how to remove this?? (atmli.dll)
Join Date: Nov 2008
Posts: 8
Solved Threads: 0
Hi, Judy.
I did as you said, and here's the combofix log:
ComboFix 08-11-27.07 - Administrator 2008-11-29 21:02:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.643 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AgCPanelKorea.dll
c:\windows\system32\asycfi.dll
c:\windows\system32\ati3dua.dll
c:\windows\system32\audiosr.dll
c:\windows\system32\auth.dll
c:\windows\system32\avtap.dll
c:\windows\system32\batmete.dll
c:\windows\system32\bitsprx.dll
c:\windows\system32\bthse.dll
c:\windows\system32\bthser.dll
c:\windows\system32\capesnp.dll
c:\windows\system32\CddbLangF.dll
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.
2008-11-28 13:01 . 2008-11-28 13:01 <DIR> d-------- c:\program files\Alcohol Soft
2008-11-28 12:59 . 2008-11-28 12:59 685,816 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-27 23:04 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-11-27 23:04 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-11-27 23:04 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-11-27 23:04 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-11-27 23:04 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2008-11-27 23:04 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-11-27 23:04 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-11-27 23:04 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-11-27 23:04 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-11-27 23:04 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-11-27 23:04 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-11-27 23:04 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-11-25 22:43 . 2008-11-25 22:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-25 22:43 . 2008-11-25 22:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-25 22:43 . 2008-11-25 22:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-25 22:43 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-25 22:43 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-10 17:13 . 2008-11-13 21:43 <DIR> d-------- c:\program files\JAM2
2008-11-09 20:30 . 2008-11-09 20:34 <DIR> d-------- c:\program files\Microsoft GIF Animator
2008-11-09 20:30 . 2008-11-09 20:30 <DIR> d-------- C:\Multimedia Files
2008-11-05 00:07 . 2008-11-05 00:07 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-05 00:07 . 2008-11-05 00:07 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-11-04 23:50 . 2006-11-02 09:09 1,419,232 --a------ c:\windows\system32\wdfcoinstaller01005.dll
2008-11-04 23:50 . 2007-09-25 16:37 20,520 --a------ c:\windows\system32\drivers\ggsemc.sys
2008-11-04 23:50 . 2007-09-25 16:37 13,352 --a------ c:\windows\system32\drivers\ggflt.sys
2008-11-04 23:49 . 2004-08-04 00:56 152,576 --a------ c:\windows\system32\irftp.exe
2008-11-04 23:49 . 2004-08-04 00:56 152,576 --a--c--- c:\windows\system32\dllcache\irftp.exe
2008-11-04 23:49 . 2004-08-03 23:00 87,424 --a------ c:\windows\system32\drivers\irda.sys
2008-11-04 23:49 . 2004-08-03 23:00 87,424 --a--c--- c:\windows\system32\dllcache\irda.sys
2008-11-04 23:49 . 2004-08-04 00:56 27,136 --a------ c:\windows\system32\irmon.dll
2008-11-04 23:49 . 2004-08-04 00:56 27,136 --a--c--- c:\windows\system32\dllcache\irmon.dll
2008-11-04 23:49 . 2001-08-17 13:51 19,584 --a------ c:\windows\system32\drivers\rasirda.sys
2008-11-04 23:49 . 2001-08-17 13:51 19,584 --a--c--- c:\windows\system32\dllcache\rasirda.sys
2008-11-04 23:49 . 2001-08-17 13:51 18,688 --a------ c:\windows\system32\drivers\irsir.sys
2008-11-04 23:49 . 2001-08-17 13:51 18,688 --a--c--- c:\windows\system32\dllcache\irsir.sys
2008-11-04 23:49 . 2004-08-04 00:56 8,192 --a------ c:\windows\system32\wshirda.dll
2008-11-04 23:49 . 2004-08-04 00:56 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-11-04 13:04 . 2008-11-04 13:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Teleca
2008-11-04 13:04 . 2008-11-04 13:04 0 --a------ c:\windows\mngui.INI
2008-11-04 13:03 . 2008-11-04 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sony Ericsson
2008-11-04 12:58 . 2008-11-04 23:42 <DIR> d-------- c:\program files\Common Files\Teleca Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 15:38 17,013,280 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-29 15:36 647,456 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-29 15:35 63,812 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-29 15:35 231,944 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-29 15:29 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-27 09:33 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-25 05:38 15 ----a-w C:\1.bat
2008-11-12 15:37 116,480 ----a-w c:\windows\system32\atmli.dll
2008-10-27 15:47 271,360 ----a-w c:\windows\system32\drivers\atksgt.sys
2008-10-27 15:46 18,048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2008-10-27 15:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-27 15:44 --------- d-----w c:\program files\AGEIA Technologies
2008-10-27 15:39 --------- d-----w c:\program files\Playlogic
2008-10-16 16:09 --------- d-----w c:\program files\Disc2Phone
2008-10-15 16:25 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2008-09-28 05:14 --------- d-----w c:\documents and settings\Administrator\Application Data\Snapfish
2008-09-28 05:08 --------- d-----w c:\documents and settings\Administrator\Application Data\Simple Star
2008-09-28 05:08 --------- d-----w c:\documents and settings\Administrator\Application Data\Ahead
2008-09-28 05:03 --------- d-----w c:\program files\Ahead
2008-09-28 05:02 --------- d-----w c:\program files\Common Files\Nero
2008-09-28 05:00 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-09-28 04:59 --------- d-----w c:\program files\Common Files\Ahead
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0083C93-40CD-40B7-BAC1-158DCC7DEC6E}]
2008-11-12 21:07 116480 --a------ c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 c:\windows\RTHDCPL.exe]
"PN-56M"="sm56hlpr.exe" [2004-12-29 c:\windows\sm56hlpr.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-04 08:13 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\3dsmax7\\3dsmax.exe"=
"c:\\Program Files\\backburner 2\\monitor.exe"=
"c:\\Program Files\\backburner 2\\manager.exe"=
"c:\\Program Files\\backburner 2\\server.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 wrxyyjkh;wrxyyjkh;c:\windows\system32\drivers\wrxyyjkh.sys [2006-02-28 23424]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-11-04 13352]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\DRIVERS\K320bus.sys [2008-10-08 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\DRIVERS\K320mdfl.sys [2008-10-08 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\DRIVERS\K320mdm.sys [2008-10-08 97056]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\K320obex.sys [2008-10-13 86368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ed5d832-7e1c-11dd-9620-0019d1a78bb0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
\Shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f8ad01-9ad4-11dd-9721-0019d1a78bb0}]
\Shell\AutoRun\command - g:\autorun\AutoStart.exe
\Shell\Explore\Command - g:\autorun\AutoStart.exe
\Shell\Open\Command - g:\autorun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7007d7ae-a65a-11dd-9785-0019d1a78bb0}]
\Shell\AutoRun\command - sbsb.exe
\Shell\Explore\Command - sbsb.exe
\Shell\Open\Command - sbsb.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gvhft8n6.default\
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 21:07:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\docume~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_bc4.dat 16384 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1392)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll
- - - - - - - > 'lsass.exe'(1448)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
- - - - - - - > 'explorer.exe'(2652)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-11-29 21:10:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 15:40:15
Pre-Run: 25,723,404,288 bytes free
Post-Run: 25,627,115,520 bytes free
Hi, thanks for the reply 
Here are the two logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:46 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Documents and Settings\Administrator\Desktop\Virus Removal Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120508 serial=DR12CNG-2676408-DQJ lang=EN
O4 - HKLM\..\Run: [PN-56M] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4397 bytes
and the MBA-M log:
Malwarebytes' Anti-Malware 1.30
Database version: 1437
Windows 5.1.2600 Service Pack 2
11/30/2008 4:03:55 PM
mbam-log-2008-11-30 (16-03-55).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 80652
Time elapsed: 15 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\atmli.dll (Trojan.BHO.H) -> Delete on reboot.

Pls reboot your machine, and then post the MBA-M log again as well as a fresh hijackthis log...
Because the current MBA-M log is showing that no action was taken....
Cohen
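A small triage helper, added here as an example and not part of this thread or of any of the tools it names: it parses HijackThis O2 lines and ComboFix mountpoints2 entries of the shapes posted above (the sample lines are constructed to mirror them) and flags the two findings the helpers acted on, an unnamed BHO loading from system32 and cached removable-drive autorun handlers. The regexes and function names are this example's own assumptions, not a documented format of either tool.

```python
import re

# Constructed sample lines in the shapes posted in this thread (HijackThis O2
# entries and ComboFix mountpoints2 entries); they are not the full logs.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
"""

SAMPLE_MOUNTPOINTS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\install.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7007d7ae-a65a-11dd-9785-0019d1a78bb0}]
\Shell\AutoRun\command - sbsb.exe
\Shell\Open\Command - sbsb.exe
"""

# Line shapes assumed from the logs above, not an official grammar of either tool.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
MP_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<vol>[^\]]+)\]$", re.I)
MP_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>AutoRun|Open|Explore)\\command - (?P<cmd>.+)$", re.I)


def triage_bho_lines(text):
    """Return (clsid, path, reason) for O2 entries that deserve a second look.

    A BHO is loaded into every Internet Explorer process, so an entry with no
    friendly name that loads from system32 (atmli.dll in this thread) is a
    classic injection point; an entry whose file is gone is a leftover.
    """
    findings = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue
        name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
        if path == "(no file)":
            findings.append((clsid, path, "orphaned BHO registration, file missing"))
        elif name == "(no name)" and "\\system32\\" in path.lower():
            findings.append((clsid, path, "unnamed BHO loading from system32"))
    return findings


def triage_mountpoints(text):
    """Return (volume, verb, command, note) for every shell handler Explorer
    cached under mountpoints2 for a removable volume.

    These entries replay what the volume's autorun.inf asked for, so a bare
    filename such as sbsb.exe is run from the drive root the next time that
    volume is plugged in; every handler is listed so the analyst can decide.
    """
    findings = []
    vol = None
    for line in text.splitlines():
        line = line.strip()
        k = MP_KEY_RE.match(line)
        if k:
            vol = k.group("vol")
            continue
        c = MP_CMD_RE.match(line)
        if c and vol is not None:
            cmd = c.group("cmd")
            if re.match(r"[a-z]:\\", cmd, re.I):
                note = "full path on the volume's drive letter"
            elif "\\" not in cmd:
                note = "bare filename resolved against the volume root"
            else:
                note = "command line, review manually"
            findings.append((vol, c.group("verb"), cmd, note))
    return findings


if __name__ == "__main__":
    for f in triage_bho_lines(SAMPLE_HJT) + triage_mountpoints(SAMPLE_MOUNTPOINTS):
        print(" | ".join(f))
```

Point it at a saved HijackThis or ComboFix log instead of the samples to get the same shortlist the CFScript below targets.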
Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip
Unzip the file and save it to your desktop.
To run FileFind, please do the following:
- Click on FileFind.exe
- In the box labeled "Enter the directory to search"
- Enter Drive, e.g. C:\
- In the box labeled "Enter the file to search"
- Enter the file sbsb.exe
- Now click on the "Find" button
- Once the utility has found the files click on "Export"
- This will save a text file to your C:\ drive as "Export.txt"
- Double click on Export.txt, copy and paste this information in your next post.
==============
1. Please open Notepad
- Click Start, then Run
- Type notepad.exe in the Run Box.

KillAll::
File::
c:\windows\system32\atmli.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0083C93-40CD-40B7-BAC1-158DCC7DEC6E}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7007d7ae-a65a-11dd-9785-0019d1a78bb0}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Save the above as CFScript.txt
4. Physically disconnect from the internet.
5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
- Combofix.txt
- A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Last edited by crunchie; Dec 3rd, 2008 at 7:30 am.
Views: 4265 | Replies: 15