atiupdpl.exe AGAIN!

#1 [cinnamongirl] (New Member), May 7th, 2005, 03:04 AM


Hey everybody,

I'm here again to ask for help. The problem I reported here before (http://cybertechhelp.com/forums/showthread.php?t=76181) came back. Today, when I started Windows, the same error message was there again. And the file a349801.exe came back too, I think they have something in common!
Please help me, I don't know what to do anymore!

#2 AnnMarie (CTH Subscriber), May 7th, 2005, 06:01 AM

Hi [cinnamongirl], please post a new Hijack This log. I would also like to see a couple more logs this time.

Go here and download and run Silent Runners.vbs. It generates a log too. Please post the information back in this thread.

Download this zipped file to your desktop http://skads.org/special/rkfiles.zip and unzip it to its own folder. When you run the utility, it will generate a log listing suspicious files. This utility must be run in Safe Mode to work correctly.

Boot into Safe Mode (restart your PC and tap F8 as it restarts) and doubleclick on RKFILES.BAT to run it. It will take quite a while (10 minutes or more so be patient). When it has finished a text file will open, save the log and post it in this thread. Do not attempt to delete any files, wait for me to check them.

You might have to make a couple of posts.

#3 sniffer (New Member), May 8th, 2005, 05:08 PM
atiupdpl.exe problem too

I have the same problem with the atiupdpl.exe file and a349801.exe. I have run HijackThis, and everything logged is correct, as with Silent Runners. I ran Killbox and deleted these files on reboot, but they automatically appear again after some time if I leave my computer on. I tried manual deletion with the same result.
I have searched the internet trying to find out about this file, and cinnamongirl's post is the only other thing I can find. Please help!

#4 sniffer (New Member), May 8th, 2005, 05:12 PM
atiupdpl.exe problem too

Hi. I have the same problem with the atiupdpl.exe file and the a349801.exe file. atiupdpl is located under windows/system, while a349801.exe is under c:/. I have run HijackThis and Silent Runners but all the logged files are ok. I have manually deleted these files, and deleted them through Killbox (as well as atiupdpl.log). This fixes the problem temporarily but they both return after a certain time (even if the computer is just left on). I run Norton's security and Spybot, but no program picks up these files. Please help...

#5 [cinnamongirl] (New Member), May 8th, 2005, 07:18 PM
Here's the Silent Runners' log:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows Millennium
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"AVG7_CC" = "C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"LoadQM" = "loadqm.exe" [MS]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"885492" = "C:\WINDOWS\INF\unregmp2.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"KPF4" = "C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe" ["Kerio Technologies"]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Instalação do Windows - Conversor de unidade (FAT32)"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Acesso à rede dial-up"
-> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" = "Extrator de miniaturas de arquivo GDI+"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\THUMBVW.DLL" [MS]
"{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\SHELL32.DLL" [MS]
"{53C74826-AB99-4d33-ACA4-3117F51D3788}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\SHELL32.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\WINRAR\rarext.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\AUHOOK.DLL" [MS]

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------
C:\WINDOWS\Menu Iniciar\Programas\Iniciar
"Microsoft Office" -> shortcut to: "C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------
"Agendador do PCHealth para coleta de dados" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"1-Click Maintenance" -> launches: "C:\ARQUIVOS DE PROGRAMAS\TUNEUP UTILITIES 2004\SystemOptimizer.exe /schedulestart" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#6 [cinnamongirl] (New Member), May 8th, 2005, 07:43 PM
And here's the RKFiles log:

ECHO está desativado

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


#7 AnnMarie (CTH Subscriber), May 8th, 2005, 11:00 PM

Hi sniffer, please start your own topic. It is far too difficult trying to work with two sets of logs in one thread.

Please post a Hijack This log too [cinnamongirl].

#8 [cinnamongirl] (New Member), May 9th, 2005, 01:41 AM
Here it goes...

Logfile of HijackThis v1.99.1
Scan saved at 21:35:03, on 8/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\ARQUIVOS DE PROGRAMAS\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\ARQUIVOS DE PROGRAMAS\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

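
The two logs above show what a helper reads by eye: the same value name, atiupdpl, registered under every autostart key at once (Run and RunServices, under both HKLM and HKCU), and Silent Runners tagging its executable "[null data]", meaning the file carries no version or publisher resource, while every other entry carries "[MS]" or a vendor name. As an added example (not part of the thread, and not code from Silent Runners, HijackThis or anyone posting here), the Python script below parses the registry autostart sections of both formats, the Silent Runners log in post #5 and the HijackThis O4 lines in post #8, and applies those two checks automatically. The sample lines are copied from those posts and embedded inline so the script runs offline; the rule set and the "high"/"medium" labels are this example's own and are not anything either tool produces.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input (constructed for this example): the registry autostart lines
# copied from the Silent Runners log in post #5. Key lines end in "{++}";
# value lines carry the executable's publisher in brackets, and "[null data]"
# means the file has no version resource at all.
SILENT_RUNNERS = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"AVG7_CC" = "C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"KPF4" = "C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe" ["Kerio Technologies"]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]
'''

# Sample input (constructed for this example): O4 lines copied from the
# HijackThis log in post #8. This format carries no publisher information.
HIJACKTHIS = r'''
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [KPF4] C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
'''


@dataclass
class Autostart:
    location: str             # hive plus last key component, e.g. "HKLM\RunServices"
    name: str                 # registry value name
    path: str                 # executable with command-line arguments stripped
    publisher: Optional[str]  # None = this log format carries no publisher data


SR_KEY = re.compile(r'^(HK[A-Z]{2})\\(.+?)\\ \{\+\+\}$')
SR_VALUE = re.compile(r'^"([^"]+)" = "(.*)" \[(.*)\]$')
HJT_O4 = re.compile(r'^O4 - (HK[A-Z]{2})\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
EXE = re.compile(r'^"?(.*?\.(?:exe|com|bat|scr|pif))', re.IGNORECASE)


def exe_path(command: str) -> str:
    """Drop surrounding quotes and arguments, keep the executable path."""
    m = EXE.match(command)
    return m.group(1) if m else command.strip('"')


def parse_silent_runners(text: str) -> list:
    entries, location = [], None
    for line in text.splitlines():
        k = SR_KEY.match(line)
        if k:  # a new autostart key: remember hive and last component (Run, RunServices, ...)
            location = f"{k.group(1)}\\{k.group(2).split(chr(92))[-1]}"
            continue
        v = SR_VALUE.match(line)
        if v and location:
            entries.append(Autostart(location, v.group(1), exe_path(v.group(2)), v.group(3).strip('"')))
    return entries


def parse_hijackthis(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = HJT_O4.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append(Autostart(f"{hive}\\{key}", name, exe_path(command), None))
    return entries


def triage(entries: list) -> dict:
    """Group entries by value name and report the ones worth a closer look.

    Rule 1: one value name under several autostart keys (Run plus RunServices,
            HKLM plus HKCU) is how a worm survives a partial clean-up.
    Rule 2: Silent Runners' "[null data]" means no version/publisher resource,
            which vendor software almost always has.
    Both rules tripping => "high"; one => "medium"; neither => not reported.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name.lower()].append(e)
    report = {}
    for name, regs in by_name.items():
        locations = sorted({e.location for e in regs})
        publishers = {e.publisher for e in regs if e.publisher is not None}
        reasons = []
        if len(locations) > 1:
            reasons.append(f"registered in {len(locations)} autostart keys")
        if "null data" in publishers:
            reasons.append("executable carries no publisher/version info")
        if reasons:
            report[name] = {
                "severity": "high" if len(reasons) == 2 else "medium",
                "locations": locations,
                "paths": sorted({e.path for e in regs}),
                "publishers": sorted(publishers),
                "reasons": reasons,
            }
    return report


def triage_logs(silent_runners: str = SILENT_RUNNERS, hijackthis: str = HIJACKTHIS) -> dict:
    """Merge both logs so publisher data from one can vouch for entries in the other."""
    return triage(parse_silent_runners(silent_runners) + parse_hijackthis(hijackthis))


if __name__ == "__main__":
    for name, info in sorted(triage_logs().items(), key=lambda kv: kv[1]["severity"]):
        print(f"{info['severity']:6} {name}: {'; '.join(info['reasons'])}")
        print(f"       keys: {', '.join(info['locations'])}")
        print(f"       file: {', '.join(info['paths'])}")
```

Run on the posted lines, atiupdpl comes out "high" (four autostart keys, no publisher data), which is exactly the set of four O4 entries AnnMarie has the poster fix. MsnMsgr comes out "medium" because MSN Messenger is also registered twice under HKCU; the "[MS]" tag in the Silent Runners log is what clears it, and that is the reason to read a HijackThis log, which has no publisher column, alongside one that does rather than on its own.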

#9 AnnMarie (CTH Subscriber), May 9th, 2005, 11:21 AM

Ok, close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

Run Killbox again. Copy and paste the full file path of the below files in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

C:\WINDOWS\SYSTEM\atiupdpl.exe
C:\A349801.exe

Reboot, run Disk Cleanup and delete all Temporary Internet Files and Temp files. When you have done this, disable your antivirus program and go here and run an online scan with BitDefender. When the ActiveX Control has loaded, under Scan Options, check all options and select the drive you want scanned. Post back and let us know what it found.

Run Hijack This again and post a new log (if any viruses are detected and removed, reboot first)

#10 [cinnamongirl] (New Member), May 14th, 2005, 03:20 AM
Hi AnnMarie,

First of all, sorry for my delay. I did everything you told me to and right now I haven't had problems with atiupdpl or a349801. Here are the results of BitDefender; as you can see, I still have the files on my PC, at C:\_restore, and they couldn't be disinfected. The error messages didn't come back because I disabled System Restore before deleting the files. Can I just delete all files from _restore? Thank you.

Bye!

C:\_RESTORE\TEMP\ATIUPDPL.0: infected with Win32.Worm.Mytob.1.Gen
C:\_RESTORE\TEMP\ATIUPDPL.0: disinfection failed
C:\_RESTORE\TEMP\A349801.0: infected with Win32.Worm.Mytob.1.Gen
C:\_RESTORE\TEMP\A349801.0: disinfection failed
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hotbar.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hotbar.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente1.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente2.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente2.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente3.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente3.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente4.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente4.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente5.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente5.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Caminhoerradodaaplicao.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Caminhoerradodaaplicao.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente6.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente6.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente7.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente7.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente8.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente8.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente9.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente9.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente10.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente10.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente11.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente11.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente12.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente12.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente13.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente13.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente14.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente14.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente15.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente15.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente1.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente2.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente2.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated1.zip=>RELATED.HTM: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated1.zip=>sbRecovery.ini: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>default.skn: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab2.bmp: password protected

#11 AnnMarie (CTH Subscriber), May 14th, 2005, 04:09 AM

Disabling System Restore should have flushed those files unless you haven't rebooted. See instructions here

#12 [cinnamongirl] (New Member), May 15th, 2005, 03:34 AM

Ok, I can't believe it! atiupdpl.exe and a349801.exe came back again! With System Restore disabled! Oh, god, I really don't know what to do anymore...

#13 AnnMarie (CTH Subscriber), May 15th, 2005, 06:34 AM

Go to Start > Run and type:

%temp%

and OK. Your Temp folder will open. Select the contents and delete all files. Also run Disk Cleanup and delete all Temporary Internet Files.

Reboot and then go here and run a Housecall scan. Post back and let us know what it found. Also post a new Hijack This log.

#14 [cinnamongirl] (New Member), May 23rd, 2005, 02:33 AM

Hi,

Finally my problem is over. To resolve this, I disabled System Restore and configured Windows to show all files. Then I started Windows in Safe Mode, ran HijackThis with "system scan only" and fixed the entries

O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

Then I ran KillBox and deleted the 3 files on reboot, and used the program Clean Up! (http://downloads.stevengould.org/cleanup/CleanUp40.exe). And this is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 22:29:23, on 22/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE


O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab


Thank you for your help, AnnMarie!

Bye

#15 AnnMarie (CTH Subscriber), May 23rd, 2005, 06:16 AM

That's good news [cinnamongirl] and that's a nice clean log.