Autoupdater.exe problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by CrazyPhucker, Oct 22, 2004.

  1. CrazyPhucker

    CrazyPhucker Private E-2

    Hello All. I have a problem with some spyware regenerating itself every day. I have completed all the steps that you require to post a HijackThis log file. I clean the computer daily but stuff keeps coming back. Any help on this problem would be appreciated.
    Thank you for your time.
    Sincerely,
    CP


    [log removed]
     
  2. Kodo

    Kodo SNATCHSQUATCH

    your log file must be posted as txt file..
     
  3. CrazyPhucker

    CrazyPhucker Private E-2

    Sorry about that. I couldn't find where to attach it. I am sorry.
    I found it.
    Sincerely,
    CP
     

    Attached Files:

    • hjt.txt (8.9 KB)
  4. Kodo

    Kodo SNATCHSQUATCH

    for you, you're gonna be my guinea pig.
    Go here and download this trial

    Run it in safe mode and then boot normal mode and post another log.. make sure the log is a notepad file (.txt)

    http://www.giantcompany.com/download.aspx?prodID=70
    GIANT Company Software - Download
     
  5. CrazyPhucker

    CrazyPhucker Private E-2

    Thank you for your help on this Kodo. Attached is the latest txt file.
    Thanks again.
    Sincerely,
    CP
     

    Attached Files:

  6. Kodo

    Kodo SNATCHSQUATCH

    well, that didn't do much.. Your system is LOADED with worms. Stuff that our tutorial should have taken care of... are you sure you completed our tutorial listed here


    http://forums.majorgeeks.com/showthread.php?t=35407
    READ ME FIRST: Basic Spyware, Trojan And Virus Removal


    and be honest about it as we're trying our best to help you.. so help us.
     
  7. CrazyPhucker

    CrazyPhucker Private E-2

    I printed out the entire thread and followed it to the "T." In the Giant software it did find 14 items and quarantined them by default; should I go back and delete them?
    This all started after I opened an email from Sams Club.
    Thanks again for all your help.
    Sincerely,
    CP
     
  8. Kodo

    Kodo SNATCHSQUATCH

    I see that you have Norton AV as your antivirus.. is this correct? if so, NAV with updated definitions should be able to handle the worms.
     
  9. CrazyPhucker

    CrazyPhucker Private E-2

    The only thing that NAV detected was some adware threats. Nothing about worms was detected; as a matter of fact, none of the online scans detected any worms.
    C.P.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have an ATI video card with TV output? I'm wondering about this line:
    O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\System32\atitvo32.exe

    It seems to imply ATI, but the random [14c50e6ce648] implies trojan.
     
  11. Kodo

    Kodo SNATCHSQUATCH

    that's odd..
    I don't like having people use two AV's on their system. but if it's a route to take to clean it up..

    If I could ask you to install AVAST

    http://www.majorgeeks.com/download1968.html
    Avast! Home Edition 4.1.418

    and disable Norton and scan only using Avast and see what you find. Do so in safe mode please and in normal mode.
     
  12. CrazyPhucker

    CrazyPhucker Private E-2

    No TV out on this computer. The Stinger program did not detect any trojan
    CP
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure whether Avast helped anything or not so let's hit the manual removal method.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    atitvo32.exe
    AUTODISC.exe
    usrl400.exe
    dmldm.exe
    WindowsUpdate10067[1].exe
    WindowsUpdate20739[1].exe
    WindowsUpdate21745[1].exe
    WindowsUpdate22670[1].exe
    WindowsUpdate33794[1].exe
    WindowsUpdate53865[1].exe
    WindowsUpdate57779[1].exe
    WindowsUpdate79439[1].exe
    WindowsUpdate82748[1].exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\System32\atitvo32.exe
    O4 - HKLM\..\Run: [59135cce213c] C:\WINDOWS\System32\AUTODISC.exe
    O4 - HKLM\..\Run: [oFFU3pU] usrl400.exe
    O4 - HKCU\..\Run: [Yhygqvj] C:\WINDOWS\System32\??rvices.exe
    O4 - HKCU\..\Run: [Zow8RfY8X] dmldm.exe
    O4 - Startup: WindowsUpdate10067[1].exe
    O4 - Startup: WindowsUpdate20739[1].exe
    O4 - Startup: WindowsUpdate21745[1].exe
    O4 - Startup: WindowsUpdate22670[1].exe
    O4 - Startup: WindowsUpdate33794[1].exe
    O4 - Startup: WindowsUpdate53865[1].exe
    O4 - Startup: WindowsUpdate57779[1].exe
    O4 - Startup: WindowsUpdate79439[1].exe
    O4 - Startup: WindowsUpdate82748[1].exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\atitvo32.exe
    C:\WINDOWS\System32\AUTODISC.exe
    C:\WINDOWS\System32\usrl400.exe
    C:\WINDOWS\System32\dmldm.exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate10067[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate20739[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate21745[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate22670[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate33794[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate53865[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate57779[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate79439[1].exe
    C:\Documents and Settings\Trevor Rothrock\Start Menu\Programs\Startup\WindowsUpdate82748[1].exe
    C:\WINDOWS\System32\SearchBar.htm

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
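    The entries chaslang singles out above share a few tells: Run value names that look auto-generated (such as [14c50e6ce648] or [Zow8RfY8X]), a path HijackThis can only render as ??rvices.exe, and Startup-folder executables named like Windows Update with a browser-cache-style [1] suffix. The script below is an added example, not code from this thread or from HijackThis, that turns those observations into a first-pass triage of any O4 lines in a log. The sample lines are constructed after the ones quoted here (plus two legitimate entries from later in the thread), and the scoring heuristics are assumptions of mine; a helper would still confirm each hit by hand.

```python
import re

# Constructed sample: HijackThis-style O4 lines modelled on the entries quoted
# in this thread plus two legitimate ones. Not the poster's actual log file.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [14c50e6ce648] C:\WINDOWS\System32\atitvo32.exe
O4 - HKLM\..\Run: [59135cce213c] C:\WINDOWS\System32\AUTODISC.exe
O4 - HKLM\..\Run: [oFFU3pU] usrl400.exe
O4 - HKCU\..\Run: [Yhygqvj] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Zow8RfY8X] dmldm.exe
O4 - Startup: WindowsUpdate10067[1].exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
"""

# "O4 - <location>: [<value name>] <command>"; Startup-folder items have no [name].
O4_LINE = re.compile(r'^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$')


def looks_random(name):
    """Heuristic (assumption) for auto-generated Run value names. Returns a reason or None."""
    if re.fullmatch(r'[0-9a-f]{12}', name):
        return 'value name is 12 hex digits'
    if ' ' not in name and len(name) >= 6 and not re.search(r'[aeiouAEIOU]', name):
        return 'value name has no vowels'
    if re.search(r'[A-Za-z]\d[A-Za-z]', name) and name != name.lower() and name != name.upper():
        return 'value name mixes case with embedded digits'
    return None


def image_name(cmd):
    """Split the launched image out of the command; returns (basename, had_directory)."""
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split(' ', 1)[0]
    return path.rsplit('\\', 1)[-1], '\\' in path


def triage_o4(log_text):
    """Return the suspicious O4 lines with the reasons each one was flagged."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_LINE.match(line)
        if not m:
            continue
        loc, name, cmd = m.group('loc'), m.group('name') or '', m.group('cmd')
        exe, had_dir = image_name(cmd)
        reasons = []
        if name:
            reason = looks_random(name)
            if reason:
                reasons.append(reason)
        if '?' in cmd:
            # HJT prints '?' for characters it cannot display, a common look-alike trick.
            reasons.append('path contains characters HijackThis could not display')
        if loc.endswith('Startup') and re.search(r'\[\d+\]\.exe$', exe, re.I):
            # The [n] suffix is what IE appends to cached copies of a downloaded file.
            reasons.append('Startup item carries a browser-cache-style [n] suffix')
        if re.match(r'windowsupdate', exe, re.I) and loc.endswith('Startup'):
            reasons.append('Startup item name mimics Windows Update')
        if not loc.endswith('Startup') and not had_dir:
            # Lower confidence on its own: legitimate entries rarely rely on PATH lookup.
            reasons.append('bare file name with no directory')
        if reasons:
            findings.append({'line': line, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in triage_o4(SAMPLE_LOG):
        print(hit['line'])
        for why in hit['reasons']:
            print('    -', why)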
  14. CrazyPhucker

    CrazyPhucker Private E-2

    Well, Avast found three viruses when I scanned in regular mode. I am scanning in safe mode right now to see if anything else comes up.

    I do have a question about Norton AV. Why in the world would Norton not detect these? The def. files were up to date. This is making me think I should switch AV software.

    Thanks again for all the help guys. I will post the safe mode scan of Avast and the new HJT .txt file soon.

    Sincerely,
    CP
     
  15. CrazyPhucker

    CrazyPhucker Private E-2

    OK guys. Here are the results. In the task manager there was not a "usrl400.exe" or "dmldm.exe." I then ran a HJT scan and fixed all that you listed. I then went into safe mode and deleted everything. However, it would not let me delete atitvo32.exe. Also usrl400.exe did not exist nor did dmldm.exe.

    The .txt file is attached.
    Thank you.
    C.P.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay your log is much better. Just this line remains.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

    Did you fix it and delete the C:\WINDOWS\System32\SearchBar.htm file last time?

    You need to decide which AV program you are keeping. You cannot keep both Norton and Avast running. Most of us prefer Avast over Norton.

    You have a lot of processes running. It would be nice to not load some of them.
     
  17. Kodo

    Kodo SNATCHSQUATCH

    yeah, that log is night and day compared to the last one. Glad Avast did the trick.
     
  18. CrazyPhucker

    CrazyPhucker Private E-2

    Hello Chaslang and Kodo. Well, the two of you have helped me out tremendously. I really appreciate all of your help. I have enclosed the latest log and it seems to be clean. I am not sure how to not have so many running processes; I have looked in the start-up folder and there is not much in there. If the two of you have any spare time and could let me know how to reduce the running processes I would also appreciate it. However, I know that you are very busy and since it seems like it is not important I will understand no reply.
    I do have another question though. I am really disappointed with Norton not catching those viruses. I update the defs every evening; is there anything else I should do?

    Thanks a lot guys. I really appreciate the two of you.
    Sincerely,
    C.P.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CP,

    First let's do a few simple things, one I already mentioned.
    1) Decide whether you are keeping Symantec/Norton or Avast and uninstall the other.

    2) C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe This is not a required application and is put on your PC without asking you by AIM (AOL). If you do not use Viewpoint, go to Add/Remove Programs and uninstall it (this does not uninstall AIM, only Viewpoint Manager).

    3) Since the GIANT Company Software application we had you install was only good for 15 days you can uninstall it. If you like it, you will need to buy the full application and install it later.

    4) The below line for MusicMatch Jukebox is not necessary for it to run and can be fixed using HijackThis. If you do not use MusicMatch Jukebox, uninstall it.
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    5) The below line for Quicktime does not need to be loaded at startup and can also be fixed using HijackThis.
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    This is a start! Let's see where that gets us.
     
  20. CrazyPhucker

    CrazyPhucker Private E-2

    Thank you Chaslang. I took care of all that you mentioned. I don't use Windows Messenger and I can't find a way of uninstalling that.
    I have also included another log file.
    Thank you for your time and all your help.
    Sincerely,
    CP
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you look for Messenger or MSN Messenger in Add/Remove programs?



    The sgtray process does not have to be loaded either. So unless you desire this feature have HJT fix the below line. Here is what it is for:

    sgtray.exe is a utility from VERITAS Software Corporation which installs itself on the system tray bar, and serves to remind you to back up your files. This is a non-essential process. Disabling or enabling this is down to user preference.

    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r


    The same goes for updreg. Unless you want this feature have HJT fix the below line too.

    updreg.exe is a process from Creative Technology Ltd. It is used to remind users to register their Creative Labs products. This is a non-essential process. Disabling or enabling this is down to user preference.

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    Do you use Microsoft Money? The below line is not essential for system operation.

    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

    This is the Microsoft Money express system tray icon. It is used by Microsoft Money to remind you of bills, etc while not within money.
     
