|
|||||||
| Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
 |
|
|
Topic Tools |
|
#1
May 3rd, 2005, 03:28 AM
|
|||
|
|||
|
Archive atiupdpl.exe
Hey everyone!
I´m having some problems when I start the PC. An error window shows up with the message "atiupdpl.exe is causing an error at KERNEL32.DLL". Can you guys help me? Here´s my HJT log : Logfile of HijackThis v1.99.1 Scan saved at 23:19:11, on 2/5/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\ATIUPDPL.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab Thank you! 
|
![[cinnamongirl] is offline](https://cybertechhelp.com/images/statusicon_cth/user_offline.gif)
|
#2
May 3rd, 2005, 03:59 AM
|
||||
|
||||
|
Welcome to CTH [cinnamongirl]. It's almost certainly a malware file but it would be a good idea to identify it before we delete it. Could you make sure that you can view hidden files and folders (and System Files) and run a search for atiupdpl.exe. When you find it, copy it to a new folder, zip it up (this is important) and email it to me (include a link to this thread). My address is anniefriday@xtra.co.nz. I will post back when I have checked it out.
|
|
#3
May 3rd, 2005, 10:00 PM
|
||||
|
||||
|
Hi again [cinnamongirl], it's baddie alright (Trojan-Proxy.Win32.Small.bo) and we may have to get rid of it in DOS but we will try Killbox first.
Download Killbox from here, unzip the file to your Desktop and have it ready to use. When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts)and run Hijack This again. Check the below entries and click on Fix Checked. O4 - HKLM\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe O4 - HKLM\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe Run Killbox now. Copy and paste the full file path of the below file in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot. C:\WINDOWS\SYSTEM\atiupdpl.exe Post a new Hijack This log.
|
|
#4
May 4th, 2005, 12:53 AM
|
|||
|
|||
|
Hi AnnMarie, I´ve done everything that you told me to and apparently it worked! Just a few observations :
1. When I started Windows, before I see your reply, another error window show up with the message "A349801.exe is causing an error at KERNEL32.DLL". I´ve found this file at C:\. 2. When I runned HJT in Safe Mode, I´ve found just three of the four entries you said me to check. The "O4 - HKCU\..\RunServices: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe" wasn´t there. 3. I´m having a lot of problems with spywares, and viruses. How can I protect my computer? I´ve tried to use OutPost Firewall, but I don´t know how to configure it and use it correctly. 4. I don´t know if it´s just an impression, but I guess my HD´s free space is changing a lot. Sunday, when I started using the PC, I had 1,75 GB free. A little later, I had 1,45, and now I have 1,42. How can I see if there´s a problem? And here´s the new log : Logfile of HijackThis v1.99.1 Scan saved at 20:33:52, on 3/5/2005 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab Thank you again! 
|
|
#5
May 4th, 2005, 01:04 AM
|
||||
|
||||
|
Your log looks fine now [cinnamongirl]. Go ahead and delete A349801.exe.
Have a look here for suggestions on preventing reinfection. Regarding your disk space, a good registry and file cleaner should fix this. See here for a list of programs that might help (I use Ace Utilities and can recommend it but I do not use the delete duplicate dll feature).
|
|
| Bookmarks |
«
Previous Topic
|
Next Topic
»
| Topic Tools | |
|
|
Similar Topics
|
||||
| Topic | Topic Starter | Forum | Replies | Last Post |
| Outlook 2000 will not Archive or Auto Archive | Canmore | Applications | 2 | March 1st, 2007 10:12 PM |
| atiupdpl | sniffer | Malware Removal | 46 | September 29th, 2005 10:59 PM |
| atiupdpl... wat is it? | technoblur | Malware Removal | 7 | June 11th, 2005 02:18 AM |
| atiupdpl.exe AGAIN! | [cinnamongirl] | Malware Removal | 14 | May 23rd, 2005 06:16 AM |
| atiupdpl.exe | Seablues | Malware Removal | 1 | May 15th, 2005 01:39 AM |
All times are GMT +1. The time now is 03:41 AM.