How to delete the love slow.exe malware?

[phreak0ut]

I'm infected with this spyware, but I'm not able to remove it. Avast doesn't detect this at all. AVG antispyware also didn't detect this and same goes with Spyware S&D. I installed KIS. It detected it, but its not able to remove as well. I know the location of the file, but I can't delete it manually as it shows that the file is in use. I don't know how I got infected with all the security measures I take up

[Siddharth Maheshwari]

Try finding the program in the process bar and close it and delete it.Sheddrers can also do it.

[Kiran.dks]

Post the HijackThis Log report here.

[Pathik]

if u hav linux installed too then boot ito it n delete that file... or use a live cd..

[sakumar79]

Have you tried to remove it in safe mode?

Arun

[phreak0ut]

@Siddarth- Shredder didn't work. Tried it. @sakumar-Haven't tried out with Safe Mode yet. Will be installing Nod32 and trying out. Will be posting the HijackThis log as well.

[47shailesh]

To remove this adware program using its uninstall option, do the following:

1. Click Start>Settings>Control Panel.
2. Double-click on Add/Remove Programs.
3. In the displayed list, choose the following program:
   Save
4. Click on Change/Remove.
5. Follow the instructions on the dialog box that appears.
6. Close the Add/Remove Programs window, and the Control Panel window.

Now must refer to this location for complete removal of ots traces...
source SAVENOW

[anandk]

^ i dont think savenow crfeates slow.exe !? i think its the adware.lop process, but since u know the location of the file, download and use 'delete doctor' from www.diskcleaners.con to delete the malware. then make sure u run ccleaner or something like that. and ya a hjt logfile wud help.

[phreak0ut]

Here is my log file:

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:47 PM, on 2/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\TopDesk\topdesk.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Sunil\Desktop\AutoShutdown\autoshutdown2. exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSI\DigiCell\DigiCell.exe
C:\Program Files\Easy Eyes Saver 2.9\Eyes_Saver.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Sunil\LOCALS~1\Temp\Rar$EX00.016\Hijac kThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.240.48.195/webLogin.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Vistadrv] C:\Program Files\VistaDrives\vsdrv.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170693966\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TopDesk] C:\Program Files\TopDesk\topdesk.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [debug cdrom multi boob] C:\Documents and Settings\All Users\Application Data\Grim 2 debug cdrom\love slow.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoShutdown] C:\Documents and Settings\Sunil\Desktop\AutoShutdown\autoshutdown2. exe
O4 - HKCU\..\Run: [warn roam] C:\DOCUME~1\Sunil\APPLIC~1\HTMSTA~1\Ace that.exe
O4 - HKCU\..\RunOnce: [Eyes_Saver.exe] C:\Program Files\Easy Eyes Saver 2.9\Eyes_Saver.exe
O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{19B756F7-03A2-4F10-8D0E-464537AA25DA}: NameServer = 61.1.96.69
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I know there are a lot of startup entries. I need to fix some issues, for which I really don't have the time and most of the time I'm on linux

EDIT: CCleaner is not doing such a great job of cleaning up the files. I see from this log that XDrive contents still reside. I'll try with other cleaners. Let's see. Now, NOD32 also didn't detect the malware

[anandk]

dont forget to use delete doctor.

among cleaners, i prefer and use 'ace utilities' and 'tune-up utilities'.

logfile appears clean. xcpt that ur ie start page appears to have been hijacked. u can also always get it auto-analysed in detail at www.hijackthis.de

btw, does easy eye saver really help, sunil ?

[phreak0ut]

I used Delete Doctor just now, but it is refusing to get deleted. I've scheduled to remove it on the next system startup. Hopefully it should. I use Tune up utilites as well. Very nice application.

Yes, Easy eye saver are for people who keep staring at the monitor for a loooong time. Every 20 minutes, the monitor goes into standby for a minute and plays soothing sounds.

[anandk]

it will delete on reboot ! this doc knows his job

[Kiran.dks]

I don't see any problems in the log report.
Love slow.exe should be located in:
C:\Documents and Settings\CLÉMENCE\Application Data\MPEGFR~1\Love Slow.exe
Reboot in safe mode and try deleting it.

[47shailesh]

Quote:

Originally Posted by anandk

^ i dont think savenow crfeates slow.exe !? i think its the adware.lop process, but since u know the location of the file, download and use 'delete doctor' from www.diskcleaners.con to delete the malware. then make sure u run ccleaner or something like that. and ya a hjt logfile wud help.

Sry i was mistaken with the name...

Here is yet another effective solution and free too

download moveonboot:

It's free and this simple tool allows you to Move, Copy or Delete files before Windows can lock or alter the files. The changes are made to your hard drive before Windows starts, hence it requires a restart of your system after you give MoveOnBoot its instructions. There are no messy boot or DOS commands, just a simple 3-step process.

Step 1: Locate the name of the file that is causing your problems.

Step 2: Decide if you want to copy, move or delete the file.

Step 3. Choose a destination for moving the file, or a new file name for the rename option (this option won't appear if you are deleting a file).

Click OK to confirm you want to process. The nice thing is that the program doesn't make you reboot straight away. It's a good idea to reboot ASAP, but if you are in the middle of something and want to wait, the program will simply run next time you start Windows

[phreak0ut]

@anand The doctor didn't do the job. He forgot I guess Also, how did you come to know that it was adware.lop??? You were right on and only one ad removal tool was able to detect it, but not remove Super Ad blocker was the one.

@Kiran Actually, the file is located at C:\Documents and Settings\All Users\Application Data\Grim 2 debug cdrom\love slow.exe

@Shailesh I've scheduled for the deletion. I still haven't tried out in Safe Mode If the software fails, I'll be doing it in Safe mode and hopefully it should work.

[Kiran.dks]

Quote:

Originally Posted by phreak0utt

@Kiran Actually, the file is located at C:\Documents and Settings\All Users\Application Data\Grim 2 debug cdrom\love slow.exe

I just gave an example of it's location. CLÉMENCE\Application Data\MPEGFR~1\Love Slow.exe is the user profiles doc settings. In your case it, it will be in your log-in. "ALL USERS" is also possible. Check out in ur specific log-in doc folder too...xxxxx\Application Data\....\Love Slow.exe.

Log-in in "safe mode" and try deleting it.

[anandk]

i m surprised deletedoctor failed to delete the file on system restart
disable system restore and try again. else try 'killbox' ...

[ApoorvKhatreja]

It's quite unlikely that the doctor forgot to do his job. The doctor is very particular. Maybe the spyware has more copies which replaced. I remember having a virus similar to your spyware. Try and search for more files which resemble the spyware file.

Or just open your processes tab in Windows Task Manager. If your a regualr process viewer, you might as well know the processes that usually run. If you spot a process with an unusual name (for eg - loveslow.exe), note it's name, search for it and delete it. Also goto run, type msconfig. In the startup tab, usually you should have your antivirus process and a few more usual processes. If over there you notice a program which you haven't installed, or you don't want to be loaded at startup, remove the check from it, and press OK.

[phreak0ut]

@kiran Yes, it is according to the user profile. In my case, it was in the location which I mentioned.

@anand, @apoorv Even I was surprised that the doctor didn't do his job. Sometimes few stuff is beyond his control I guess

@shailesh I tried out MoveOnBoot which you suggested and it worked like a charm!! Thanks!! Reps to you!

[Kiran.dks]

Did you try removing it in "safe mode"? Anyways..It's good to see that the problem is solved.

[phreak0ut]

Nope! I would have tried out in Safe Mode if MoveOnBoot hadn't done the job. I'm glad the problem is resolved