tekina 0 Newbie Poster

Hi, thanks for the reply :)
Here are the two logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:46 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Documents and Settings\Administrator\Desktop\Virus Removal Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120508 serial=DR12CNG-2676408-DQJ lang=EN
O4 - HKLM\..\Run: [PN-56M] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel …
tekina 0 Newbie Poster

Hi, Judy.
I did as you said, and here's the combofix log:

ComboFix 08-11-27.07 - Administrator 2008-11-29 21:02:51.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.643 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AgCPanelKorea.dll
c:\windows\system32\asycfi.dll
c:\windows\system32\ati3dua.dll
c:\windows\system32\audiosr.dll
c:\windows\system32\auth.dll
c:\windows\system32\avtap.dll
c:\windows\system32\batmete.dll
c:\windows\system32\bitsprx.dll
c:\windows\system32\bthse.dll
c:\windows\system32\bthser.dll
c:\windows\system32\capesnp.dll
c:\windows\system32\CddbLangF.dll

.
(((((((((((((((((((((((((   Files Created from 2008-10-28 to 2008-11-29  )))))))))))))))))))))))))))))))
.

2008-11-28 13:01 . 2008-11-28 13:01	<DIR>	d--------	c:\program files\Alcohol Soft
2008-11-28 12:59 . 2008-11-28 12:59	685,816	--a------	c:\windows\system32\drivers\sptd.sys
2008-11-27 23:04 . 2001-08-17 22:36	8,704	--a------	c:\windows\system32\kbdjpn.dll
2008-11-27 23:04 . 2001-08-17 22:36	8,704	--a--c---	c:\windows\system32\dllcache\kbdjpn.dll
2008-11-27 23:04 . 2001-08-17 22:36	8,192	--a------	c:\windows\system32\kbdkor.dll
2008-11-27 23:04 . 2001-08-17 22:36	8,192	--a--c---	c:\windows\system32\dllcache\kbdkor.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a------	c:\windows\system32\kbd106.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a------	c:\windows\system32\kbd101c.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a------	c:\windows\system32\kbd101b.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a--c---	c:\windows\system32\dllcache\kbd106.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a--c---	c:\windows\system32\dllcache\kbd101c.dll
2008-11-27 23:04 . 2001-08-17 14:55	6,144	--a--c---	c:\windows\system32\dllcache\kbd101b.dll
2008-11-27 23:04 . 2001-08-17 14:55	5,632	--a------	c:\windows\system32\kbd103.dll
2008-11-27 23:04 . 2001-08-17 14:55	5,632	--a--c---	c:\windows\system32\dllcache\kbd103.dll
2008-11-25 22:43 . 2008-11-25 22:43	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2008-11-25 22:43 . 2008-11-25 22:43	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-25 22:43 . 2008-11-25 22:43	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-25 22:43 . 2008-10-22 16:10	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-25 22:43 . 2008-10-22 16:10	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-11-10 17:13 . 2008-11-13 21:43	<DIR>	d--------	c:\program files\JAM2 …
tekina 0 Newbie Poster

Did you click Yes on the box or just restart the computer?
You need to click that Yes button and then restart.

Yes, that's exactly what I did. The anti-malware couldn't remove it, I guess.
The registry couldn't be edited. Nor can I manually delete those keys.

tekina 0 Newbie Poster

I'm located in Pune, India.
My ISP is Bharat Sanchar Nigam Limited (BSNL).
I ran the scan 3 times and rebooted three times, but the registry keys keep popping up every time.
Thanks for your valuable time, I really appreciate it. :)
---Aniket

tekina 0 Newbie Poster

Oh, I did do that. This is what it showed:

(attached screenshot: viruses.JPG)

When I reboot, nothing more happens; the program does not start.
Again, here's the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 2

11/25/2008 11:10:41 PM
mbam-log-2008-11-25 (23-10-37).txt

Scan type: Quick Scan
Objects scanned: 46932
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmli.dll (Trojan.BHO.H) -> No action taken.

Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:00 …

tekina 0 Newbie Poster

Thanks for replying, jholland :)
I did install Malwarebytes' Anti-Malware. Here's the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 2

11/25/2008 11:30:44 PM
mbam-log-2008-11-25 (23-30-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 81327
Time elapsed: 14 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\atmli.dll (Trojan.BHO.H) -> No action taken.
================================================

and the new HJT log:

================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:16 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
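The two logs in this post show the same infection from two angles: the HijackThis O2 line says which DLL the BHO's CLSID loads, and the Malwarebytes log lists the registry keys that register that CLSID. As an added example (not part of this thread, and not code from HijackThis, Malwarebytes or Kaspersky), here is a small Python triage script that parses those two line formats, cross-references the CLSIDs between them, and prints the registry keys a flagged BHO occupies. The sample lines are copied from the logs in this thread; the flagging rules (no registered name, missing file, DLL under system32, CLSID also seen by MBAM) are the editor's own heuristics, and the three registry locations it prints are the ones MBAM reported for this BHO, not an exhaustive list.

```python
"""Triage helper for HijackThis (HJT) and Malwarebytes (MBAM) logs.

Added example for this thread; it is not part of the forum posts and not
code from either tool. It parses the O2 (BHO) and O4 (autorun) lines HJT
prints, pulls the CLSIDs MBAM reported in registry keys, and flags the
indicators a removal helper reads first. The flagging rules are the
editor's heuristics, not either vendor's detection logic.
"""
import re

# Sample input: O2/O4 lines copied from the thread's HJT log (raw string,
# so the backslashes are literal).
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
"""

# Sample input: three lines copied from the thread's MBAM log.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0083c93-40cd-40b7-bac1-158dcc7dec6e} (Trojan.BHO.H) -> No action taken.
C:\WINDOWS\system32\atmli.dll (Trojan.BHO.H) -> No action taken.
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Return (bhos, runs): the O2 BHO entries and the HKLM/HKCU Run autoruns."""
    bhos, runs = [], []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O4_RE.match(line)
        if m:
            runs.append(m.groupdict())
    return bhos, runs


def mbam_flagged_clsids(text):
    """CLSIDs MBAM named inside registry keys, upper-cased so they compare
    with HJT's mixed-case output."""
    return {g.upper() for g in GUID_RE.findall(text)}


def triage_bhos(bhos, flagged):
    """Flag a BHO when it has no registered name, points at a missing DLL,
    loads from system32 (the vendor BHOs here live under Program Files),
    or its CLSID also appears in the MBAM findings."""
    findings = []
    for b in bhos:
        reasons = []
        if b["name"] == "(no name)":
            reasons.append("no registered name")
        if b["path"] == "(no file)":
            reasons.append("orphaned registration, DLL missing")
        elif b["path"].lower().startswith("c:\\windows\\system32\\"):
            reasons.append("DLL loads from system32")
        if b["clsid"].upper() in flagged:
            reasons.append("CLSID also reported by MBAM")
        if reasons:
            findings.append((b["clsid"].upper(), b["path"], reasons))
    return findings


def unqualified_runs(runs):
    """Run values whose command carries no path: Windows resolves them via
    the search path, so the binary's real location has to be confirmed."""
    return [r["key"] for r in runs if "\\" not in r["cmd"]]


def registry_keys_for(clsid):
    """The three keys MBAM listed for this BHO's CLSID. Deleting only the
    DLL leaves the registration behind; HJT then shows it as '(no file)'."""
    return [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s" % clsid,
        r"HKCR\CLSID\%s" % clsid,
        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\%s" % clsid,
    ]


if __name__ == "__main__":
    bhos, runs = parse_hjt(HJT_SAMPLE)
    flagged = mbam_flagged_clsids(MBAM_SAMPLE)
    for clsid, path, reasons in triage_bhos(bhos, flagged):
        print(clsid, path)
        for reason in reasons:
            print("   -", reason)
        for key in registry_keys_for(clsid):
            print("   key:", key)
    print("Run entries without a full path:", unqualified_runs(runs))
```

On the sample above the script flags the orphaned {02478D38-...} entry (no name, no file) and the atmli.dll BHO (no name, system32, CLSID matched in the MBAM log), while the Adobe and Java BHOs pass; it also points out that RTHDCPL.EXE is started without a path. The CLSID match is what ties the file MBAM could not remove to the keys that keep re-registering it.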

tekina 0 Newbie Poster

Hi,
I'm having annoying popups directing Internet Explorer to virus sites. I'm using Kaspersky Internet Security 7.0; it detects the virus but can't remove the file (atmli.dll) in the system32 folder....
Can anyone help?
Here's my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:12 PM, on 11/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F0083C93-40CD-40B7-BAC1-158DCC7DEC6E} - C:\WINDOWS\system32\atmli.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120508 serial=DR12CNG-2676408-DQJ lang=EN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [PN-56M] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 …

tekina 0 Newbie Poster

Hey everyone,
just stumbled upon this awesome site.....
I'm from India. Love programming, cellphones, flashing and stuff. Also like to "tamper" with my OS. :)