AlmondScar, posted June 12, 2004:

I'll explain. About 3 weeks ago I went onto a lyric site to get some song words. I got LOADS of popups and couldn't close them, then ZoneAlarm kept coming up with 'Do you want MAY17_LOADER.EXE to access the internet?' Since that time I haven't been able to open Windows Media Player, and I have had the following files which, once I delete them, come back:

may17_loader.exe
isinstall_logix.exe
adstartup.exe
adloader.exe
adupdater.exe
admanager.xml
data.xml
IEENHANCER.dll

And maybe one or two more. Every time I scanned with AVG it wouldn't find it, even when it was fully updated. I downloaded Spy Sweeper, and it found it, but said a file similar to a0035860.cpy couldn't be deleted so would be deleted upon restart, and I always got that message. I downloaded the new AVG update which was released today and it found May_17loader.exe, and also the infected .cpy files. It put May_17loader.exe in the virus vault, but whenever it came to moving the .cpy ones, it just came up with "cannot be removed". I was getting loads of popups from this so I downloaded StopZilla, which listed WMPlayer as a parasite. Now what REALLY freaked me out was I got disconnected from my internet, then looked to find my WMPlayer icon had turned into a US flag.

This has caused me a lot of trouble o_O If you need any more information, please ask. Here are some pictures below of what has been happening; the colours are a bit dodgy in some, they were saved in Paint xD (The non-infected results in between the ones where the virus was detected are ones that I cancelled, and the date may be a bit messed up because I was trying to time-forward something in my game Petz xD)

Please, please help ;_;

PS - 3 days ago, I was a member here for one year! yey xD
XtremeMaC, posted June 12, 2004:

OK, first go to msconfig and clear the startup items, and look at the Start Menu "Startup" folder and remove the suspicious-looking files. Then use at least 2 spyware programs to remove the spyware; update all of them (I usually use 3-4 of them to make sure, for my friends who complain about spyware). Anyway, after you complete this run a virus check, and if that fails manually remove the files. Some recent files I have discovered were in the Program Files dir, check there, and I'm sure there are many other suspicious-looking files all over the HDD. There are not so many places they can be anyway:

1. clear startup items (msconfig + Start Menu)
2. run spyware
3. run anti-virus

Then you should be okay! If the antivirus complains about the virus not being removed, manually delete it. If it says "cannot delete", check your Task Manager and see if that file is running. Then, since some files are in your _restore folder, for once go to System Properties and disable "System Restore"; you can get it back up after you clear your virus/etc...
AlmondScar, posted June 13, 2004:

Thanks so much for your reply, but I've tried everything you've said several times already. I can't find the _restore folder; I've enabled the viewing of hidden folders and it's just not there. I've searched for the infected file names on my computer and it says it can't find them. I've just used HijackThis to remove some files. I have Spy Sweeper, ZoneAlarm, Spybot, AVG; I've scanned with the 3 several times. Spy Sweeper says the files will be removed on reboot and AVG just comes up with "'Blah' cannot be removed". This Apropos virus is just meant to cause popups, but it's infected Windows Media Player also and its file icon o.O I've deleted the Apropos files countless times and my computer keeps locking up and freezing. _nothing_ is working o_O
XtremeMaC, posted June 13, 2004:

Hmm, I'm sure someone else will reply, but install UltraVNC, put a password on it, and let me have a look at your comp? You can cut the connection whenever you want if you don't trust me...
AlmondScar, posted June 13, 2004:

I've no idea what the UltraVNC program is, but I'll look into it tomorrow, as I have to go soon; I'm tired and it's really late xD I do have my HijackThis log file though:

Logfile of HijackThis v1.97.7
Scan saved at 01:38:14, on 13/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOGITRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lesley.proboards21.com/index.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHA~1.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sTOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [sTOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKLM\..\RunOnce: [spySweeper_BT01] "C:\Program Files\Webroot\Spy Sweeper\Bt01.exe" /SpySweeper_BT01
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8087.1669212963
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

Hope that can give you some idea of what's running etc.
BeenThereB4, posted June 13, 2004:

Try this: click START and go to MY COMPUTER, right-click, then click EXPLORE and click the WINDOWS folder, then click the SYSTEM 32 folder, then find the files below and delete them. Just delete ADStartUP.exe and all the file names listed below (delete AdUpdater.exe, adupmanager.xml, data.xml, IEEnhancer.dll), not the full links here. Also, you might not be able to delete ADStartUP.exe right away, but follow the instructions below on the registry edit and you can go back and delete ADStartUP.exe and the rest.

%Windir%\System32\ADStartUP.exe
%Windir%\System32\AdUpdater.exe
%Windir%\System32\adupdmanager.xml
%Windir%\System32\data.xml
%Windir%\System32\IEEnhancer.dll

After deleting these files from your system you will need to delete a registry entry:

Click the "Start" button on the taskbar
Click "Run..."
Type "regedit" and click the "OK" button
Open the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key
Right-click "Adstartup" and click "Delete"
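Added example (not code from the thread or from any poster): a small Python script that does the triage BeenThereB4's post describes against the HijackThis log posted above. It parses the O2 (BHO) and O4 (Run/RunServices) lines, flags any entry whose file name matches the indicator list from the first post, and prints the manual removal plan: delete the file at the path the log shows, then the registry value (or BHO key) that reloads it on the next boot. The sample log lines are constructed from the posted log. Two things are this example's own assumptions rather than anything the thread states: the 8.3 short-name heuristic (the log shows the BHO as IEENHA~1.DLL, which an exact match on IEEnhancer.dll would miss), and the Browser Helper Objects registry key used for O2 entries. Note that the plan takes paths from the log itself; on this Windows ME machine the entries live in C:\WINDOWS\SYSTEM, not System32.

```python
"""Triage a HijackThis v1.97 log: flag O2 (BHO) and O4 (Run/RunServices)
entries whose file name matches a known adware indicator, and list the manual
removal steps (file on disk, then the registry entry that reloads it).
Added example: the indicator list comes from the thread, the sample log lines
are constructed from the posted log, and the 8.3 short-name heuristic and the
BHO registry key path are this example's own assumptions."""
import re
import sys

# File names reported as indicators in the thread's first post (lowercase).
INDICATORS = {
    "may17_loader.exe", "isinstall_logix.exe", "adstartup.exe", "adloader.exe",
    "adupdater.exe", "admanager.xml", "data.xml", "ieenhancer.dll",
}

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"  # HKxx\..\Run expands under here
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")  # assumption: where IE lists BHOs by CLSID

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# First quoted or unquoted token ending in an executable extension; arguments may follow.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|tsk))"?(?:\s|$)', re.IGNORECASE)
# DOS 8.3 short name: up to six stem characters, ~N, optional three-character extension.
SHORT_RE = re.compile(r"^([^~.]{1,6})~\d+(?:\.([a-z0-9]{1,3}))?$")

# Constructed sample, copied in shape from the entries in the posted log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHA~1.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [sTOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_indicator(name, indicators=INDICATORS):
    """Exact match, or an 8.3 short name (IEENHA~1.DLL) whose six-character stem
    and extension agree with an indicator. The short-name check is a heuristic:
    any long name sharing the first six stem characters would also match, so
    treat such hits as 'review', not proof."""
    name = name.lower()
    if name in indicators:
        return True
    m = SHORT_RE.match(name)
    if not m:
        return False
    prefix, ext = m.group(1), m.group(2) or ""
    for ind in indicators:
        stem, _, iext = ind.rpartition(".")
        if stem[:6] == prefix and iext[:3] == ext:
            return True
    return False


def parse_log(text):
    """Return O2/O4 entries with the command line and the registry location
    HijackThis abbreviates (HKLM\\..\\Run is HKLM\\SOFTWARE\\...\\Run)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append({"kind": "O2", "cmd": m["path"], "value": None,
                            "reg": f"{BHO_KEY}\\{{{m['clsid']}}}"})
        elif m := O4_RE.match(line):
            entries.append({"kind": "O4", "cmd": m["cmd"], "value": m["value"],
                            "reg": f"{HIVES[m['hive']]}\\{RUN_BASE}\\{m['subkey']}"})
    return entries


def flag(entries):
    """Keep entries whose executable/DLL name matches an indicator; a BHO shown
    as '(no file)' has nothing on disk and is skipped."""
    findings = []
    for e in entries:
        m = EXE_RE.match(e["cmd"])
        if m and matches_indicator(basename(m["path"])):
            findings.append({**e, "file": m["path"]})
    return findings


def removal_plan(findings):
    r"""Delete the file at the path the log shows (this Windows ME log points at
    C:\WINDOWS\SYSTEM, not System32), then the registry entry that reloads it."""
    steps = []
    for f in findings:
        steps.append(("delete file", f["file"]))
        if f["kind"] == "O4":
            steps.append(("delete registry value", f"{f['reg']} -> {f['value']}"))
        else:
            steps.append(("delete registry key", f["reg"]))
    return steps


if __name__ == "__main__":
    # Usage: python hjt_triage.py [hijackthis.log]; without a file the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for step, target in removal_plan(flag(parse_log(text))):
        print(f"{step:22} {target}")
```

On the sample this flags the IEENHA~1.DLL BHO and the Adstartup Run value and leaves the AVG, STOPzilla and ZoneAlarm entries alone. The registry value name it prints for the Run entry ("Adstartup") is the one BeenThereB4's post tells the reader to delete in regedit; the file is deleted first because, as the thread notes, the Run entry simply restarts it at the next boot.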
DarkPhoenix, posted June 13, 2004:

I don't think it has been suggested yet, so here's my suggestion as to how to remove viruses. First, as was said earlier, disable System Restore (for the duration of this process anyway) and restart the computer in Safe Mode, and then run the virus scan there. That's what I always do, and it usually kills everything, because nothing gets loaded there but critical Windows files, so unless the virus has had a chance at those (something which should not really be a possibility with WFP) it should get removed. Try it anyway; works for me.
AlmondScar, posted June 13, 2004:

I'll just have to have a go at it in Safe Mode, and BeenThereB4, I found something similar to what you suggested on Google and it didn't work. Thanks very much everyone, wish me luck! ^^

EDIT: Er... doh. Didn't work in Safe Mode >_<
XtremeMaC, posted June 13, 2004:

I'd delete this: C:\WINDOWS\LOADQM.EXE. Did you follow the steps, by the way? Disable all startup items, disable System Restore, and etc.?
AlmondScar, posted June 13, 2004:

I need loadqm; I've always had that file, even before I've had the internet, either that or my computer has been doomed since day 1. What do you mean, disable System Restore? If this virus wipes my computer I won't be able to restore, and I would have to get a brand new hard drive, and my dad would kill me. xD And I don't know how to anyway. And I've disabled the startup items that are to do with the virus, yes.
BeenThereB4, posted June 13, 2004:

It is a System Restore issue: "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder". Follow the instructions for purging.
XtremeMaC, posted June 13, 2004:

If it wipes your HDD you need to get a new HDD? Why? It doesn't kill your HDD; all you'd need is a format if the situation is that bad. But I think it can be easily recovered from the virus and trojans. OK, from the link BeenThereB4 provided I'd do this:

Manually Purge the Data Store

To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Performance tab.
3. Click File System, and then click the Troubleshooting tab.
4. Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.
5. Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.

Since the restore folders are contaminated with the virus I believe you cannot really restore; even if you restore you'll be getting the virus back, so disable it and run the virus check. Again, for most viruses you don't really need to get a brand new anything, well maybe a brand new OS / anti-virus program. About loadqm: I once thought you were using XP. Anyway, if ME needs it, that's cool.
AlmondScar, posted June 13, 2004:

Thanks so much ^^, I'll disable the System Restore and keep you updated.

EDIT: The folder is messed up now; it says it only has 3 files, and I'm talking about the whole _restore folder, and I still have the American flag icon and can't open WMPlayer >_<.

EDIT (again xD, well, it's better than double posting): Scanned and everything came up clear. Still can't run WMP, so I'm rescanning just to make sure, and it also has that flag icon.
AlmondScar, posted June 13, 2004:

Oh, this is really urgent now ;_; My computer locked up earlier and I restarted to find the adstartup.exe file was back >_<' And the only thing I found about the American flag issue was on a message board on newgrounds.com, and the post wasn't even there! Help ;_; And sorry for double posting.
Tarun, posted June 13, 2004:

LoadQM is MSN Messenger related and can safely be disabled. Even if you disable System Restore, you still can't delete the folder. Search these boards; I know there's a thread on how to actually remove/disable System Restore. I find SR totally useless; I use GoBack, which is totally cool.

About LoadQM: loadqm.exe -- Installed with MSN Explorer and MSN Messenger. Loads the MSN Queue Manager. Required to enable the WU AutoUpdate feature. Note that disabling this can sometimes prevent internet sharing working on Win2K Pro SP2. Reports also suggest that removing it will re-enable internet access, hence the "user's choice" recommendation. If you have problems leave it, otherwise I recommend you disable it.

Note: I've disabled this with no problems and had system performance improve from removing this file from the Startup.