Q: hf1dkgw.exe - What is it and how do I get rid of it? (Answered, 2 Comments)
Question  
Subject: hf1dkgw.exe - What is it and how do I get rid of it?
Category: Computers > Software
Asked by: steve75-ga
List Price: $3.00
Posted: 06 Sep 2005 12:22 PDT
Expires: 06 Oct 2005 12:22 PDT
Question ID: 564877
This file keeps trying to load upon startup. 

hf1dkgw.exe

Can someone please tell me what this file does and how I can
permanently prevent it from trying to load? I'm having problems with
pop-up ads and think this may be spyware of some sort.

Request for Question Clarification by livioflores-ga on 06 Sep 2005 13:56 PDT
Hi!!

This file is a randomly named executable file created by a piece of
pestware that got onto your computer in some way.

The easy answer to your question is to start in Safe Mode and then
search for and delete that file, but commonly this is not enough with
most pestware.

To do a better job of getting rid of this pest, download HijackThis,
scan your computer with it and post a log here (do not fix anything
without assistance because you can damage your system). You will find
instructions at the following page:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

See this part of the tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse

After you post the log here I will analyze it and show you the steps
to get rid of all the pests infecting your PC.

Regards,
livioflores-ga

Clarification of Question by steve75-ga on 06 Sep 2005 14:40 PDT
Logfile of HijackThis v1.99.1
Scan saved at 5:38:42 PM, on 9/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\sbroido\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Motley Fool
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\rm6yg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [hf1dkgw.exe] C:\WINDOWS\System32\hf1dkgw.exe /k
O4 - HKCU\..\RunOnce: [hf1dkgw.exe] C:\WINDOWS\System32\hf1dkgw.exe /k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1552245878686ebed720/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107895330937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126034195671
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Answer  
Subject: Re: hf1dkgw.exe - What is it and how do I get rid of it?
Answered By: livioflores-ga on 06 Sep 2005 22:44 PDT
 
Hi!!


Your computer is infected with a pest and I think that it can be easily
fixed. Please do the following:

First, download and install CleanUp! but do not run it yet.
Note that Cleanup! deletes EVERYTHING out of temp/temporary folders
and does not make backups:
http://www.stevengould.org/downloads/cleanup/CleanUp40.exe


Now reboot into Safe Mode. You can do this by restarting your computer and
after hearing your computer beep once during startup, but before the
Windows icon appears, press F8 until a menu appears. Use your up arrow
key to highlight Safe Mode, then hit enter. Or see other options and
further instructions here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam


Once in Safe Mode, open CleanUp! by double-clicking the icon on your
desktop (or from the Start --> All Programs menu). Set the program up as
follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
   -Empty Recycle Bins
   -Delete Cookies
   -Delete Prefetch files
   -Scan local drives for temporary files
   -Cleanup! All Users
*Click OK
*Press the CleanUp! button.

Still in safe mode, run HijackThis, click Scan, and place a checkmark
ONLY next to the following items (if still present):
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\rm6yg.dll
O4 - HKLM\..\RunOnce: [hf1dkgw.exe] C:\WINDOWS\System32\hf1dkgw.exe /k
O4 - HKCU\..\RunOnce: [hf1dkgw.exe] C:\WINDOWS\System32\hf1dkgw.exe /k
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1552245878686ebed720/netzip/RdxIE601.cab

After you have selected ALL of the above items that are present, click on the "Fix Checked" button.

Ensure that all the files in your system are viewable:
"Help: How to Show System Files"
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Then find and delete the following files:
C:\WINDOWS\system32\rm6yg.dll
C:\WINDOWS\System32\hf1dkgw.exe

Reboot into normal mode (that is, boot normally).
Once in normal mode, check your computer's behaviour. Then run
HijackThis, scan your computer and generate a fresh log (you must not
fix anything; after a new analysis of it I will tell you if there are
remnants to be fixed with this tool). This log must be posted here as
a request for clarification.


I hope this helps you. Feel free to request a clarification if you need it.

Regards,
livioflores-ga
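
The two HijackThis passages above (the request to post a log, and the answer's list of O2/O4 entries to fix) show a helper reading a log by eye. Here, as an added example that is not part of this page or of HijackThis itself, is a small Python parser for the O2 (BHO) and O4 (autorun) line formats, with a triage pass that applies three heuristics of my own: a RunOnce value loading from System32, an unnamed BHO loading from System32, and a vowel-poor, random-looking filename. The sample lines are a constructed subset of the log posted in the question, one entry per line; the rules are assumptions to prioritise review, not a verdict on any file.

```python
"""Parse the O2 (BHO) and O4 (autorun) lines of a HijackThis log and flag the
entries a helper would look at first.

Example code added to this page; not HijackThis's own logic.  The triage
rules below are simple heuristics (assumptions), not a verdict."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in the question, one entry
# per line as HijackThis itself writes them (the page shows them wrapped).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\rm6yg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [hf1dkgw.exe] C:\WINDOWS\System32\hf1dkgw.exe /k
O4 - HKCU\..\RunOnce: [hf1dkgw.exe] C:\WINDOWS\System32\hf1dkgw.exe /k
"""

# "O2 - BHO: <name> - {<CLSID>} - <dll path>"; the name is matched lazily so a
# path containing " - " (Spybot - Search & Destroy) stays whole.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# The executable part of an O4 command: a quoted path, or everything up to
# the first extension, so both 'C:\a b\c.exe' and 'C:\x\y.exe /k' split right.
CMD_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat|pif))(?:\s|$)', re.I)
SYSTEM_DIR_RE = re.compile(r"\\(windows|winnt)\\system32\\[^\\]+$", re.I)
VOWELS = set("aeiou")


@dataclass
class Entry:
    kind: str   # "O2" or "O4"
    name: str   # BHO display name, or the O4 value name in [brackets]
    path: str   # file the entry loads
    where: str  # CLSID for O2, "HIVE\key" for O4
    raw: str


def parse_hjt(text):
    """Return the O2/O4 entries of a log, in order; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"], line))
            continue
        m = O4_RE.match(line)
        if m:
            c = CMD_RE.match(m["cmd"])
            path = (c["q"] or c["u"]) if c else m["cmd"]
            entries.append(Entry("O4", m["label"], path, m["hive"] + "\\" + m["key"], line))
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_random(filename):
    """Heuristic: a stem of 5+ characters with almost no vowels (hf1dkgw, rm6yg)
    reads as machine-generated; product names like atiptaxx or gcasServ do not."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [ch for ch in stem if ch.isalpha()]
    if len(stem) < 5 or not letters:
        return False
    return sum(ch in VOWELS for ch in letters) / len(letters) < 0.25


def triage(entries):
    """Return (entry, [reasons]) for every entry that trips at least one rule."""
    findings = []
    for e in entries:
        base, in_sys = basename(e.path), bool(SYSTEM_DIR_RE.search(e.path))
        reasons = []
        if e.kind == "O4" and e.where.endswith("RunOnce") and in_sys:
            # A RunOnce value is normally deleted once it has run, so one that
            # is still present after boot was put back by something.
            reasons.append("RunOnce entry loading from System32")
        if e.kind == "O2" and e.name == "(no name)" and in_sys:
            reasons.append("unnamed BHO loaded from System32")
        if looks_random(base):
            reasons.append("random-looking filename: " + base)
        if reasons:
            findings.append((e, reasons))
    return findings


def flagged_files(text):
    """Sorted, de-duplicated filenames that triage() flagged in a log."""
    return sorted({basename(e.path) for e, _ in triage(parse_hjt(text))})


if __name__ == "__main__":
    for e, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(e.raw)
        for r in reasons:
            print("    ->", r)
```

Run against the constructed sample, the only files flagged are rm6yg.dll and hf1dkgw.exe, the two the answer tells the asker to remove, while the Spybot helper (unnamed, but in Program Files with an ordinary name) and the ATI, Logitech and Microsoft AntiSpyware autoruns pass untouched. The vowel threshold is a rough filter and should be read as a prompt for manual review; a helper would still check each flagged path before fixing anything.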

Request for Answer Clarification by steve75-ga on 07 Sep 2005 11:34 PDT
Seems to be gone! Hooray!

Logfile of HijackThis v1.99.1
Scan saved at 2:31:57 PM, on 9/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\userinit.exe
C:\Documents and Settings\sbroido\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107895330937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126034195671
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = h
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Clarification of Answer by livioflores-ga on 07 Sep 2005 19:33 PDT
Hi!!

Yes, your log seems to be clean now. Congratulations, you did it very well.
Now some security advice:
- You have not updated your Windows with Service Pack 2; I strongly
suggest you do that. Just visit the Windows Update page:
http://windowsupdate.microsoft.com/


- You are not running any antivirus; again, this is an invitation to
future infections. I suggest you download and install Avast!
antivirus; it is free and a good one. Just register here and you will
receive a free one-year key via email; you do not have to pay for it:
http://www.avast.com/i_kat_207.php?lang=ENG

Download it from here:
http://www.avast.com/eng/down_home.html


- You are not using a firewall; again, that is not a good idea. There are
very good free options:
Zone Alarm:
http://download.zonelabs.com/bin/free/1003_zl/zlsSetup_60_667_000.exe

Kerio:
http://www.kerio.com/kpf_download.html


- You can vaccinate your computer against spyware using
SpywareBlaster; see more info here:
"Using SpywareBlaster to protect your computer from Spyware,
Hijackers, and Malware":
http://www.bleepingcomputer.com/forums/index.php?showtutorial=49

Download it from here:
http://www.javacoolsoftware.com/sbdownload.html


I hope that this info helps you to keep your computer clean and safe.
Remember to keep your Windows operating system and the security tools
updated; you must update them at least once a week, and daily is
preferred.

Best regards,
livioflores-ga
Comments  
Subject: Re: hf1dkgw.exe - What is it and how do I get rid of it?
From: dkseshadri-ga on 17 Sep 2005 03:22 PDT
 
livioflores-ga, your answer to steve75-ga is really wonderful and helped me a lot.
I have no idea how to tip you since I haven't created this question,
but my sincere thanks.

Sesh
Subject: Re: hf1dkgw.exe - What is it and how do I get rid of it?
From: edithcen-ga on 17 Sep 2005 20:48 PDT
 
You can do that by posting a question to livioflores (Subject: To
livioflores-ga), pricing the question with the amount you want to give
him.
