BleepingComputer.com: Iloveher.exe Problem

hello.. im just new here, so i guess i'll just go straight to the point..

someone inserted a flashdisk on my pc, and my mcafee detected something like a script trying to edit my registry, but before i could choose the block option, the thing's already there, and when i blocked it mcafee cant remove it anymore..

now the thing i was talking about is this flashing "say no to drugs!!!" in the middle of my screen.thing it does is it disables the task manager..i dunno what else but thats the first thing i noticed.

i also have an avg and avg anti spyware installed aside from mcafee, the problem is they cant detect it as a virus or something.. i opened my avg anti spyware and checked the analysis, like a task manager, and saw the iloveher.exe.. i was able to find it in the prefetch folder in windows,and its a pf file.i was able to delete it from the prefetch folder or terminate it from the avg antispyware..but whenever i click my hard drives,both of them, it comes back again...

a friend recommended combofix, since all of my antivirus software didnt worked, i tried it.. at first it worked.. but when i restarted my computer, its back again..

im using a 40g HD for my softwares and a 80g HD for my file storage.. i just reformatted both of them, reinstalled windows, but its still there.. so i think its in my files. the problem is, my files are too important for me to delete it, thats why im trying to find a way to manually remove it...

thats all that i can think of right now. im too tired cuz ive been trying to fix it for the second night now..

if u have any questions that may relate or may help with this matter pls do so. or if theres something that i missed telling pls tell me..

and all the help that i could get i would gladly appreciate it..

tnx for now guys..

Post a Hijack This Log in the Hijack This Forum by following the directions in the link below. DO NOT post a log in this forum. http://www.bleepingcomputer.com/forums/topic34773.html

Go to Start > Run and type: cmd
press Ok
At the command prompt, copy/paste:

cd \
dir /as /ah >>"C:\Output.txt"

press Enter.
A text file named output.txt will be saved in the root directory (C:\Output.txt).
Open the text file, copy and paste the contents into your next reply.

sir buddy, sorry if i posted in the wrong place, like i said, im only new here.. hope u understand..

sir quietman7, heres the result of what you've told me to do.. also tried it on my d drive, ill post it also..

Volume in drive C has no label.
Volume Serial Number is 471E-9EB1

Directory of C:\

10/23/2007 04:56 AM 211 boot.ini
10/24/2007 07:17 PM 1,073,270,784 hiberfil.sys
03/15/2007 04:16 AM 36,864 Iloveher.exe
10/23/2007 05:09 AM 0 IO.SYS
10/23/2007 05:09 AM 0 MSDOS.SYS
08/03/2004 07:38 PM 47,564 NTDETECT.COM
08/03/2004 07:59 PM 250,032 ntldr
10/24/2007 07:17 PM 1,610,612,736 pagefile.sys
10/24/2007 12:49 AM <DIR> RECYCLER
10/23/2007 05:15 AM <DIR> System Volume Information
10/24/2007 01:30 AM <DIR> Recycled
8 File(s) 2,684,218,191 bytes
3 Dir(s) 35,169,140,736 bytes free


heres for the d drive..

Volume in drive D has no label.
Volume Serial Number is 471D-6275

Directory of D:\

03/15/2007 04:16 AM 36,864 Iloveher.exe
10/23/2007 02:55 AM <DIR> System Volume Information
10/24/2007 07:47 PM 39 autorun.inf
10/23/2007 03:37 AM <DIR> Recycled
2 File(s) 36,903 bytes
2 Dir(s) 49,092,165,632 bytes free


thats it sir! hope to hear from you soon... tnx for now...

I can't find any info on Iloveher.exe so do this:

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of Iloveher.exe and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

I also want you to do this:

Go to Start > Run and type: regedit
Press "OK" and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane you should see the default entries:
Shell = Explorer.exe
Userinit = C:\WINDOWS\system32\userinit.exe,

Post back and let me know if thats correct.

yeah sir the shell and userinit registries are correct...

i just finished the online scan that u told me to do... these are the results...

Last file scanned at least one scanner reported something about: WinImage.v8.10.8100.Incl.Keygen-TSZ.zip (MD5: 849befb932ce5ba22bcb485901e8b170, size: 11930 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control Harnig.gen1
Panda Antivirus X
Rising Antivirus X
Sophos Antivirus Mal/Packer
VirusBuster X
VBA32 X

but it said there that "You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives. We are not affiliated with any third parties that conduct tests using this service." so im not sure if its real...

i tried downloading sophos but macafee blocked it and said its infected.. in norman site i cant find the donwload link..

one thing i noticed that the (virus?)'s doing aside from disabling task manager is it also disables the folder option, both in explorer tools and in control panel..

i really am thanking you sir for giving time to this problem of mine... tnx for now again...

Some infections are often responsible for registry alterations and accompanied by other types of malware files which need to be identified, then removed. Its time to have a deeper look as to what's causing your problems by creating and posting a hijackthis log.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

If HijackThis will not run, try renaming it. Open the HijackThis Folder, right-click on the HijackThis.exe file and rename it Scanner.exe. Double-click on Scanner.exe (which is still HijackThis) and then run your scan. If needed, change the .exe to something else such as .bat, .com, .pif, or .scr. Example: Scanner.bat or Scanner.com

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.