Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.
#1
Hey everybody,
I'm here again to ask for help. The problem I described here before (http://cybertechhelp.com/forums/showthread.php?t=76181) came back. Today, when I started Windows, the same error message was there again. And the file a349801.exe came back too; I think they have something in common! Please help me, I don't know what to do anymore!
#2
Hi [cinnamongirl], please post a new Hijack This log. I would also like to see a couple more logs this time.

Go here and download and run Silent Runners.vbs. It generates a log too. Please post the information back in this thread.

Download this zipped file to your desktop http://skads.org/special/rkfiles.zip and unzip it to its own folder. When you run the utility, it will generate a log listing suspicious files. This utility must be run in Safe Mode to work correctly. Boot into Safe Mode (restart your PC and tap F8 as it restarts) and double-click on RKFILES.BAT to run it. It will take quite a while (10 minutes or more, so be patient). When it has finished, a text file will open; save the log and post it in this thread. Do not attempt to delete any files; wait for me to check them. You might have to make a couple of posts.
#3
I have the same problem with the atiupdpl.exe file and a349801.exe. I have run Hijack This, and everything logged is correct, as with Silent Runners. I ran Killbox and deleted these files on reboot, but they automatically appear again after some time if I leave my computer on. I tried manual deletion with the same result.

I have searched the internet trying to find out about this file, and cinnamongirl's post is the only other thing I can find. Please help!
#4
Hi. I have the same problem with the atiupdpl.exe file and the a349801.exe file. atiupdpl is located under windows/system, while a349801.exe is under c:/. I have run Hijack This and Silent Runners but all the logged files are OK. I have manually deleted these files, and deleted them through Killbox (as well as atiupdpl.log). This fixes the problem temporarily, but they both return after a certain time (even if the computer is just left on). I run Norton's security and Spybot, but no program picks up these files. Please help...
#5
Here's the Silent Runners log:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows Millennium
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"AVG7_CC" = "C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"LoadQM" = "loadqm.exe" [MS]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"885492" = "C:\WINDOWS\INF\unregmp2.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"KPF4" = "C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe" ["Kerio Technologies"]
"atiupdpl" = "C:\WINDOWS\SYSTEM\atiupdpl.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Instalação do Windows - Conversor de unidade (FAT32)"
                \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Acesso à rede dial-up"
  -> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}" = "Extrator de miniaturas de arquivo GDI+"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\THUMBVW.DLL" [MS]
"{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\SHELL32.DLL" [MS]
"{53C74826-AB99-4d33-ACA4-3117F51D3788}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\SHELL32.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\ARQUIVOS DE PROGRAMAS\WINRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"AUHook" = "{BCBCD383-3E06-11D3-91A9-00C04F68105C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\AUHOOK.DLL" [MS]

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Menu Iniciar\Programas\Iniciar
"Microsoft Office" -> shortcut to: "C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"Agendador do PCHealth para coleta de dados" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"1-Click Maintenance" -> launches: "C:\ARQUIVOS DE PROGRAMAS\TUNEUP UTILITIES 2004\SystemOptimizer.exe /schedulestart" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
#6
And here's the RKFiles log:

ECHO está desativado
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------

Files Found in all users windows Folder............
------------------------

Finished bye
#7
Hi sniffer, please start your own topic. It is far too difficult trying to work with two sets of logs in one thread.

Please post a Hijack This log too, [cinnamongirl].
#8
Here it goes...

Logfile of HijackThis v1.99.1
Scan saved at 21:35:03, on 8/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\ARQUIVOS DE PROGRAMAS\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\ARQUIVOS DE PROGRAMAS\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
#9
Ok, close Internet Explorer and all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

Run Killbox again. Copy and paste the full file path of the below files in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

C:\WINDOWS\SYSTEM\atiupdpl.exe
C:\A349801.exe

Reboot, run Disk Cleanup and delete all Temporary Internet Files and Temp files. When you have done this, disable your antivirus program and go here and run an online scan with BitDefender. When the ActiveX Control has loaded, under Scan Options, check all options and select the drive you want scanned. Post back and let us know what it found. Run Hijack This again and post a new log (if any viruses are detected and removed, reboot first).
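The four atiupdpl entries above, one each in HKLM and HKCU Run and RunServices, are the kind of pattern a log reader can flag mechanically: legitimate software normally needs a single autostart entry, so one image registered in every Run key at once deserves a look. As an added example (not code from this thread, from HijackThis or from its author), the Python below parses the O4 registry lines of a HijackThis log, flags any image registered in three or more autostart locations, and diffs a before log against an after log to confirm the entries are gone. The sample log lines are constructed in the shape of the logs posted in this thread, and the threshold of three locations is an assumption chosen for the example.

```python
"""Added example (not from this thread): parse HijackThis O4 autostart lines,
flag an image registered in several autostart locations at once, and diff a
'before' log against an 'after' log to confirm the fix took."""
import re
from collections import defaultdict

# Constructed sample: O4 section in the shape of the thread's 8/5/2005 log (before the fix).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [KPF4] C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
"""

# Constructed sample: the same section after the atiupdpl entries were fixed.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [KPF4] C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
"""

# One registry O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices|RunServicesOnce): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# The program image at the head of a command line, quoted or not, arguments dropped.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr|pif|dll))"?(?:\s|$)', re.IGNORECASE)


def parse_o4(log_text):
    """Return (hive, key, name, command) tuples for every registry O4 line in the log."""
    entries = []
    for raw in log_text.splitlines():
        m = O4_REG_RE.match(raw.strip())
        if m:
            entries.append((m['hive'], m['key'], m['name'], m['cmd'].strip()))
    return entries


def image_path(command):
    """Lower-cased path of the image a Run value launches ('' if not recognised)."""
    m = IMAGE_RE.match(command.strip())
    return m['path'].lower() if m else ''


def multi_location_autostarts(entries, min_locations=3):
    """Map image path -> sorted list of autostart keys, for images registered in at
    least `min_locations` distinct Run/RunServices keys (assumed threshold)."""
    locations = defaultdict(set)
    for hive, key, _name, cmd in entries:
        path = image_path(cmd)
        if path:
            locations[path].add(hive + '\\' + key)
    return {p: sorted(locs) for p, locs in locations.items() if len(locs) >= min_locations}


def removed_entries(before, after):
    """Entries present in the earlier log but absent from the later one."""
    return sorted(set(before) - set(after))


def still_present(entries, image_name):
    """True if any entry still launches an image with this file name (case-insensitive)."""
    image_name = image_name.lower()
    return any(image_path(cmd) == image_name or image_path(cmd).endswith('\\' + image_name)
               for *_, cmd in entries)


if __name__ == '__main__':
    before, after = parse_o4(BEFORE_LOG), parse_o4(AFTER_LOG)
    for path, locs in multi_location_autostarts(before).items():
        print(f'{path} is registered in {len(locs)} autostart locations: {", ".join(locs)}')
    for hive, key, name, cmd in removed_entries(before, after):
        print(f'removed: {hive}\\..\\{key}: [{name}] {cmd}')
    print('atiupdpl.exe still present after fix:', still_present(after, 'atiupdpl.exe'))
```

Run it as a script to see the flagged image, the entries that disappeared between the two logs, and a final yes/no on whether the image is still registered anywhere. The before/after diff is the check worth keeping: the thread shows entries that were fixed with HijackThis coming back, so comparing a fresh log against the previous one after each reboot is how you tell a fixed registry value from a re-created one.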
#10
Hi AnnMarie,

First of all, sorry for my delay. I did everything you told me to, and right now I haven't had problems with atiupdpl or a349801. Here are the results of BitDefender; as you can see, I still have the files on my PC, at C:\_restore, and they couldn't be disinfected. The error messages didn't come back because I disabled System Restore before deleting the files. Can I just delete all files from _restore? Thank you. Bye!

C:\_RESTORE\TEMP\ATIUPDPL.0: infected with Win32.Worm.Mytob.1.Gen
C:\_RESTORE\TEMP\ATIUPDPL.0: disinfection failed
C:\_RESTORE\TEMP\A349801.0: infected with Win32.Worm.Mytob.1.Gen
C:\_RESTORE\TEMP\A349801.0: disinfection failed
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hotbar.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Hotbar.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente1.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente2.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente2.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente3.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente3.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente4.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente4.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente5.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente5.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Caminhoerradodaaplicao.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Caminhoerradodaaplicao.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente6.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente6.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente7.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente7.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente8.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente8.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente9.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente9.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente10.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente10.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente11.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente11.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente12.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente12.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente13.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente13.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente14.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente14.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente15.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DLLcompartilhadoausente15.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente1.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente2.zip=>sbRecovery.reg: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\Ficheirodeassistnciaausente2.zip=>sbRecovery.ini: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated1.zip=>RELATED.HTM: password protected
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated1.zip=>sbRecovery.ini: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>default.skn: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab1.bmp: password protected
C:\Arquivos de programas\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab2.bmp: password protected
#12
Ok, I can't believe it! atiupdpl.exe and a349801.exe came back again! With System Restore disabled! Oh god, I really don't know what to do anymore...
#13
Go to Start > Run and type:

%temp%

and OK. Your Temp folder will open. Select the contents and delete all files. Also run Disk Cleanup and delete all Temporary Internet Files. Reboot and then go here and run a Housecall scan. Post back and let us know what it found. Also post a new Hijack This log.
#14
Hi,

Finally my problem is over. To resolve this, I disabled System Restore and configured Windows to show all files. Then I started Windows in Safe Mode, ran HijackThis and did a "system scan only". I fixed the entries:

O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe

then ran KillBox and deleted the 3 files on reboot, and used the program Clean Up! (http://downloads.stevengould.org/cleanup/CleanUp40.exe). And this is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 22:29:23, on 22/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Arquivos de programas\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Thank you for your help, AnnMarie! Bye
#15
That's good news [cinnamongirl] and that's a nice clean log.