
May17_loader, Apropo(s).D


AlmondScar


I'll explain -

About 3 weeks ago I went onto a lyric site to get some song words, I got LOADS of popups and couldn't close them, then ZoneAlarm kept on coming up 'Do you want MAY17_LOADER.EXE to access the internet?'

Since that time I haven't been able to open Windows Media Player, and I have had the following files which, once I delete them, come back:

may17_loader.exe

isinstall_logix.exe

adstartup.exe

adloader.exe

adupdater.exe

admanager.xml

data.xml

IEENHANCER.dll

And maybe one or two more. Every time I scanned with AVG it wouldn't find it, even when it was fully updated. I downloaded Spy Sweeper, and it found it, but said a file similar to a0035860.cpy couldn't be deleted so would be deleted upon restart, and I always got that message.

I downloaded the AVG new update which was released today and it found May_17loader.exe, and also the infected .cpy files. It put May_17loader.exe in the virus vault, but whenever it came to moving the .cpy ones, it just came up "cannot be removed". I was getting loads of popups from this so I downloaded StopZilla, which listed WMplayer as a parasite. Now what REALLY freaked me out was I got disconnected from my internet, then looked to find my WMPlayer icon had turned into a US flag.

This has caused me a lot of trouble o_O If you need any more information, please ask. Here are some pictures below of what has been happening; the colours are a bit dodgy in some, they were saved in Paint xD

O_O.gif

apropo.gif

blacklist.gif

testresults.gif

(The non-infected results in between the ones where a virus was detected are ones that I cancelled, and the date may be a bit messed up because I was trying to time-forward something in my game Petz xD)

FLAG.gif

Please, please help ;_;

PS - 3 days ago, I was a member here for one year! yey xD



OK, first go to msconfig and clear the startup items,

and look at the Start menu "Startup" folder

and remove the suspicious-looking files.

Then use at least 2 spyware programs to remove the spyware;

update all of them (I usually use 3-4 of them to make sure (for my friends who complain about spyware)).

Anyway, after you complete this run a virus check, and

if that fails manually remove the files.

Some recent files I have discovered were in the Program Files dir; check there,

and I'm sure there are many other suspicious-looking files all over the HDD. There are not so many places they can be.

Anyway:

1. clear startup items (msconfig + Start menu)

2. run spyware

3. run anti-virus

Then you should be okay!

If the antivirus complains about the virus not being removed, manually delete it. If it says "cannot delete", check your Task Manager and see if that file is running.

Then, since some files are in your _restore folder, for once go to System Properties and disable "System Restore"; you can get it back up after you clear your virus/etc.


Thanks so much for your reply, but I've tried everything you've said several times already. I can't find the _restore folder; I've enabled the viewing of hidden folders and it's just not there. I've searched for the infected file names on my computer and it says it can't find them. I've just used HijackThis to remove some files. I have SpySweeper, ZoneAlarm, Spybot, AVG; I've scanned with the 3 several times. SpySweeper says the files will be removed on reboot and AVG just comes up "'Blah' cannot be removed".

This Apropos virus is just meant to cause popups, but it's infected Windows Media Player also and its file icon o.O I've deleted the Apropos files countless times and my computer keeps locking up and freezing.

_nothing_ is working o_O


I've no idea what the UltraVNC program is, but I'll look into it tomorrow, as I have to go soon; I'm tired and it's really late xD

I do have my HijackThis log file though:

Logfile of HijackThis v1.97.7

Scan saved at 01:38:14, on 13/06/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\HIDSERV.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOGITRAY.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\AIM95\AIM.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE

C:\WINDOWS\SYSTEM\LVCOMS.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lesley.proboards21.com/index.cgi

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHA~1.DLL

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [sTOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [sTOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE

O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

O4 - HKLM\..\RunOnce: [spySweeper_BT01] "C:\Program Files\Webroot\Spy Sweeper\Bt01.exe" /SpySweeper_BT01

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

O4 - Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: AIM (HKLM)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8087.1669212963

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

Hope that can give you some idea of what's running etc.


Try this:

Click START and go to MY COMPUTER, right-click, then click EXPLORE and click the WINDOWS folder, then click the SYSTEM 32 folder, then find the following below and delete it. Just delete ADStartUP.exe and all the file names listed below (delete AdUpdater.exe, adupmanager.xml, data.xml, IEEnhancer.dll), not the full links here. Also you might not be able to delete ADStartUP.exe right away, but follow the instructions below on the registry edit and you can go back and delete ADStartUP.exe and the rest.

%Windir%\System32\ADStartUP.exe

%Windir%\System32\AdUpdater.exe

%Windir%\System32\adupdmanager.xml

%Windir%\System32\data.xml

%Windir%\System32\IEEnhancer.dll

After deleting these files from your system you will need to delete a registry entry:

Click the "Start" button on the taskbar

Click "Run..."

Type "regedit" and click the "OK" button

Click the "Start" button on the taskbar

Open the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key

Right-click "Adstartup" and click "Delete"

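The HijackThis log posted above and the removal instructions in the reply before this point both turn on the same two entries: the `O4 - HKLM\..\Run: [Adstartup]` autostart and the `O2` BHO loading `IEENHA~1.DLL` (the 8.3 short name HijackThis prints for IEEnhancer.dll). The script below is an added example, not code from the thread or from any of the tools mentioned in it: it reads HijackThis-style lines, flags the O2/O4 entries whose file is on the list of names from the first post, and prints the registry key where each entry lives. The sample log is constructed from a few lines of the posted log, and the BHO registration key is standard Windows knowledge rather than something the thread states. Note that the posted log shows the files under `C:\WINDOWS\SYSTEM`, which is where Windows ME keeps them.

```python
import re
from dataclasses import dataclass

# File names the first post lists as the ones that keep coming back.
# The 8.3 short-name form HijackThis printed (IEENHA~1.DLL) is handled in is_adware_file().
ADWARE_FILES = {
    "may17_loader.exe", "isinstall_logix.exe", "adstartup.exe", "adloader.exe",
    "adupdater.exe", "admanager.xml", "data.xml", "ieenhancer.dll",
}

# Constructed sample: a few lines in the shape of the HijackThis log in this thread
# (the Adstartup Run entry and the IEENHA~1.DLL BHO, plus benign entries as controls).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHA~1.DLL
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [sTOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = "\\Software\\Microsoft\\Windows\\CurrentVersion\\"
# Standard key under which Internet Explorer BHOs are registered (general Windows
# knowledge, not something stated in the thread).
BHO_KEY = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
           "\\Explorer\\Browser Helper Objects\\")

_O2 = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
_FILE = re.compile(r"^(.*?\.(?:exe|dll|ocx|xml))(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str       # "O2" (browser helper object) or "O4" (registry autostart)
    name: str          # BHO CLSID, or the [value name] of the Run entry
    path: str          # file the entry loads
    registry_key: str  # key holding the entry that re-launches the file at boot


def command_file(cmd: str) -> str:
    """Return just the executable from an O4 command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path; arguments follow the closing quote
        return cmd[1:].split('"', 1)[0]
    m = _FILE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def is_adware_file(path: str) -> bool:
    """Match a full path against ADWARE_FILES, including DOS 8.3 short names."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in ADWARE_FILES:
        return True
    stem, _, ext = name.rpartition(".")
    if "~" in stem:  # e.g. IEENHA~1.DLL: compare the part before the tilde
        prefix = stem.split("~", 1)[0]
        return any(
            full.rpartition(".")[2] == ext and full.rpartition(".")[0].startswith(prefix)
            for full in ADWARE_FILES
        )
    return False


def parse_hijackthis(log: str) -> list[Finding]:
    """Flag O2/O4 lines whose file is on the list and say where each entry lives."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            clsid, path = m.groups()
            if is_adware_file(path):
                findings.append(Finding("O2", clsid, path, BHO_KEY + clsid))
        elif m := _O4.match(line):
            hive, subkey, value, cmd = m.groups()
            path = command_file(cmd)
            if is_adware_file(path):
                findings.append(Finding("O4", value, path, HIVES[hive] + RUN_BASE + subkey))
    return findings


if __name__ == "__main__":
    for f in parse_hijackthis(SAMPLE_LOG):
        print(f"{f.section} {f.name}: delete file {f.path}")
        print(f"   and the entry under {f.registry_key}")
```

Run it over a real log instead of `SAMPLE_LOG` to get the same list. The Run key it prints for `Adstartup` is the one the removal post tells you to open in regedit; the file and the Run value have to go together, since the value is what starts the file again at the next boot. Names like `data.xml` are generic, so check that the path is under `C:\WINDOWS\SYSTEM` before deleting.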

I don't think it has been suggested yet, so here's my suggestion as to how to remove viruses. First, do as was said earlier: disable System Restore (for the duration of this process anyway), restart the computer in Safe Mode and then run the virus scan there. That's what I always do, and it usually kills everything, because nothing gets loaded there but critical Windows files, so unless the virus has had a chance at those (something which should not really be a possibility with WFP) it should get removed. Try it anyway; works for me.


I'll just have to have a go at it in Safe Mode, and BeenThereB4, I found something similar to what you suggested on Google and it didn't work.

Thanks very much everyone, wish me luck! ^^,

EDIT:

Er... doh. Didn't work in Safe Mode >_<

notremoved.gif


I need loadqm, I've always had that file even before I've had the internet, either that or my computer has been doomed since day 1.

What do you mean disable System Restore? If this virus wipes my computer I won't be able to restore, and I would have to get a brand new hard drive, and my dad would kill me. xD And I don't know how to anyway. And yes, I've disabled the startup items that are to do with the virus.


If it wipes your HDD you need to get a new HDD? Why?

It doesn't kill your HDD; all you'd need is a format if the situation is that bad.

But I think it can be easily recovered from the virus and trojans.

OK, from the link BeenThereB4 provided I'd do this:

Manually Purge the Data Store

To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.

Click Start, point to Settings, and then click Control Panel.

Double-click System, and then click the Performance tab.

Click File System, and then click the Troubleshooting tab.

Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.

Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.

Since the restore folders are contaminated with the virus I believe you cannot really restore; even if you restore you'll be getting the virus back,

so disable it,

run the virus check... again.

For most viruses you don't really need to get a brand new anything, well, maybe get a brand new OS / anti-virus program? :)

About loadqm: I once thought you were using XP. Anyway, if ME needs it that's cool :rolleyes:


Thanks so much ^^, I'll disable the system restore and keep you updated.

EDIT:

The folder is messed up now; it says it only has 3 files, and I'm talking about the whole _restore folder. And I still have the American flag icon and can't open WMPlayer >_<.

empty.jpg

EDIT (again xD, well, it's better than double posting):

Scanned and everything came up clear, still can't run WMP, so I'm rescanning just to make sure, and it also has that flag icon.


Oh, this is really urgent now ;_; My computer locked up earlier and I restarted to find the adstartup.exe file was back >_<' And the only thing I found about the American flag issue was on a message board on newgrounds.com, and the post wasn't even there!

Help ;_; And sorry for double posting.


LoadQM is Msn Messenger related and can safely be disabled.

Even if you disable System Restore, you still can't delete the folder. Search these boards, I know there's a thread on how to actually remove/disable System Restore. I find SR totally useless, I use Goback, which is totally cool.

About LoadQM:

loadqm.exe -- Installed with MSN Explorer and MSN Messenger. Loads the MSN Queue Manager. Required to enable the WU AutoUpdate feature. Note that disabling this can sometimes prevent internet sharing working on Win2K Pro SP2. Reports also suggest that removing it will re-enable internet access - hence the "users choice" recommendation. If you have problems leave it, otherwise I recommend you disable it.

Note: I've disabled this with no problems and had system performance improve from removing this file from the Startup.
