Full Version: May17_loader, Apropo(s).D
C-Girl
I'll explain -

About 3 weeks ago I went onto a lyric site to get some song words, I got LOADS of popups and couldn't close them, then ZoneAlarm kept on coming up 'Do you want MAY17_LOADER.EXE to access the internet?'

Since that time I haven't been able to open Windows Media Player, and I have had the following files which, once I delete them, come back:

may17_loader.exe
isinstall_logix.exe
adstartup.exe
adloader.exe
adupdater.exe
admanager.xml
data.xml
IEENHANCER.dll

And maybe one or two more. Every time I scanned with AVG it wouldn't find it, even when it was fully updated. I downloaded Spy Sweeper, and it found it, but said a file similar to a0035860.cpy couldn't be deleted so would be deleted upon restart, and I always got that message.

I downloaded the new AVG update which was released today and it found May_17loader.exe, and also the infected .cpy files. It put May_17loader.exe in the virus vault, but whenever it came to moving the .cpy ones, it just came up cannot be removed. I was getting loads of popups from this so I downloaded StopZilla, which listed WMplayer as a parasite. Now what REALLY freaked me out was I got disconnected from my internet, then looked to find my WMPlayer icon had turned into a US flag.

This has caused me a lot of trouble o_O If you need any more information, please ask. Here are some pictures below of what has been happening, and the colours are a bit dodgy in some, they were saved in Paint xD






(The non-infected results in between the ones where viruses were detected are ones that I cancelled, and the date may be a bit messed up because I was trying to time-forward something in my game Petz xD)



Please, please help ;_;

PS - 3 days ago, I was a member here for one year! yey xD
XtremeMaC
ok first go to msconfig and clear the startup items
and look at start menu "start up" folder
and remove the suspicious looking files
then use at least 2 spyware programs to remove the spyware
update all of them (I usually use 3-4 of them to make sure..(for my friends who complain about spyware))
anyways after u complete this run a virus check and
if that fails manually remove the files
some recent files I have discovered were in program files dir check there
and i'm sure there are many other suspicious looking files all over the hdd. there are not so many places they can be
anyways
1. clear startup items (msconfig + start menu)
2. run spyware
3. run anti-virus
then u should be okay!
if the antivirus complains about the virus not being removed manually delete it.. if it says "cannot delete" check your taskmanager and see if that file is working.

then since some files are in your _restore folder for once go to system properties and disable the "system restore" u can get it back up after u clear your virus/etc...
C-Girl
Thanks so much for your reply, but I've tried everything you've said several times already. I can't find the _restore folder, and I've enabled the viewing of hidden folders and it's just not there. I've searched for the infected file names on my computer and it says it can't find them. I've just used HijackThis to remove some files. I have SpySweeper, ZoneAlarm, Spybot, AVG, I've scanned with the 3 several times, SpySweeper says the files will be removed on reboot and AVG just comes up '"Blah" cannot be removed'.

This apropos virus is just meant to cause popups, but it's infected Windows Media Player also and its file icon o.O I've deleted the apropos files countless times and my computer keeps locking up and freezing.

_nothing_ is working o_O
XtremeMaC
hmm
i'm sure someone else will reply but
install ultravnc put a password, and let me have a look at your comp?
u can cut the connection whenever u want if u don't trust me...
C-Girl
I've no idea what the Ultravnc program is, but I'll look into it tomorrow, as I have to go soon, I'm tired and It's really late xD

I do have my HijackThis log file though:

Logfile of HijackThis v1.97.7
Scan saved at 01:38:14, on 13/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOGITRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lesley.proboards21.com/index.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHA~1.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKLM\..\RunOnce: [SpySweeper_BT01] "C:\Program Files\Webroot\Spy Sweeper\Bt01.exe" /SpySweeper_BT01
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8087.1669212963
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

Hope that can give you some idea of what's running etc.
BeenThereB4
Try this:

Click START & go to MY COMPUTER, right-click then click EXPLORE & click the WINDOWS folder then click SYSTEM 32 folder then find the following below & delete it. Just delete ADStartUP.exe, all the file names listed below (delete AdUpdater.exe, adupmanager.xml, data.xml, IEEnhancer.dll) & not the full links here. Also u might not be able to delete ADStartUP.exe right away but follow the instructions here below on the registry edit & u can go back & delete the ADStartUP.exe & the rest:
%Windir%\System32\ADStartUP.exe
%Windir%\System32\AdUpdater.exe
%Windir%\System32\adupdmanager.xml
%Windir%\System32\data.xml
%Windir%\System32\IEEnhancer.dll

After deleting these files from your system you will need to delete a registry entry:


Click the "Start" button on the taskbar

Click "Run..."

Type "regedit" and click the "OK" button

Click the "Start" button on the taskbar

Open the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key

Right-click "Adstartup" and click "Delete"
DarkPhoenix
I don't think it has been suggested yet, so here's my suggestion as to how to remove viruses.. first, do like what has been told earlier, disable system restore (for the duration of this process anyway) and restart the computer in safe mode and then run the virus scan there. That's what I always do, and it usually kills everything, cause nothing gets loaded there but critical windows files, so unless the virus has had a chance at those (something which should not really be a possibility with WFP) it should get removed. Try it anyway, works for me.
C-Girl
I'll just have to have a go at it on safe mode, and BeenThereB4, I found something similar to what you suggested on google and it didn't work.

Thanks very much everyone, wish me luck! ^^,


EDIT:

Er... doh. Didn't work in safe mode >_<

XtremeMaC
I'd delete this:
C:\WINDOWS\LOADQM.EXE
did u follow the steps btw?
disable all startup items
disable system restore
and etc.. ???
C-Girl
I need loadqm, I've always had that file even before I've had the internet, either that or my computer has been doomed since day 1.

What do you mean disable system restore? If this virus wipes my computer I won't be able to restore, and I would have to get a brand new hard drive, and my dad would kill me. xD And I don't know how to anyway. And I've disabled the startup items that are to do with the virus, yes.
BeenThereB4
It is a system restore issue:

Antivirus Tools Cannot Clean Infected Files in the _Restore Folder

Follow the instructions for purging.
XtremeMaC
if it wipes your hdd u need to get a new hdd? why?
it doesn't kill your hdd, all u'd need is a format if the situation is that bad.
but I think it can be easily recovered from the virus and trojans.

ok from the link beenthereb4 provided I'd do this:
QUOTE
Manually Purge the Data Store
To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.
Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Performance tab.
Click File System, and then click the Troubleshooting tab.
Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.
Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.


since the restore folders are contaminated with the virus I believe u cannot really restore, even if u restore u'll be getting the virus back
so disable it
run the virus check.. again

for most of the viruses u don't really need to get a brand new anything, well maybe get a brand new OS? / anti-virus program

about loadqm I once thought u were using xp anyways if ME needs it that's cool
C-Girl
Thanks so much ^^, I'll disable the system restore and keep you updated.

EDIT:
The folder is messed up now, it says it only has 3 files, and I'm talking about the whole _restore folder, and I still have the american flag icon and can't open WMPlayer >_<.



EDIT (again xD, well, it's better than double posting):
Scanned and everything came up clear, still can't run WMP, so I'm rescanning just to make sure, and it also has that flag icon.
C-Girl
Oh this is really urgent now ;_; My computer locked up earlier and I restarted to find the adstartup.exe file was back >_<' And the only thing I found about the american flag issue was on a message board on newgrounds.com and the post wasn't even there!

Help ;_; And sorry for double posting.
Tarun
LoadQM is Msn Messenger related and can safely be disabled.

Even if you disable System Restore, you still can't delete the folder. Search these boards, I know there's a thread on how to actually remove/disable System Restore. I find SR totally useless, I use Goback, which is totally cool.

About LoadQM:
loadqm.exe -- Installed with MSN Explorer and MSN Messenger. Loads the MSN Queue Manager. Required to enable the WU AutoUpdate feature. Note that disabling this can sometimes prevent internet sharing working on Win2K Pro SP2. Reports also suggest that removing it will re-enable internet access - hence the "users choice" recommendation. If you have problems leave it, otherwise I recommend you disable it.



Note: I've disabled this with no problems and had system performance improve from removing this file from the Startup.
Tarun
Okay. I have you on my Aim so I can send you some files to help fix the problem. Even a System Restore Remover which is great freeware, and a few other helpful files.

If others want the System Restore Remover Pro file, I can post the URL.
Drewdatrip
C-Girl

I believe you have a version of the Cool Web Search trojan I have been removing all week at work.
Here's what you've got to do:
You're going to need a few tools
1. SmartKiller
2. CWShredder
3. HijackThis

Run those apps in order.

- The first will remove the auto trojan running in the background. It can disable apps from finding the trojan/adware and even corrupt the app you're using.
- Then run CWShredder, this will find all instances of the CWS and delete it. It may ask you to restart and run it again, if so, do it.
- Then run HijackThis. This app will show everything that is running in your start up, even hidden scripts etc.
It is a bit of an advanced tool however most everything that it finds can be disabled... just be wary of what you take out cause it can cause some errors on boot if u delete a critical boot file..


After all that I would recommend getting an app like Spybot Search and Destroy and running that to remove any remaining traces.


So far I have removed about 15 of these pesky little bastards at work...

|Drew|
C-Girl
Thank you Tarun and Drew.

I ran SmartKiller and CWShredder, both came up clear. I ran HijackThis again, and it came up with 2 registry BHOs without files. One went, and one, which I noticed last night, did not go, it is:
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

I think this may be what is behind the virus, I could look for it in the registry but I wouldn't know where to find it, and I have disabled system restore, and my computer comes up clear, yet I still have this flag.

Here is my HijackThis logfile.

Logfile of HijackThis v1.97.7
Scan saved at 22:59:20, on 13/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOGITRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOWLIGHT.EXE
C:\PROGRAM FILES\JASC SOFTWARE INC\PAINT SHOP PRO 8\PAINT SHOP PRO.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lesley.proboards21.com/index.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8087.1669212963
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

This scan says PSP8 was a running process, but at the time it was closed, could this be anything to do with the virus?
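
Added example (not part of the original thread): a short Python script that compares the two HijackThis logs posted above, lists which entries disappeared or appeared between the scans, and flags BHO registrations whose file is gone. The log excerpts and the file watchlist are copied from the posts; the function names and the 8.3 short-name matching heuristic are assumptions of this example.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread
# (scans saved at 01:38:14 and 22:59:20 on 13/06/2004).
SCAN_EARLY = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHA~1.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""
SCAN_LATE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
"""
# File names the original poster listed as coming back after deletion.
WATCHLIST = ["may17_loader.exe", "isinstall_logix.exe", "adstartup.exe",
             "adloader.exe", "adupdater.exe", "IEENHANCER.dll"]

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
BHO = re.compile(r"^BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
AUTORUN = re.compile(r"^(HK[A-Z]+\\\.\.\\\w+): \[(.+?)\] (.+)$")


def parse_entries(log):
    """Return (section, body) pairs for every 'Xn - ...' line in a log."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def diff_scans(old, new):
    """Entries that disappeared and entries that appeared between two scans."""
    old_e, new_e = parse_entries(old), parse_entries(new)
    removed = [e for e in old_e if e not in new_e]
    added = [e for e in new_e if e not in old_e]
    return removed, added


def orphaned_bhos(log):
    """CLSIDs of O2 entries whose DLL is gone but whose registry key remains."""
    hits = []
    for section, body in parse_entries(log):
        m = BHO.match(body) if section == "O2" else None
        if m and m.group(2) == "(no file)":
            hits.append(m.group(1))
    return hits


def same_file(path, long_name):
    """Compare a path's file name with a long name, allowing 8.3 short names
    such as IEENHA~1.DLL (heuristic: stem prefix before '~' plus extension)."""
    # Drop quotes, keep the last path component, cut trailing arguments.
    base = path.replace('"', "").split("\\")[-1].split(" ")[0].lower()
    want = long_name.lower()
    if "~" not in base:
        return base == want
    stem, _, ext = base.partition(".")
    w_stem, _, w_ext = want.rpartition(".")
    return w_stem.startswith(stem.split("~")[0]) and w_ext[:3] == ext


def watchlist_hits(log, watchlist=WATCHLIST):
    """(section, name, path) for BHO files and autorun commands on the watchlist."""
    hits = []
    for section, body in parse_entries(log):
        m = BHO.match(body) or AUTORUN.match(body)
        if not m:
            continue
        target = m.group(m.lastindex)  # last group: DLL path or command line
        hits += [(section, w, target) for w in watchlist if same_file(target, w)]
    return hits


if __name__ == "__main__":
    print("removed / added:", diff_scans(SCAN_EARLY, SCAN_LATE))
    print("orphaned BHOs:", orphaned_bhos(SCAN_LATE))
    print("watchlist hits (early scan):", watchlist_hits(SCAN_EARLY))
```

On these excerpts the Adstartup Run value and the IEENHA~1.DLL BHO are gone in the later scan, while the `(no file)` BHO is still registered.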
XtremeMaC
totally irrelevant but I want to tell u that u have too many processes running on your computer
I dunno how much ram u have but I can tell this much, they're slowing down your computer
C-Girl
My computer runs fine, everything loads quickly, usually when I kill something it comes back 10 mins later anyway.
Drewdatrip
QUOTE (XtremeMaC @ Jun 13 2004, 02:45 PM)
totally irrelevant but I want to tell u that u have too many processes running on your computer
I dunno how much ram u have but I can tell this much, they're slowing down your computer

He's right C
I'd get rid of nearly all those 'cept for the Windows based ones

|Drew|
Tarun
I went through a startup application list for her and removed about a paragraph's worth of items.
Jazz
Hmm if some file can't be deleted in windows then delete it in Dos, or Linux! use a bootable cd with ntfs (if ur partition is ntfs) and then try to clean it..

The only way i choose to clean out viruses is thru Linux or Dos.. If it still can't be cleaned then u gotta format before tha **** thing spreads

Hope it helps,
Bye,
Jazz
insanewondrland
original problem solved:

Hey i had this same problem, not necessarily with Windows Media Player. However, I know that Apropos is not a virus, it's adware that displays popups on your computer. It is very annoying. You can find how to remove it manually with step by step instructions here: http://www.kephyr.com/spywarescanner/libra...pos/index.phtml

You may find it necessary to uninstall it manually, because my spyware program said it would delete it on reboot, but it was still there when i performed a new sweep.

If problems persist with your Windows Media Player, then apropos is not related to it, and you may have other devices or viruses on your computer.