how to remove this?? (atmli.dll)

Question

tekina 0 Newbie Poster

15 Years Ago

hi,
im having annoying popups directing Internet Explorer to virus sites. im using Kaspersky Internet Security 7.0, i detects the virus, but can't remove the file (atmli.dll) in the system32 folder....
can anyone help?
Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:12 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120508 serial=DR12CNG-2676408-DQJ lang=EN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [PN-56M] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B26A5BE-FB0E-4E79-A5F5-26688DB92C01}: NameServer = 218.248.255.212 218.248.255.139
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4275 bytes

windows-virus

4 Contributors
15 Replies
225 Views
1 Week Discussion Span
Latest Post 15 Years Ago Latest Post by crunchie

All 15 Replies

jholland1964 650 Posting Expert

15 Years Ago

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.

Run a new HJT scan. Post back with that log and the MBA-M log.

jholland1964 650 Posting Expert

15 Years Ago

Did you read the instructions for MBA-M? Please go back, update it again to be sure, and then run it again following this part of my previously posted instructions;

* Be sure that everything is checked, and click Remove Selected.

Once you do that then Reboot the computer and run HiJackThis again.
Judy

jholland1964 650 Posting Expert

15 Years Ago

When you reboot after MBA-M tells you to reboot the program will not start again. But run it again to be certain that it DID remove.
You should always reboot when it says some items cannot be removed until the reboot. The reason for this is some of these are in use so in order to remove them the computer must be rebooted so that MBA-M can remove them before they restart.
Where are you located? What is the name of your internet provider?

jholland1964 650 Posting Expert

15 Years Ago

Did you click Yes on the box or just restart the computer.
You need to click that Yes button and then restart.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

tekina 0 Newbie Poster · Answer 1 · 2008-11-26T00:07:41+00:00

thanks for replying jholland :)
i did install malwares' anti malware. here's the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 2

11/25/2008 11:30:44 PM
mbam-log-2008-11-25 (23-30-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 81327
Time elapsed: 14 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmli.dll (Trojan.BHO.H) -> No action taken.
================================================

and the new HJT log:

================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:16 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\Virus Removal Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120508 serial=DR12CNG-2676408-DQJ lang=EN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [PN-56M] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4115 bytes

tekina 0 Newbie Poster · Answer 2 · 2008-11-26T11:48:59+00:00

oh i did do that. This is what it showed :

when i reboot, nothing more happens, the program does not start.
again, here's the log: Malwarebytes' Anti-Malware 1.30 Database version: 1423 Windows 5.1.2600 Service Pack 2 11/25/2008 11:10:41 PM mbam-log-2008-11-25 (23-10-37).txt Scan type: Quick Scan Objects scanned: 46932 Time elapsed: 4 minute(s), 11 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 4 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.Agent) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\atmli.dll (Trojan.BHO.H) -> No action taken.

here's the new HJT log : Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:18:00 AM, on 11/26/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Administrator\Desktop\Virus Removal Tools\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href="http://www.google.co.in/">http://www.google.co.in/</a> O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120508 serial=DR12CNG-2676408-DQJ lang=EN O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" O4 - HKLM\..\Run: [PN-56M] sm56hlpr.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{2B26A5BE-FB0E-4E79-A5F5-26688DB92C01}: NameServer = 218.248.255.212 218.248.255.139 O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- End of file - 4257 bytes

The good news is that my Kaspersky has stopped detecting "atmli.dll" as "Heur.Trojan.Generic"

tekina 0 Newbie Poster · Answer 3 · 2008-11-26T12:03:58+00:00

Im located in India, Pune.
My ISP is Bharat Sanchar Nigam Limited (BSNL)
i ran the scan 3 times and rebooted three times, but the registry keys keep popping up every time.
Thanks for your valuable time, i really appreciate it. :)
---Aniket

tekina 0 Newbie Poster · Answer 4 · 2008-11-27T11:26:07+00:00

Did you click Yes on the box or just restart the computer.
You need to click that Yes button and then restart.

yes, thats exactly what i did. The anti-malware couldn't remove it i guess.
The registry couldn't be edited. Nor can i maually delete those keys.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 5 · 2008-11-27T23:07:55+00:00

The first thing you should do is print out this guide as we will close all the open windows and programs, including your web browser, before starting the ComboFix program. download ComboFix, You will get a prompt asking if you want to run or save the file. Choose SAVE and save it to the desk top. DO NOT RUN it YET
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically
You should now post this log here when all is complete.

tekina 0 Newbie Poster · Answer 6 · 2008-11-29T21:48:32+00:00

Hi, Judy.
I did as you said, and here's the combofix log:

ComboFix 08-11-27.07 - Administrator 2008-11-29 21:02:51.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.643 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point

[B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AgCPanelKorea.dll
c:\windows\system32\asycfi.dll
c:\windows\system32\ati3dua.dll
c:\windows\system32\audiosr.dll
c:\windows\system32\auth.dll
c:\windows\system32\avtap.dll
c:\windows\system32\batmete.dll
c:\windows\system32\bitsprx.dll
c:\windows\system32\bthse.dll
c:\windows\system32\bthser.dll
c:\windows\system32\capesnp.dll
c:\windows\system32\CddbLangF.dll

.
(((((((((((((((((((((((((   Files Created from 2008-10-28 to 2008-11-29  )))))))))))))))))))))))))))))))
.

2008-11-28 13:01 . 2008-11-28 13:01	<DIR>	d--------	c:\program files\Alcohol Soft
2008-11-28 12:59 . 2008-11-28 12:59	685,816	--a------	c:\windows\system32\drivers\sptd.sys
2008-11-27 23:04 . 2001-08-17 22:36	8,704	--a------	c:\windows\system32\kbdjpn.dll
2008-11-27 23:04 . 2001-08-17 22:36	8,704	--a--c---	c:\windows\system32\dllcache\kbdjpn.dll
2008-11-27 23:04 . 2001-08-17 22:36	8,192	--a------	c:\windows\system32\kbdkor.dll
2008-11-27 23:04 . 2001-08-17 22:36	8,192	--a--c---	c:\windows\system32\dllcache\kbdkor.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a------	c:\windows\system32\kbd106.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a------	c:\windows\system32\kbd101c.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a------	c:\windows\system32\kbd101b.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a--c---	c:\windows\system32\dllcache\kbd106.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a--c---	c:\windows\system32\dllcache\kbd101c.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a--c---	c:\windows\system32\dllcache\kbd101b.dll
2008-11-27 23:04 . 2001-08-17 14:55	5,632	--a------	c:\windows\system32\kbd103.dll
2008-11-27 23:04 . 2001-08-17 14:55	5,632	--a--c---	c:\windows\system32\dllcache\kbd103.dll
2008-11-25 22:43 . 2008-11-25 22:43	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2008-11-25 22:43 . 2008-11-25 22:43	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-25 22:43 . 2008-11-25 22:43	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-25 22:43 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-25 22:43 . 2008-10-22 16:10	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-11-10 17:13 . 2008-11-13 21:43	<DIR>	d--------	c:\program files\JAM2
2008-11-09 20:30 . 2008-11-09 20:34	<DIR>	d--------	c:\program files\Microsoft GIF Animator
2008-11-09 20:30 . 2008-11-09 20:30	<DIR>	d--------	C:\Multimedia Files
2008-11-05 00:07 . 2008-11-05 00:07	0	--ah-----	c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-05 00:07 . 2008-11-05 00:07	0	--ah-----	c:\windows\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-11-04 23:50 . 2006-11-02 09:09	1,419,232	--a------	c:\windows\system32\wdfcoinstaller01005.dll
2008-11-04 23:50 . 2007-09-25 16:37	20,520	--a------	c:\windows\system32\drivers\ggsemc.sys
2008-11-04 23:50 . 2007-09-25 16:37	13,352	--a------	c:\windows\system32\drivers\ggflt.sys
2008-11-04 23:49 . 2004-08-04 00:56	152,576	--a------	c:\windows\system32\irftp.exe
2008-11-04 23:49 . 2004-08-04 00:56	152,576	--a--c---	c:\windows\system32\dllcache\irftp.exe
2008-11-04 23:49 . 2004-08-03 23:00	87,424	--a------	c:\windows\system32\drivers\irda.sys
2008-11-04 23:49 . 2004-08-03 23:00	87,424	--a--c---	c:\windows\system32\dllcache\irda.sys
2008-11-04 23:49 . 2004-08-04 00:56	27,136	--a------	c:\windows\system32\irmon.dll
2008-11-04 23:49 . 2004-08-04 00:56	27,136	--a--c---	c:\windows\system32\dllcache\irmon.dll
2008-11-04 23:49 . 2001-08-17 13:51	19,584	--a------	c:\windows\system32\drivers\rasirda.sys
2008-11-04 23:49 . 2001-08-17 13:51	19,584	--a--c---	c:\windows\system32\dllcache\rasirda.sys
2008-11-04 23:49 . 2001-08-17 13:51	18,688	--a------	c:\windows\system32\drivers\irsir.sys
2008-11-04 23:49 . 2001-08-17 13:51	18,688	--a--c---	c:\windows\system32\dllcache\irsir.sys
2008-11-04 23:49 . 2004-08-04 00:56	8,192	--a------	c:\windows\system32\wshirda.dll
2008-11-04 23:49 . 2004-08-04 00:56	8,192	--a--c---	c:\windows\system32\dllcache\wshirda.dll
2008-11-04 13:04 . 2008-11-04 13:04	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Teleca
2008-11-04 13:04 . 2008-11-04 13:04	0	--a------	c:\windows\mngui.INI
2008-11-04 13:03 . 2008-11-04 13:03	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Sony Ericsson
2008-11-04 12:58 . 2008-11-04 23:42	<DIR>	d--------	c:\program files\Common Files\Teleca Shared

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 15:38	17,013,280	--sha-w	c:\windows\system32\drivers\fidbox.dat
2008-11-29 15:36	647,456	--sha-w	c:\windows\system32\drivers\fidbox2.dat
2008-11-29 15:35	63,812	--sha-w	c:\windows\system32\drivers\fidbox2.idx
2008-11-29 15:35	231,944	--sha-w	c:\windows\system32\drivers\fidbox.idx
2008-11-29 15:29	---------	d-----w	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-27 09:33	---------	d-----w	c:\documents and settings\Administrator\Application Data\LimeWire
2008-11-25 05:38	15	----a-w	C:\1.bat
2008-11-12 15:37	116,480	----a-w	c:\windows\system32\atmli.dll
2008-10-27 15:47	271,360	----a-w	c:\windows\system32\drivers\atksgt.sys
2008-10-27 15:46	18,048	----a-w	c:\windows\system32\drivers\lirsgt.sys
2008-10-27 15:44	---------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2008-10-27 15:44	---------	d-----w	c:\program files\AGEIA Technologies
2008-10-27 15:39	---------	d-----w	c:\program files\Playlogic
2008-10-16 16:09	---------	d-----w	c:\program files\Disc2Phone
2008-10-15 16:25	---------	d-----w	c:\documents and settings\Administrator\Application Data\U3
2008-09-28 05:14	---------	d-----w	c:\documents and settings\Administrator\Application Data\Snapfish
2008-09-28 05:08	---------	d-----w	c:\documents and settings\Administrator\Application Data\Simple Star
2008-09-28 05:08	---------	d-----w	c:\documents and settings\Administrator\Application Data\Ahead
2008-09-28 05:03	---------	d-----w	c:\program files\Ahead
2008-09-28 05:02	---------	d-----w	c:\program files\Common Files\Nero
2008-09-28 05:00	---------	d-----w	c:\documents and settings\All Users\Application Data\Ahead
2008-09-28 04:59	---------	d-----w	c:\program files\Common Files\Ahead
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0083C93-40CD-40B7-BAC1-158DCC7DEC6E}]
2008-11-12 21:07	116480	--a------	c:\windows\system32\atmli.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CorelDRAW Graphics Suite 11b"="c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 729088]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 c:\windows\RTHDCPL.exe]
"PN-56M"="sm56hlpr.exe" [2004-12-29 c:\windows\sm56hlpr.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-04 08:13 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\3dsmax7\\3dsmax.exe"=
"c:\\Program Files\\backburner 2\\monitor.exe"=
"c:\\Program Files\\backburner 2\\manager.exe"=
"c:\\Program Files\\backburner 2\\server.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R0 wrxyyjkh;wrxyyjkh;c:\windows\system32\drivers\wrxyyjkh.sys [2006-02-28 23424]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-04-04 24344]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-11-04 13352]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\DRIVERS\K320bus.sys [2008-10-08 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\DRIVERS\K320mdfl.sys [2008-10-08 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\DRIVERS\K320mdm.sys [2008-10-08 97056]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\K320obex.sys [2008-10-13 86368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ed5d832-7e1c-11dd-9620-0019d1a78bb0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
\Shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44f8ad01-9ad4-11dd-9721-0019d1a78bb0}]
\Shell\AutoRun\command - g:\autorun\AutoStart.exe
\Shell\Explore\Command - g:\autorun\AutoStart.exe
\Shell\Open\Command - g:\autorun\AutoStart.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7007d7ae-a65a-11dd-9785-0019d1a78bb0}]
\Shell\AutoRun\command - sbsb.exe
\Shell\Explore\Command - sbsb.exe
\Shell\Open\Command - sbsb.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gvhft8n6.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [url]http://www.gmer.net[/url]
Rootkit scan 2008-11-29 21:07:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\docume~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_bc4.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1392)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\adialhk.dll

- - - - - - - > 'lsass.exe'(1448)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll

- - - - - - - > 'explorer.exe'(2652)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-11-29 21:10:22 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-29 15:40:15

Pre-Run: 25,723,404,288 bytes free
Post-Run: 25,627,115,520 bytes free

188

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 7 · 2008-11-29T22:49:29+00:00

Ok update MBA-M again. Run a FULL SCAN. Allow it to Remove All found. Save the log. Then Reboot.
Run HJT again and save the log. Post back with both logs.

tekina 0 Newbie Poster · Answer 8 · 2008-11-30T16:45:04+00:00

Hi, thanks for the reply :)
Here are the two logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:46 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Documents and Settings\Administrator\Desktop\Virus Removal Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.google.co.in/[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://go.microsoft.com/fwlink/?LinkId=69157[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://go.microsoft.com/fwlink/?LinkId=54896[/url]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120508 serial=DR12CNG-2676408-DQJ lang=EN
O4 - HKLM\..\Run: [PN-56M] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

--
End of file - 4397 bytes

and the MBA-M log:

Malwarebytes' Anti-Malware 1.30
Database version: 1437
Windows 5.1.2600 Service Pack 2

11/30/2008 4:03:55 PM
mbam-log-2008-11-30 (16-03-55).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 80652
Time elapsed: 15 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmli.dll (Trojan.BHO.H) -> Delete on reboot.

cohen 17 Practically a Posting Shark Featured Poster · Answer 9 · 2008-12-03T16:06:57+00:00

Pls reboot your machine, and then post the MBA-M log again as well as a fresh hijackthis log...

Because the current MBA-M log is showing that no action was taken....

Cohen

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 10 · 2008-12-03T17:13:49+00:00

Because the current MBA-M log is showing that no action was taken....
Cohen

You might have posted in the wrong thread as it looks to me like MBAM was run correctly :D

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 11 · 2008-12-03T17:28:56+00:00

Please download FileFind from Atribune:
http://www.atribune.org/downloads/FileFind.zip

Unzip the file and save it to your desktop.

To run FileFind, please do the following: Click on FileFind.exe
In the box labeled "Enter the directory to search"
Enter Drive eg.. C:\
In the box labeled "Enter the file to search"
Enter the file sbsb.exe
Now click on the "Find" button
Once the utility has found the files click on "Export"
This will save a text file to your C:\ drive as "Export.txt"
Double click on Export.txt, copy and paste this information in your next post.

==============

1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
c:\windows\system32\atmli.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0083C93-40CD-40B7-BAC1-158DCC7DEC6E}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7007d7ae-a65a-11dd-9785-0019d1a78bb0}]Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter youre-enable all the programs that were disabled during the running of ComboFix:Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

how to remove this?? (atmli.dll)

Recommended Answers Collapse Answers

All 15 Replies

Recommended Answers