Files are filling up my computer!

Status
Not open for further replies.

Ljtw

One of my computers (Computer 1) has hundreds and hundreds of files in c:\documents and settings\Lisa\local settings\application data\microsoft\msn\db30\mail... Also, my sent messages on msn saved to my computer each appeared 4 times, I have deleted all of my messages. I have hardly any memory left. In addition, when I return to my computer after leaving it idle for a while, it seems to have rebooted and McAfee needs to reload and it keeps trying to reinstall Microsoft Word 2002.

On my other computer (Computer 2), I get messages saying that the computer does not recognize a file that is trying to run (something about a download helper).

The two computers are networked, TiVo is also hooked up. TiVo appears to be working fine.

I went through all the steps listed in: Viruses/Spyware/Malware, preliminary removal instructions, for both computers. There were some things that appeared in some of the removal programs, including Coulomb Dialer on both computers and Win32 Trojan Downloader on Computer 2. Hopefully this takes care of most of the problems. But the files are still there. What do I do next? Attached are the logs and reports from HijackThis and AVG.

I would greatly appreciate any help you could give me! Thank you in advance.
 
Hello and welcome to Techspot.

Computer 1.

Delete all files in AVG Antispyware quarantine.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)

O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

O16 - DPF: {1EC3FCEC-2C86-44F5-8B18-C4A4A08DF484} (ROVAUpdate Class) - http://rova.worldnet.ml.com/rovacompany/ml/updates/rovaup2-3-161e1.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_4.cab

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab

O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - https://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB

O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab

Click on the fix checked button.

Close HJT and reboot your system.

Other than the above, computer 1 is clean.

Computer 2.

Delete all files in AVG Antispyware quarantine.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

Viewpoint
Viewpoint Manager

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ViewMgr.exe
PowerReg Scheduler V3.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: RemindU - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm

O9 - Extra button: Verizon Central - {5B3FB261-CF72-4c66-B314-8E6FF9980307} - www.verizon.net (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)

O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (HKCU)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\Viewpoint <- Delete the entire folder.
PowerReg Scheduler V3.exe <- Search your system for this file and delete all instances found.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log from both computers

Regards Howard :wave: :wave:

This thread is for the use of Ljtw only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
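The HJT lines above are read from a handful of well-known registry locations. The following is an added example, not code from the TechSpot thread or from HijackThis, that audits those same locations from PowerShell so the O2 (BHO), O4 (Run key / Startup folder), O9 (Internet Explorer button / Tools menu) and O16 (Downloaded Program Files, i.e. installed ActiveX) entries can be reviewed without the tool. The key paths are the standard Windows ones; the script is read-only and deletes nothing.

```powershell
# Added example; not code from the TechSpot thread or from HijackThis.
# Read-only audit of the registry locations behind HJT's O2/O4/O9/O16 lines.

$findings = New-Object System.Collections.Generic.List[object]
$psProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Add-Finding([string]$Kind, [string]$Name, [string]$Target, [string]$Where) {
    # Reproduce HJT's "(file missing)" flag: take the first exe/dll path in the
    # target, expand %windir%-style variables and test whether it exists.
    $note = ''
    if ($Target -match '^"?([^"]+?\.(exe|dll|ocx|cpl|scr))\b') {
        $file = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (-not (Test-Path -LiteralPath $file)) { $note = '(file missing)' }
    }
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Target = $Target; Note = $note; Where = $Where })
}

function Resolve-Clsid([string]$Clsid) {
    # Map a CLSID to its friendly name and the DLL registered as its in-process server.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key    = "$root\$Clsid"
        $server = (Get-ItemProperty -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server) {
            return @{ Name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'; Server = $server }
        }
    }
    return @{ Name = $null; Server = $null }
}

# O2: Browser Helper Objects are registered by CLSID; the DLL comes from InprocServer32.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $bho = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    foreach ($sub in (Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue)) {
        $r    = Resolve-Clsid $sub.PSChildName
        $name = if ($r.Name) { $r.Name } else { '(no name)' }
        Add-Finding 'O2 BHO' $name "$($sub.PSChildName) - $($r.Server)" $bho
    }
}

# O4: every value under the Run/RunOnce keys, plus the files in both Startup folders.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $props.PSObject.Properties) {
        if ($psProps -contains $v.Name) { continue }
        Add-Finding 'O4 Run' $v.Name ([string]$v.Value) $key
    }
}
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($f in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        Add-Finding 'O4 Startup' $f.Name $f.FullName $dir
    }
}

# O9: IE toolbar buttons and Tools-menu items, one subkey per GUID.
foreach ($root in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $ext = "$root\Microsoft\Internet Explorer\Extensions"
    foreach ($sub in (Get-ChildItem -LiteralPath $ext -ErrorAction SilentlyContinue)) {
        $p     = Get-ItemProperty -LiteralPath $sub.PSPath
        $label = if ($p.ButtonText) { $p.ButtonText } elseif ($p.MenuText) { $p.MenuText } else { '(no name)' }
        $target = ''
        if ($p.Exec) { $target = $p.Exec }
        elseif ($p.Script) { $target = $p.Script }
        elseif ($p.ClsidExtension) { $target = (Resolve-Clsid ([string]$p.ClsidExtension)).Server }
        Add-Finding 'O9 IE ext' $label "$($sub.PSChildName) - $target" $ext
    }
}

# O16: Downloaded Program Files; CODEBASE is the URL the .cab was installed from.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $du = "$root\Microsoft\Code Store Database\Distribution Units"
    foreach ($sub in (Get-ChildItem -LiteralPath $du -ErrorAction SilentlyContinue)) {
        $codebase = (Get-ItemProperty -LiteralPath "$($sub.PSPath)\DownloadInformation" -ErrorAction SilentlyContinue).CODEBASE
        $r     = Resolve-Clsid $sub.PSChildName
        $label = if ($r.Name) { "$($sub.PSChildName) ($($r.Name))" } else { $sub.PSChildName }
        Add-Finding 'O16 DPF' $label ([string]$codebase) $du
    }
}

$findings | Sort-Object Kind, Name | Format-Table Kind, Name, Target, Note -AutoSize -Wrap
```

Entries flagged `(file missing)` or O16 codebases on domains you do not recognise are the same candidates for removal that HJT would show; the `Where` column tells you which key to open in regedit to remove one by hand.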
 
Howard,

On Computer 1, I did everything you listed, except for removing this:

O16 - DPF: {1EC3FCEC-2C86-44F5-8B18-C4A4A08DF484} (ROVAUpdate Class) - http://rova.worldnet.ml.com/rovacomp...p2-3-161e1.cab

ROVA is the program we use to connect to work from this computer. I was afraid removing it would interfere with that. Should I still remove it?

As for the hundreds and hundreds (make that hundreds of thousands) of files in the location stated in my initial message, I tried removing them, but the computer freezes if I try to remove more than maybe a dozen at a time. I have removed around 500 so far, only 146,148 to go. There appears to be at least 60 copies of each file now. Any suggestions?

On Computer 2, I did everything, but I could not find (I think the following, it was one of the O9 ones):

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

There was no folder for C:\Program Files\Viewpoint.
I found several references to PowerReg Scheduler V3.exe in a search, but not the file itself.

I have attached new HJT logs for both computers.

How do I protect my computers from this happening again? I've been running McAfee virus and firewall.

Thank you so much, I truly appreciate your help.
 
Computer 1

It looks like you may have a lop infection.

Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/...pmod;dl=item16

First close any other programs you have running, as this will require a reboot.
Double click NoLop.exe to run it.
Now click the button labelled "Search and Destroy".
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected. Click OK.
Now click the "REBOOT" Button.
A Message should popup from NoLop.
If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HJT log.

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.-- http://www.boletrice.com/downloads/mscomctl.ocx

Computer 2.

The HJT log is clean.

Regards Howard :)

This thread is for the use of Ljtw only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I downloaded and ran the program from the first website. No lop infection was found. I've attached the log below. In looking at the log, I noticed there is a folder for Viewpoint. Should I do the instructions you gave me for Computer 2?

I also ran AVG again. One of the files I had previously deleted through AVG was on my computer. I deleted it again. Attached is a new report for Computer 1.

On computer 1, I've noticed that about every 15 minutes, something is trying to access my computer for about 2 minutes. I've attached a copy of one of those two minute periods from the inbound report for McAfee firewall. I've added this IP address to my banned list.

Attached is a new HJT log from computer 1.

Once again, thank you so much.

Lisa
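The "every 15 minutes for about two minutes" pattern in the inbound report is what an automated scanner or beacon looks like in a firewall log: hits from one source arrive in short bursts that recur on a fixed schedule. The following is an added example, not code from the thread and not McAfee's log format (which the thread does not show), that parses inbound-block lines, collapses each source's hits into bursts and flags sources whose burst spacing is regular. The `$sampleLog` lines are constructed for the example using TEST-NET addresses, and the regex matches that constructed layout; adapt it to the real export.

```powershell
# Added example; not from the thread and not McAfee's format.
# Flag sources whose inbound hits recur at a regular interval.

# Constructed sample; documentation-range addresses, not real traffic.
$sampleLog = @'
2007-04-02 08:00:03 Inbound 203.0.113.45:3410 -> 192.168.1.10:135 TCP Blocked
2007-04-02 08:00:40 Inbound 203.0.113.45:3411 -> 192.168.1.10:445 TCP Blocked
2007-04-02 08:01:55 Inbound 203.0.113.45:3412 -> 192.168.1.10:139 TCP Blocked
2007-04-02 08:03:17 Inbound 198.51.100.7:52113 -> 192.168.1.10:1026 UDP Blocked
2007-04-02 08:15:02 Inbound 203.0.113.45:3590 -> 192.168.1.10:135 TCP Blocked
2007-04-02 08:16:10 Inbound 203.0.113.45:3591 -> 192.168.1.10:445 TCP Blocked
2007-04-02 08:21:44 Inbound 198.51.100.7:52114 -> 192.168.1.10:1027 UDP Blocked
2007-04-02 08:28:02 Inbound 198.51.100.7:52115 -> 192.168.1.10:1026 UDP Blocked
2007-04-02 08:30:05 Inbound 203.0.113.45:3722 -> 192.168.1.10:135 TCP Blocked
2007-04-02 08:31:30 Inbound 203.0.113.45:3723 -> 192.168.1.10:445 TCP Blocked
2007-04-02 08:45:01 Inbound 203.0.113.45:3901 -> 192.168.1.10:135 TCP Blocked
'@

function Get-PeriodicSources {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$BurstGapSeconds = 300,   # quiet time that separates two bursts
        [double]$MaxJitter = 0.15      # stddev/mean of burst spacing below which it counts as periodic
    )
    # Parse the constructed layout: "<date> <time> Inbound <src>:<port> -> <dst>:<port> ..."
    $events = foreach ($line in $Lines) {
        if ($line -match '^(\S+ \S+) Inbound (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)') {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
                Src  = $Matches[2]
                Port = [int]$Matches[3]
            }
        }
    }
    foreach ($g in ($events | Group-Object Src)) {
        $times = $g.Group | Sort-Object Time | Select-Object -ExpandProperty Time
        # Collapse consecutive hits into bursts: a new burst starts after a quiet gap.
        $bursts = @(); $last = $null
        foreach ($t in $times) {
            if ($null -eq $last -or ($t - $last).TotalSeconds -gt $BurstGapSeconds) { $bursts += $t }
            $last = $t
        }
        if ($bursts.Count -lt 3) { continue }   # need at least two intervals to judge regularity
        $gaps   = for ($i = 1; $i -lt $bursts.Count; $i++) { ($bursts[$i] - $bursts[$i - 1]).TotalMinutes }
        $mean   = ($gaps | Measure-Object -Average).Average
        $var    = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $jitter = [math]::Sqrt($var) / $mean
        [pscustomobject]@{
            Source      = $g.Name
            Bursts      = $bursts.Count
            IntervalMin = [math]::Round($mean, 1)
            Jitter      = [math]::Round($jitter, 2)
            Periodic    = ($jitter -le $MaxJitter)
            Ports       = (($g.Group | Select-Object -ExpandProperty Port | Sort-Object -Unique) -join ',')
        }
    }
}

Get-PeriodicSources -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Real export: Get-PeriodicSources -Lines (Get-Content .\inbound.log)
```

On the constructed sample, 203.0.113.45 comes out as four bursts about 15 minutes apart against 135/139/445 and is flagged periodic, while 198.51.100.7's three irregular visits are not. Every sample line is "Blocked", which is the point worth checking in a real report: a regular scanner that the firewall is dropping is noise, and banning one address (as in the post) stops only that one source.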
 
I can see no evidence in your HJT log of Viewpoint. However, you should check in add remove programmes in your control panel and uninstall anything to do with Viewpoint if there.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

GUpload.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [GUpload] C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Cm\GRAS301\GUpload.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having problems with computer 1.

Regards Howard :)

This thread is for the use of Ljtw only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I did the above. There was a viewpoint player (?). I have attached a new HJT log.

I am still getting the same things on my inbound reports.

Since I didn't have a lop infection, what may be causing the files to replicate? Did any of the above fix that problem?

Thanks again!
 
Your HJT log is clean and I can see no sign of any infection.

I can't account for the number of files that are accumulating at this stage.

Is your computer still rebooting on its own? Even if it's not, I'd like you to post 5 or 6 of your latest minidumps from the following directory, if there are any.

C:\windows\minidump

Regards Howard :)

This thread is for the use of Ljtw only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
There do not appear to be anymore files accumulating in that location. I just can't help feeling like there are more duplicate files elsewhere. I have 144GB on this computer with only 31.03 GB free or 21% free. Before I removed almost all of those files, I had only about 10% free. Now I know I probably have more programs and possibly saved files on this computer, but my other computer (2), has only 37.24 GB with 16.53 GB free, or 44%. Is there any location you would suggest looking?

It has not rebooted on its own since you've begun helping me. But I also have not let the machine sit idle without turning it off, or locking it down with McAfee.

There are no files in c:\windows\minidump.

I'm glad the HJT logs on both computers are clean. I really can't thank you enough.
 
Download and run the Cleaner programme as per these instructions. Do this on both computers. This should help you to get rid of a lot of useless crap.

Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Click the run cleaner button with no browsers open. Do this several times.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of Ljtw only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
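The two practical problems in this exchange are finding which directories are eating the disk and emptying a directory that has grown to six-figure file counts without Explorer freezing on the selection. The following is an added example, not code from the thread, with one helper for each. The MSN `db30\mail` path in the usage lines is the one reported in the thread (on XP it lives under `Local Settings\Application Data`); the other paths are examples.

```powershell
# Added example; not code from the TechSpot thread.
# Where did the disk go, and how to empty a runaway directory from the shell.

function Get-DirectoryLoad {
    param([Parameter(Mandatory)][string]$Root, [int]$Top = 15)
    # Walk every file once (hidden and system included), attribute it to its
    # parent directory and list the directories with the most files and bytes.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Group-Object DirectoryName |
        ForEach-Object {
            [pscustomobject]@{
                Directory = $_.Name
                Files     = $_.Count
                MB        = [math]::Round((($_.Group | Measure-Object Length -Sum).Sum) / 1MB, 1)
            }
        } |
        Sort-Object Files -Descending |
        Select-Object -First $Top
}

function Remove-FilesSafely {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [string]$Filter = '*',
        [datetime]$OlderThan = (Get-Date),   # default: everything; pass (Get-Date).AddDays(-1) to keep today's files
        [switch]$WhatIf
    )
    # Delete one file at a time so a locked or in-use file is reported and
    # skipped instead of aborting the whole run; print progress every 1000.
    $done = 0; $failed = 0
    Get-ChildItem -LiteralPath $Directory -File -Force -Filter $Filter -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $OlderThan } |
        ForEach-Object {
            $file = $_
            try {
                Remove-Item -LiteralPath $file.FullName -Force -WhatIf:$WhatIf -ErrorAction Stop
                $done++
            } catch {
                $failed++
                Write-Warning "Skipped $($file.FullName): $($_.Exception.Message)"
            }
            if (($done + $failed) % 1000 -eq 0) { Write-Host "$done removed, $failed skipped ..." }
        }
    # Under -WhatIf nothing is removed; Done then counts the files that would be.
    [pscustomobject]@{ Directory = $Directory; Done = $done; Skipped = $failed }
}

# Usage (run as the owner of the profile; read the -WhatIf listing before deleting):
#   Get-PSDrive -PSProvider FileSystem | Select-Object Name, Used, Free
#   Get-DirectoryLoad -Root "$env:USERPROFILE" -Top 10
#   Remove-FilesSafely -Directory "$env:USERPROFILE\Local Settings\Application Data\Microsoft\MSN\db30\mail" -WhatIf
```

Run `Get-DirectoryLoad` against the profile root first: it answers the "is there any location you would suggest looking?" question with numbers rather than guesses, and a directory that shows up with tens of thousands of near-identical files is the one to empty, after `-WhatIf` shows nothing you still need.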
 
Howard,

More files with different names are back today but in one folder up. C:\documents and settings\Lisa\local settings\application data\microsoft\msn\db30\. I ran McAfee virus scan and it found a trojan: Downloader-BAI.gen

I quarantined it.

What steps should I take?
Do I need to disable system restore in order to remove this?

Attached is a new HJT log.

Thanks again.
 
Your HJT log is clean.

Please do the following on both computers.

Delete the trojan file in McAfee quarantine.

Download and run the McAfee Avert stinger. Make sure it`s fully updated and let it fix whatever it finds.

Download and run the Blacklight programme. follow all the instructions carefully.

Let me know the results.

Regards Howard :)

This thread is for the use of Ljtw only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I thought I posted yesterday, but I don't see it here, so I will try again.

I did all of the above, they found nothing. I also ran McAfee virus scan on computer 2 and it found Downloader-BAI.gen on it as well. I deleted it.

Even after deleting this, both of my computers are having additional files on them, all seem to be related to my e-mail.

Also, on computer 2, when I downloaded those programs, MSN11.downloaderhost appeared. I cancelled the action.

What should I do next?

Thanks, Lisa
 
What you have is the Win32/Luder.L worm, this is not good at all. See HERE and HERE for more info.

The worm will have caused a great deal of damage, as well as dropping more malware onto your systems.

I think you should seriously consider backing up your important data and reformatting, as I have no way to help you get rid of this destructive infection.

Regards Howard :(

This thread is for the use of Ljtw only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 