection.

Copy these instructions to Notepad. Follow these instructions only at this point, in the order given, and provide only the logs asked for in this post, please.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Download Killbox from one of these locations:

http://www.greyknight17.com/spy/KillBox.exe
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\tvmcwrd.dll
C:\WINDOWS\SYSTEM32\ocxdrv32.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe027.dll
C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug
C:\Documents and Settings\Owner\7k15.exe
C:\Documents and Settings\Owner\Application Data\OnlineLoad
C:\WINDOWS\system32\msrac32.dll


Select/highlight all the filename(s) from the above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe.
1. Go to the File menu, and choose Paste from Clipboard (* this feature does not work on older versions of Killbox).
   Click the dropdown arrow next to the "Full Path of File to Delete" field.
   Verify that the filenames you pasted are found in there.
2. Select/tick the following:
   • Delete on Reboot
   • End Explorer Shell While Killing File
   • Unregister .dll Before Deleting (* if it's not grayed out)
3. Click the RED X button.
4. Click Yes at the 'Delete on Reboot' prompt.
5. Click Yes at the 'Pending Operations' prompt.

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.


Allow your system to reboot into normal mode.

Please configure CleanUp with the following settings:

Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
* Click "Options..."
* Move the arrow down to "Custom CleanUp!"
* Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  [X] Scan local drives for temporary files (please UNCHECK this option)
  • Cleanup! All Users
* Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Delete the contents of the following folders, but not the folders (let me know if there is known good data (yours) stored in these locations):

C:\Program Files\OmegaKiller1[1].2\backup
C:\Documents and Settings\Owner\Desktop\Saved Files From Desktop\backup

Download Findlop. Unzip it to your desktop.
Double-click fl.bat. It will open a Notepad file.
Copy the contents of that file and paste it here in your reply.

Run a scan with HJT, save the log and post it here.

So, I need a log from:

• HJT
• fl.bat
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
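The "Delete on Reboot" step above relies on a standard Windows mechanism: a file that cannot be removed while it is loaded is queued for deletion at the next boot, and Windows keeps that queue in the PendingFileRenameOperations registry value the post's error message refers to. The script below is an added example, not part of tetonbob's post and not code from Killbox, CleanUp! or Findlop. It assumes a current Windows with PowerShell 5.1 or later, an elevated prompt, and the same file paths named in the post; the function names (Register-DeleteOnReboot, Get-PendingFileOps) are chosen here for illustration. It records each target's size, timestamp and SHA-256 before the file disappears, unregisters .dll targets with regsvr32 (corresponding to the post's "Unregister .dll Before Deleting" tick), queues the delete with MoveFileEx, and then reads the queue back so you can verify what will actually happen at reboot.

```powershell
#Requires -RunAsAdministrator
# Added example: queue files for delete-on-reboot the way Killbox's option does,
# keeping an evidence record first. Paths are the ones listed in the post.

$targets = @(
    'C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll',
    'C:\WINDOWS\system32\ocxdrv32.dll',
    'C:\WINDOWS\Downloaded Program Files\SbCIe027.dll',
    'C:\Documents and Settings\All Users\Application Data\BaseStyleIdolDebug',
    'C:\Documents and Settings\Owner\7k15.exe',
    'C:\Documents and Settings\Owner\Application Data\OnlineLoad',
    'C:\WINDOWS\system32\msrac32.dll'
)

# P/Invoke for MoveFileExW. A null destination plus MOVEFILE_DELAY_UNTIL_REBOOT
# tells the kernel to delete the source during the next boot; Windows records
# the request in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
# PendingFileRenameOperations (the value named in the post's error message).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            "MISSING  $p"
            continue
        }
        $item = Get-Item -LiteralPath $p -Force

        # Record identifying data before the file is gone, so the sample can
        # still be looked up or submitted to a vendor later.
        $hash = if ($item.PSIsContainer) { '(directory)' }
                else { (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash }

        # Equivalent of the "Unregister .dll Before Deleting" tick: ask the DLL
        # to remove its COM registration. Failures are silent (/s) and harmless.
        if (-not $item.PSIsContainer -and $item.Extension -ieq '.dll') {
            & "$env:SystemRoot\System32\regsvr32.exe" /u /s $p | Out-Null
        }

        # Caveat: a directory queued this way is only removed at boot if it is
        # empty, so queue its contents first if you want the folder gone too.
        $ok  = [Win32.Native]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $status = if ($ok) { 'QUEUED ' } else { "FAILED (Win32 error $err)" }
        "$status  $p  size=$($item.Length)  sha256=$hash  created=$($item.CreationTimeUtc.ToString('u'))"
    }
}

function Get-PendingFileOps {
    # The value is a REG_MULTI_SZ of pairs: source, then destination.
    # An empty destination means "delete at boot".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $pending) { return 'No pending file operations.' }
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        if ([string]::IsNullOrEmpty($dst)) { "delete at boot: $src" }
        else { "rename at boot: $src -> $dst" }
    }
}

$logPath = Join-Path $env:USERPROFILE 'Desktop\killbox-log.txt'
Register-DeleteOnReboot -Path $targets | Tee-Object -FilePath $logPath
''
'Pending operations now registered with Windows:'
Get-PendingFileOps
```

Keep the log file: it is the record of what was on the machine and what was queued. If Get-PendingFileOps shows no entries right after queuing, something else on the system cleared the value, which is exactly the situation the post's "PendingFileRenameOperations registry data has been removed by external process" message describes, and the files will still be present after the restart.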