Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old May 26th, 2005, 01:15 PM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
Unhappy atiupdpl

Hi,

I am having a problem getting rid of atiupdpl.exe and a349801.exe. I think they are related files. I have done all the things listed in other posts. I have used killbox, manually delted the files, ran regedit and deleted those entries, used hijack this, used cleanup etc. They work for a day or two, then thses files just come back again.
I have searched the internet and greatis software and trend micro both acknowledge atiupdpl and say they can remove it. However if i run trendmicro's housecall, it doesn't detect it.

Below is my hijack this log.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:55 PM, on 5/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab


Also another little problem, if i leave my computer on for a while, Iexplorer shows as a running process several times, but no internet explorer window is open.
I run windows ME. Please help...
Reply With Quote
  #2  
Old May 29th, 2005, 05:14 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi sniffer. I am sorry that your topic was overlooked. Do you still need help? If so, please run Hijack This again and post a new log.
Reply With Quote
  #3  
Old May 29th, 2005, 02:29 PM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
still have problems

Yes i still have the problem. A349801 just caused an error and it installs atiupdpl.exe (atiupdpl appears in hijack this but normally after i delete everything i get the previous hijack this log)
I just deleted them both again. I have tried rebooting in safe mode, deleting them, removing of startup, deleting them from registry, but they still keep appearing after a day or 2. I guess there is some other hidden active file.

Anyway i will appreciate the help.
thanks



Logfile of HijackThis v1.99.1
Scan saved at 10:17:52 PM, on 5/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\GGJC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [GGJC] C:\WINDOWS\SYSTEM\GGJC.EXE
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
Reply With Quote
  #4  
Old May 29th, 2005, 02:41 PM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
This is the logfile on reboot after deleting a349801 and atiupdpl.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:18 PM, on 5/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\GGJC.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [GGJC] C:\WINDOWS\SYSTEM\GGJC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
Reply With Quote
  #5  
Old May 30th, 2005, 02:13 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
There are still a couple of baddies in your log sniffer. Boot into Safe Mode (restart your PC and tap F8 as it restarts)and run Hijack This again. Check the below entries and click on Fix Checked.

O4 - HKLM\..\Run: [GGJC] C:\WINDOWS\SYSTEM\GGJC.EXE

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab

Still in Safe Mode, make sure that you can view hidden files and folders (and System Files) and run a search for and delete GGJC.EXE.

Reboot and post a new log.
Reply With Quote
  #6  
Old May 31st, 2005, 08:48 AM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
Ok thats all done and here is the logfile.
I appreciate the help.

Logfile of HijackThis v1.99.1
Scan saved at 4:41:30 PM, on 5/31/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
Reply With Quote
  #7  
Old May 31st, 2005, 09:03 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Your log looks fine now sniffer. Do you still have a problem?
Reply With Quote
  #8  
Old June 1st, 2005, 03:29 AM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
Yes i still have the problem with atiupdpl. it starts with the running of a349801.exe which causes an error, then atiupdpl runs. They are both then entered into the registry again and in the startup programs. I delete them from everywhere, but everyday they are back.
Here is the updated hijack this logfile.

Logfile of HijackThis v1.99.1
Scan saved at 11:20:21 AM, on 6/1/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
Reply With Quote
  #9  
Old June 1st, 2005, 12:28 PM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Go here and download and run Silent Runners.vbs. It generates a log too. Please post the information back in this thread.
Reply With Quote
  #10  
Old June 2nd, 2005, 04:12 PM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
I have done something else. I downloaded the free trial of Regrun (http://www.greatis.com/security/) as they are one program that say the can get rid of atiupdpl. I did a 'clean boot'. Since then Antivir picks up a349801.exe trying to run and blocks it. (however i cannot find on a search and an entry is still put into the registry) It seems to have stopped the problem though.
The following is the silent runners log. and an updated hijack this log.
How does it look now?


"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"AVGCtrl" = ""C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore\(Default) = "Microsoft Outlook Express 6"
\StubPath = "rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{A1A07B07-F70D-482e-B0E8-B6178E73B094}" = "hkshlex extension"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\UCP\HKSHLEX.DLL" ["Big-O Software"]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"McAfee.com Scan for Viruses - My Computer tsid_05192004122546" -> launches: "C:\PROGRAM FILES\MCAFEE.COM\VSO\mcmnhdlr.exe /runtask:0" [file not found]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]
"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\MSJAVA.DLL" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Logfile of HijackThis v1.99.1
Scan saved at 12:05:39 AM, on 6/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GREATIS\REGRUNSUITE\WATCHDOG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GREATIS\REGRUNSUITE\APPDATA.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
Reply With Quote
  #11  
Old June 3rd, 2005, 01:28 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Both logs looks fine. If you want to try and track down all a349801.exe startups in your registry, go here and download, unzip and run the Registry Search Tool. Type a349801 in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them.
Reply With Quote
  #12  
Old June 3rd, 2005, 01:59 PM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
Here is the log from there. I deleted these files from the registry.
thanks for help.

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "a349801" 6/3/2005 9:46:26 PM

; NOTE: This file will be deleted when you close WordPad.

; You must manually save this file to a new location if you want to refer to it again later.

; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Explorer\ComDlg32\OpenSaveMRU\*]

"d"="C:\\a349801.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"h"="C:\\a349801.exe"

[HKEY_USERS\.DEFAULT\Software\Greatis\Regrun2\AppDa tabase\SearchHistory\a349801]

[HKEY_USERS\.DEFAULT\Software\Greatis\Regrun2\AppDa tabase\SearchHistory\a349801]

"Name"="a349801"

Reply With Quote
  #13  
Old June 4th, 2005, 10:27 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi sniffer they dont need to be fixed. The top two are just most recently used lists and the bottom two are Greatis Regrun2's search history.

What is the filepath of the file that Antivir is blocking?
Reply With Quote
  #14  
Old June 5th, 2005, 03:21 AM
sniffer sniffer is offline
New Member
 
Join Date: May 2005
Posts: 26
The file path is:
C:\\a349801.exe
The file is deleted automatically but occasionally it is there again. At least anti-vir is picking it up.
Reply With Quote
  #15  
Old June 5th, 2005, 12:01 PM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi sniffer, I have done a bit more research on this beast and I have discovered it creates a mutex to keep it in memory when the file is deleted.

Open Hijack This, and click on Config > Misc Tools. Click on Open Process Manager and have a look at all your running processes. Is there anything there that looks a bit odd? To find out what each process is, doubleclick on it.

You may have to disable AntVir otherwise you may not see it.
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
atiupdpl... wat is it? technoblur Malware Removal 7 June 11th, 2005 02:18 AM
atiupdpl.exe AGAIN! [cinnamongirl] Malware Removal 14 May 23rd, 2005 06:16 AM
trojan horse infected atiupdpl skrumrie Windows 98 2 May 17th, 2005 06:01 PM
atiupdpl.exe Seablues Malware Removal 1 May 15th, 2005 01:39 AM
Archive atiupdpl.exe [cinnamongirl] Malware Removal 4 May 4th, 2005 01:04 AM


All times are GMT +1. The time now is 05:10 PM.