Need Help!!!! Please!!!!

Discussion in 'adware, spyware & hijack cleaning' started by thatotherguy, Jun 2, 2004.

Thread Status:
Not open for further replies.
  1. thatotherguy

    thatotherguy Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    1
    Hi. I have this spyware or some program that keeps making these popups and prevents me from clicking on my desktop icons. I checked the processes that were running and I think it is called May17_loader.exe. It seems to be the one because I tried deleting it but it comes back after I restart my computer. I also have adware, spy doctor, spybot search and destroy, but they failed to get rid of it completely. I also noticed that I'm able to click on my desktop after restarting the computer, but popups are still created and when I click on windows media player, my desktop freezes again. Thank you for your help!

    Logfile of HijackThis v1.97.7
    Scan saved at 1:35:46 AM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Promon.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\Sktempdm.exe
    C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    C:\WINDOWS\System32\Skdaemon.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\NMSSvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\WINDOWS\System32\ICO.EXE
    C:\WINDOWS\System32\FSRremoS.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\Pelmiced.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\Adstartup.exe
    C:\WINDOWS\System32\may17_loader.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\BMCENT~1\BMClient.exe
    C:\Documents and Settings\Patrick\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEENHA~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Detect Kbd Daemon] SK2000DM.EXE
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\may17_loader.exe" /HideUninstall /HideDir /PC=AM.ALGX
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
    O4 - Startup: Knowledge Machine.lnk = C:\GALTWARE\MACHINE.EXE
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: =>&Spanish - http:\\wordreference.com\es\j\iees69.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O12 - Plugin for .uk/~bates/: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...r.viewpoint.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7861.7028472222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
     
  2. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    First, from Add/Remove Programs, uninstall Apropos if listed.

    Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEENHA~1.DLL

    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\System32\may17_loader.exe" /HideUninstall /HideDir /PC=AM.ALGX

    Reboot, and delete

    files
    C:\WINDOWS\System32\Adstartup.exe
    C:\WINDOWS\System32\may17_loader.exe

    These may be hidden files. See HERE for how to show hidden files.

    Please post a followup Hijack this log, and say if your problems persist.
     
Thread Status:
Not open for further replies.