  1. #1

    (pchfsa step of the prework skipped as program did not function properly)

    Yesterday I formatted my hdd and did a fresh win7 install, however, according to superantispyware I am already infected by a Trojan.agent/Gen-Fallegg
    (c:\program files (86)\microsoft\desktoplayer.exe)
    Malwarebytes is unable to detect it though.

    Even in safe mode the file cannot be deleted as it is being used by the system. I managed to delete it using a secondary OS on another partition but after a reboot the infected file reappears.
    I am running Win7 64 bit, fully updated.

    OTL files too long to be included so I've attached them instead.

    thx

  2. #2

    Hi, Welcome to PCHF!

    It seems you have a rather new infection, please give me a moment to review your logs and I shall have a fix for you momentarily. :mrgreen:

  3. #3

    Hi.

    Please run OTL.exe.

    • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files
      e:\Program Files (x86)\Microsoft\DesktopLayer.exe
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      "Userinit"="c:\windows\system32\userinit.exe,"
      
      :commands
      [emptytemp]
      [emptyflash]
      [resethosts]
      [reboot]
    • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
    • Click the red Run Fix button.
    • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
    • Close OTL.exe.


    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ===============

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *srv.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

    Note: The log can also be found on your Desktop entitled SystemLook.txt
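    The two checks behind the fix above, as an added Python example (it is not from this thread, OTL or SystemLook): a validator for the Winlogon Userinit value the :Reg block writes back, and a recursive case-insensitive filename search that reports the same fields SystemLook's :filefind prints (path, size, modified time, MD5). The registry value is passed in as a plain string (on a live machine you would read it with winreg from the Winlogon key shown above), the expected default is assumed to be the 64-bit Windows 7 one the helper wrote, and the sample tree is constructed in a temp directory.

```python
"""Added example, not code from the thread, OTL or SystemLook. Assumptions:
the Userinit value is supplied as a string (on Windows read it with winreg from
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon); the search root is
a directory you choose; the demo tree below is constructed, not real malware."""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime

# Default Userinit value the helper's :Reg block writes back (trailing comma is
# part of the stock value). Assumed for a 64-bit Windows 7 install.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"


def check_userinit(value: str) -> dict:
    """Split a Userinit value on commas and report every entry that is not the
    expected userinit.exe. Anything extra runs at each logon, so it is a finding
    to review, not by itself proof of infection."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    expected = {e.lower() for e in DEFAULT_USERINIT.split(",") if e}
    extra = [e for e in entries if e.lower() not in expected]
    return {"entries": entries, "extra": extra, "clean": not extra}


def md5_of(path: str) -> str:
    """MD5 of a file, upper-case hex like SystemLook prints it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def filefind(root: str, pattern: str) -> list:
    """Recursive, case-insensitive glob on file names under root; returns one
    record per hit sorted by path (path, size, modified time, MD5)."""
    hits = []
    pat = pattern.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatchcase(name.lower(), pat):
                p = os.path.join(dirpath, name)
                st = os.stat(p)
                hits.append({
                    "path": p,
                    "size": st.st_size,
                    "modified": datetime.fromtimestamp(st.st_mtime).strftime("%H:%M %d/%m/%Y"),
                    "md5": md5_of(p),
                })
    return sorted(hits, key=lambda h: h["path"])


def make_demo_tree() -> str:
    """Constructed sample tree: two names that match *srv.exe in different case
    and one that does not. Contents are plain text, not executables."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    cameo = os.path.join(root, "Program Files", "Cameo")
    wbem = os.path.join(root, "Windows", "System32", "wbem")
    os.makedirs(cameo)
    os.makedirs(wbem)
    with open(os.path.join(cameo, "bsetrootSrv.exe"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(cameo, "readme.txt"), "wb") as f:
        f.write(b"text")
    with open(os.path.join(wbem, "WmiApSrv.exe"), "wb") as f:
        f.write(b"wmi")
    return root


if __name__ == "__main__":
    # Constructed Userinit value with an extra entry appended after userinit.exe
    print(check_userinit(r"C:\Windows\system32\userinit.exe,C:\Users\demo\AppData\Roaming\extra.exe,"))
    for hit in filefind(make_demo_tree(), "*srv.exe"):
        print(hit)
```

    The filefind walks whatever root you pass; pointing it at a real Program Files directory reproduces the helper's "*srv.exe" search, with the MD5 there to match hits against the values a scan log reports.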

  4. #4

    All processes killed
    ========== FILES ==========
    e:\Program Files (x86)\Microsoft\DesktopLayer.exe moved successfully.
    ========== REGISTRY ==========
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\"Userinit"|"c:\windows\system32\userinit.exe," /E : value set successfully!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: jaikyro
    ->Temp folder emptied: 62806104 bytes
    ->Temporary Internet Files folder emptied: 2848010 bytes
    ->Java cache emptied: 0 bytes
    ->Opera cache emptied: 9966271 bytes
    ->Flash cache emptied: 2365 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 128287376 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 195.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: jaikyro
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb

    E:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.9.1 log created on 08092010_152910

    Files\Folders moved on Reboot...
    File\Folder E:\Users\jaikyro\AppData\Local\Temp\~DF1916C3FC6F9E3AA7.TMP not found!
    File\Folder E:\Users\jaikyro\AppData\Local\Temp\~DF629B53A72F6819DD.TMP not found!
    File\Folder E:\Users\jaikyro\AppData\Local\Temp\~DF82B21F1E305CC412.TMP not found!
    File\Folder E:\Users\jaikyro\AppData\Local\Temp\~DFA08F42A8A0E5E57E.TMP not found!
    File\Folder E:\Users\jaikyro\AppData\Local\Temp\~DFA7CF04E34C3DFA99.TMP not found!
    File\Folder E:\Users\jaikyro\AppData\Local\Temp\~DFF9FB9554E08C973D.TMP not found!
    E:\Users\jaikyro\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FBL1210L\ads[1].htm moved successfully.
    E:\Users\jaikyro\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FBL1210L\jobgooglead[1].htm moved successfully.
    E:\Users\jaikyro\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FBL1210L\toolbar[1].htm moved successfully.
    E:\Users\jaikyro\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1WAZ9VNJ\ads[1].htm moved successfully.

    Registry entries deleted on Reboot...

    -----

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 15:33 on 09/08/2010 by jaikyro (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "*srv.exe"
    E:\Program Files\Cameo\bsetrootSrv.exe --a--- 57344 bytes [21:26 08/08/2010] [13:31 09/08/2010] 83F5A64A268F21C7C6D6DD54CE8A88C2
    E:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7600.16385_none_0fd180464a231384\plasrv.exe --a--- 9216 bytes [23:31 13/07/2009] [01:39 14/07/2009] B1B85A3B631E2CC1B5F0FC5BE06AAFE1
    E:\Windows\winsxs\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_6.1.7600.16385_none_c09aa5b3bec88beb\BdeUISrv.exe --a--- 48640 bytes [23:22 13/07/2009] [01:38 14/07/2009] 1DA6B19BE5D4949C868A264BC5E74206
    E:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7600.16385_none_40a54b0d12b542e8\qappsrv.exe --a--- 23040 bytes [00:17 14/07/2009] [01:39 14/07/2009] 7DF67AEC622671AF4CD641BDBFE94342
    E:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7600.16385_none_1548f4bc3949a69a\WmiApSrv.exe --a--- 203264 bytes [23:47 13/07/2009] [01:39 14/07/2009] 38B84C94C5A8AF291ADFEA478AE54F93

    -=End Of File=-
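    A parser for the :filefind lines in the SystemLook log above, added here as a Python example (not code from the thread or from SystemLook). It turns each hit line into a record and, as a triage rule that is this script's own assumption rather than anything SystemLook does, marks for review every hit that does not live under \Windows\winsxs\ or \Windows\System32\. The sample input is the five hit lines from the log above, embedded verbatim.

```python
"""Added example, not from the thread or SystemLook. Parses SystemLook :filefind
output lines and applies a simple location-based triage rule (an assumption of
this script) so a helper sees the hits outside the OS directories first."""
import re

# One filefind hit: <path> <attrs> <size> bytes [<ts1>] [<ts2>] <md5>
# The two bracketed timestamps are kept in the order SystemLook prints them.
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+)\s+bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Directories treated as OS-owned for triage (assumption; lower-case, doubled
# backslashes because a raw string cannot end in a backslash).
TRUSTED_DIRS = ("\\windows\\winsxs\\", "\\windows\\system32\\")

# Hit lines copied from the SystemLook log in post #4 of this thread.
SAMPLE_LOG = r"""========== filefind ==========

Searching for "*srv.exe"
E:\Program Files\Cameo\bsetrootSrv.exe --a--- 57344 bytes [21:26 08/08/2010] [13:31 09/08/2010] 83F5A64A268F21C7C6D6DD54CE8A88C2
E:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7600.16385_none_0fd180464a231384\plasrv.exe --a--- 9216 bytes [23:31 13/07/2009] [01:39 14/07/2009] B1B85A3B631E2CC1B5F0FC5BE06AAFE1
E:\Windows\winsxs\amd64_microsoft-windows-securestartup-service_31bf3856ad364e35_6.1.7600.16385_none_c09aa5b3bec88beb\BdeUISrv.exe --a--- 48640 bytes [23:22 13/07/2009] [01:38 14/07/2009] 1DA6B19BE5D4949C868A264BC5E74206
E:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7600.16385_none_40a54b0d12b542e8\qappsrv.exe --a--- 23040 bytes [00:17 14/07/2009] [01:39 14/07/2009] 7DF67AEC622671AF4CD641BDBFE94342
E:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7600.16385_none_1548f4bc3949a69a\WmiApSrv.exe --a--- 203264 bytes [23:47 13/07/2009] [01:39 14/07/2009] 38B84C94C5A8AF291ADFEA478AE54F93

-=End Of File=-"""


def parse_filefind(log_text: str) -> list:
    """Return one dict per hit line; header, blank and footer lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        hits.append(rec)
    return hits


def review_candidates(hits: list) -> list:
    """Hits whose path is not under one of the trusted OS directories.
    Location is only a first filter; the helper still judges each file."""
    return [h for h in hits
            if not any(t in h["path"].lower() for t in TRUSTED_DIRS)]


if __name__ == "__main__":
    records = parse_filefind(SAMPLE_LOG)
    print(f"{len(records)} hits parsed")
    for rec in review_candidates(records):
        print("review:", rec["path"], rec["size"], "bytes", rec["md5"])
```

    Run against this log the rule leaves the four winsxs copies alone and surfaces only the Cameo file, which is the one the next post reports Malwarebytes had flagged.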

  5. #5

    E:\Program Files\Cameo\bsetrootSrv.exe, among other files in the same folder, was flagged as Trojan.Zbot by Malwarebytes in a scan I did last night.
    I should probably also add that Cameo is a shell replacement that I've been using for a long time, so when I installed Windows I grabbed Cameo from another partition, which means this thing might have been around for a while.

  6. #6

    I chose the lesser of two evils, namely to format the sucker. Virus free now.
    Thx for the effort.
    Hopefully I won't be back here for a while.
    I request that you close this thread.

  7. #7

    Hi.

    Alright, glad all is well. Cameo got infected with the new infection.

    I was looking forward to removing this malware. A format wasn't really necessary; I could have cleaned it without data loss, but that is alright.

  8. #8

    Okay, this is starting to do my head in. It's back! Even after formatting, the damn desktoplayer.exe has returned.
    The first thing I did after installing Windows was to get MS Security Essentials, and yesterday everything seemed fine, but tonight Essentials went bananas, claiming that large numbers of files were infected with VBS/Ramnit.B or Win32/Ramnit.A. A SUPERAntiSpyware scan showed the return of desktoplayer.exe.

    These are some persistent SOBs! Seems I need your help after all.

  9. #9

    Hi.

    Let's start over. What all did you do before you were infected after the fresh install? Did you use backed-up data? If so, your backed-up data needs cleaning as well.

    Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in

      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\*.sys
      %systemroot%\system32\drivers\*.dll
      %systemroot%\system32\drivers\*.ini
      %systemroot%\system32\drivers\*.exe
      %SYSTEMDRIVE%\*.*
      %PROGRAMFILES%\*.
      %appdata%\*.*
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      disk.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      usbstor.sys
      /md5stop
      CREATERESTOREPOINT
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.

    Note: in the event that OTL fails to run, please use alternate download links to try again:

    http://oldtimer.geekstogo.com/OTL.com
    http://oldtimer.geekstogo.com/OTL.scr
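    The /md5start ... /md5stop block of the custom scan above makes OTL print the MD5 of each named system file for the helper to inspect by eye. The added Python example below (not code from the thread or from OTL) goes one step further than the scan itself: it pulls the file list out of a scan block, hashes each name in the directories you specify, and compares the results against a baseline of acceptable hashes, reporting matches, mismatches and missing files. The search directories, the baseline values and the files in the demo are all constructed for the example, not real Windows 7 hashes.

```python
"""Added example, not from the thread or OTL. Assumptions: the directories to
search are passed in (OTL looks in the system folders itself); the baseline
is a dict you maintain from known-good installs; demo files and hashes below
are constructed for illustration."""
import hashlib
import os
import tempfile


def md5_of(path: str) -> str:
    """Upper-case hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def md5_targets(scan_text: str) -> list:
    """File names listed between /md5start and /md5stop in an OTL custom-scan
    block, in order; everything outside the markers is ignored."""
    names, inside = [], False
    for line in scan_text.splitlines():
        token = line.strip()
        if token.lower() == "/md5start":
            inside = True
        elif token.lower() == "/md5stop":
            inside = False
        elif inside and token:
            names.append(token)
    return names


def hash_targets(names: list, search_dirs: list) -> dict:
    """name -> list of (path, md5) for every directory in which the name exists.
    A name can legitimately live in more than one place (system32 and drivers)."""
    found = {}
    for name in names:
        found[name] = []
        for d in search_dirs:
            p = os.path.join(d, name)
            if os.path.isfile(p):
                found[name].append((p, md5_of(p)))
    return found


def compare_to_baseline(found: dict, baseline: dict) -> dict:
    """baseline: name -> set of acceptable MD5s. Returns ok (paths whose hash is
    in the baseline), mismatch ((path, md5) pairs that are not) and missing
    (names not found anywhere). A mismatch is a review item, not a verdict:
    a service pack or hotfix also changes these hashes."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for name, hits in found.items():
        if not hits:
            report["missing"].append(name)
            continue
        for path, digest in hits:
            if digest in baseline.get(name, set()):
                report["ok"].append(path)
            else:
                report["mismatch"].append((path, digest))
    return report


# Constructed excerpt in the shape of the custom scan above (two names only).
SCAN_EXCERPT = """netsvcs
/md5start
eventlog.dll
atapi.sys
/md5stop
CREATERESTOREPOINT"""

# Constructed baseline: the "known-good" hash for each name.
DEMO_BASELINE = {
    "eventlog.dll": {hashlib.md5(b"eventlog-known-good").hexdigest().upper()},
    "atapi.sys": {hashlib.md5(b"atapi-known-good").hexdigest().upper()},
}


def make_demo_dirs() -> list:
    """Constructed system32/drivers pair: eventlog.dll matches the baseline,
    atapi.sys has been altered so it does not."""
    root = tempfile.mkdtemp(prefix="md5_demo_")
    sys32 = os.path.join(root, "system32")
    drivers = os.path.join(sys32, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(sys32, "eventlog.dll"), "wb") as f:
        f.write(b"eventlog-known-good")
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(b"atapi-modified")
    return [sys32, drivers]


def run_demo() -> dict:
    dirs = make_demo_dirs()
    return compare_to_baseline(hash_targets(md5_targets(SCAN_EXCERPT), dirs), DEMO_BASELINE)


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(key, items)
```

    On a real system the baseline would come from hashing the same files on a clean install of the same build, and the search directories would be %systemroot%\system32 and %systemroot%\system32\drivers; the report then tells the helper which of the listed files differ from that build.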

  10. #10

    Well, I have 5 partitions: C, D, E, F, and G. C and E both had Windows 7 on them before and were both infected with desktoplayer. Both were formatted and I am now running Windows from drive C while E stands empty. However, D, F, and G all have a bunch of video files, and the latter 2 I also use for installing games. In addition, F and G also have download folders, i.e. where I place all my inbound junk. I guess it's quite possible that infections might stem from there.

    I'm attaching the files as before.
