hijack this log

[yanks26]

For the past month I've run adware and I've had a bug that doesn't want to go away. If you could check my log and see if there is anything wrong with it, that would be great. Thankyou very much.

Logfile of HijackThis v1.99.1
Scan saved at 5:42:21 PM, on 2/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1135214065\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chad I\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://steampowered.com/Steam/Marketing/December16.2005/img/CSS_Seal_Team_6.jpg
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135214065\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Chad I\Local Settings\Temp\{F3DDD045-F509-41A4-B50B-A1611C49FD7A}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

 

[elmarcorulz]

What bug is it that doesnt go away?

 

[yanks26]

I'm not that sure. I just ran adware again and it says it's with my system and one is with my volume control. I have absolutely no clue how i got it or why it won't go away with adware.

 

[Buzz1927]

Run Hijackthis and select "Do a system scan only", place a check by the following entries.

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

Close all open windows and browsers, and hit "Fix Checked".

Delete this folder.

C:\Program Files\winupdates

Reboot and post a new log.

 

[yanks26]

I did what you told me to do with the hijack this, but i was looking for the folder you told me to delete and i can't find it.
Anyway, here's my hijackthis log you told me to do.
Thanks a lot.

Logfile of HijackThis v1.99.1
Scan saved at 2:34:00 PM, on 2/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\AOL\1135214065\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://steampowered.com/Steam/Marketing/December16.2005/img/CSS_Seal_Team_6.jpg
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135214065\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Chad I\Local Settings\Temp\{F3DDD045-F509-41A4-B50B-A1611C49FD7A}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

 

[Buzz1927]

Please download, install, and update the NEW free version of Ewido trojan scanner:

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
   
2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
   
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
   
4. After the update finishes (the status bar at the bottom will display "Update successful")
   
5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
   
6. If ewido finds anything, it will pop up a notification. Select "Remove" and "Perform action on all Infections" and "Create encrypted backup".
   
7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then post the Ewido report here.

 

[yanks26]

I did the ewido and everything you told me to do but it wants me to get rid of all 1518 of them one by one. I've never even heard of these things that it wants me to get rid of either. Do you want me to get rid oe each one, one by one?

 

[Buzz1927]

Embedded in an archive, yes? Unfortunately, you need to select "yes" for every one, I just done 3000 on my sister's.

 

[yanks26]

Should i even bother to look and see if they are embedded because the forst 500 were? Or if i hit one that is not embedded, will it hurt my computer?

 

[burton_o6]

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

C:\Program Files\winupdates\winupdates.exe

 

[Buzz1927]

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

C:\Program Files\winupdates\winupdates.exe

Have you read the whole thread?

 

[burton_o6]

ya...i did...i understand that you have found the files needed to be fixed...And i am posting a second opinion, confirming your anwsers...you can settle down now

 

[yanks26]

Anywho, it won't let me delete that anyway.

 

[burton_o6]

safemode?

 

[Buzz1927]

Sorry??? I can settle down now?

yanks, boot into safemode and delete it.

 

[yanks26]

Ok

 

[burton_o6]

"" did you read the last post?

 

[yanks26]

And just another question. I have limewire and when i start up my computer, it awlways pops up. I've tried clicking it so it would pop up when i start up, then clicking it so it doesn't start up when i do. But it does. I've also tried deleting it completely then downloading it again, but it always pops up when i start my computer. Any ideas?
Thanks

 

[yanks26]

And even when i completely close after i and it starts up, it still pops up.

 

[burton_o6]

msconfig. start up tab...uncheck limewire