Malware Removel.. atmclk.exe, dcomcfg.exe

[G.T]

I hope those of you with this issue have disabled "System Restore" before you have tried deleting, zapping and killing the issues with whatever chosen application. If not, you may zap it but as soon as you reboot it might be coming back that way.

 

[gygabite]

No problem anymore, i formated all my hdds and i just installed WinXP new and im now running every game again without problems

 

[Comporit]

Windows Temp Window Popping Up

I still get a window that pops up that says Windows Temp with a black screen, which then shuts by itself.

Does anyone have any suggestion on how to get rid of that?

 

[trog100]

it would be major problem for me if i had to reformat all my bloody hardrives just to get rid of a piece of malware.. the idea is to try and avoid such drastic methods.. he he

trog

 

[gygabite]

I get used to it, just installed Windows new a few weeks ago(a fresh windows runs really faster), anyway its no big deal to install all games new its done on one afternoon while doing homework. Only the activation sucks...

 

[Tatty_Two]

I get used to it, just installed Windows new a few weeks ago(a fresh windows runs really faster), anyway its no big deal to install all games new its done on one afternoon while doing homework. Only the activation sucks...

Get yourself a decent firewall and little furry nasty things killers to try and stop them getting there in the first place. There are actually some good freebies around now, one of the ones I use is Adaware SE Personal plus I got hardware and software firewalls and intrusion detection/blocking seperatly and for the first time ever I seem to be crap free!

 

[gygabite]

OK, the only thing i have atm is the crappy windows fw and its useless

 

[trog100]

one thing i do is to have small 20 gig partition for my operating system.. on this i put windows and about a dozen or so basic apps.. a more complete operating system so to speak.. this takes up about 6 gigs in all and is my C drive..

i back this up every so often.. i use win PE and just copy the C drive to another folder somewhere.. i call it by the date i did it... say C-11-5-2006

any time i like useing win PE i can delete the entire contents of my current C drive and copy back the latest or whatever back up i have made..

providing u havnt installed loads of stuff since your last back up it all works.. at the worse u have to re-install the odd proggy that has a missing registry entry..

i have tons of apps on my system.. the reformat option just aint there for me.. my small C drive copy method seems to work.. but u do need something like acronis disk image or win PE to do it.. windows dont like being deleted while its running.. he he he

trog

 

[cajunot]

I think I figured it out...

Okay, thanks for all the info previous posters gave....it helped me get rid of mine...this is what I did:

I did a variation of what jockkinias posted on 5/07/06. I had to do it in safe mode and even then the atmclk.exe did not want to delete...

So I went back to regedit and did a search for all entries in my registry and deleted those that contained dcomcfg, atmclk, regperf, and SpyFalcon.

even as I did this, I noticed that under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVirsion\polices, after deleating kernel32.exe and wininet.dll they reinserted themselves a few minutes later....

I use Mcafee antivirus software and I previously noted that it cleaned viruses:
1. IdlFOE.tmp
2. appmagr.dll
3. simpole.tlb

I did a computer file search for each entry Mcafee found and supposingly cleaned and in C:\Windows\system32 I found that simpole.tlb was still there, so deleted this (all in safe mode). I then went under C:\Windows\prefetch and deleted dcomcfg.exe, atmclk.exe, and regperf.exe.

I repeated the search on regedit and deleted all references containing dcomcfg, atmclk, regperf, and those containing "wininet" that looked to be associated with the previous searches.

I then rebooted into safe mode once more and was able to delete atmclk.exe, dcomcfg.exe, and regperf.exe from C:\Windows\system32.


Now, I don't know exactly why it worked, but I suspect that the simpole.tlb was reinserting teh kernel32.exe and wininet.dll entries back into HLM\SOFTWARE\Microsoft\windows\currentversion\policies right after I deleted them.

Be careful if you decide to go this rout. It is always risky to alter your computer's registry without being sure of what you are doing....I did it because if I goofed up, I could just reload Windows XP.

Oh, one more detail that might enable someone to come up with what's going on and maybe an easier way to do what I did or at least a better way to explain it. I did notice that when I pulled up the task manager while in safe mode, atmclk.exe was running. I left-clicked on atmclk.exe and choose "end process tree" from the dropdown menu. I saw that the entry was deleated and then immediatly relisted somewhere else on my list of running applications. I know that means that another program was rerunning atmclk.exe after I deleated it, but I am not much of a computer expert to know the whys and wherefores of what is going on......hope this helps someone...

 

[Stee]

kudos to usctrojansfan04

I too was aflicted with the same problem....unlike a unix system I was unable to kill the task: atmclk.exe. It was like jesus rising from the dead over and over. Man it was frustrating

Thanks to usctrojansfan04's solution....it worked like a charm !!

cheers !


Stee

 

[Lazarus_nz]

Hey Pheonix_789, I used to have the same problem. Here's the solution:

Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Then select option #2 (Clean) - It will find the problem, but will at first not be able to fix it because it is being used by another process. Then allow it to reboot, and SmitfraudFix will appear at start up and clean the annoying buggers.

Note: For me, when SmitfraudFix appeared at start up to clean the malware, it said it had an error cleaning the files. If it does display that, just click ignore and it will delete them once and for all!

Thanks for this. It helped no end.

 

[Zain020]

HORRAY! It works. One problem however, the damn boat it came in on won't die. It removed the process but not the program fueling it. I think it came in with a ton of advertisements including one on my start menu saying "Your computer is infected!". Everytime I try to use a program that involves hiding the desktop it kills the program and puts me back to desktop with that poping up yet again.

 

[mre_888]

Hey Pheonix_789, I used to have the same problem. Here's the solution:

Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Then select option #2 (Clean) - It will find the problem, but will at first not be able to fix it because it is being used by another process. Then allow it to reboot, and SmitfraudFix will appear at start up and clean the annoying buggers.

Note: For me, when SmitfraudFix appeared at start up to clean the malware, it said it had an error cleaning the files. If it does display that, just click ignore and it will delete them once and for all!

man thanks so much for that!
yesterday I spent all afternoon and night trying to find something to get rid of all these damn spyware which installed themselves onto my computer and wouldnt get lost!
was thinking about formatting my computer but was lucky enough to find your post before I did it!

 

[slamdancer]

How about some help with this. I got rid of the atmlck and the dcomcfg by using smitfraudfix..but I have another problem...it seems that a virus has invaded my Winlog system file. .. It is a legitimate file that is needed in system32 to run XP....how do I get rid of the virus in it?...any ideas? please send me an email at saulfp2004@yahoo.com...ty slam

 

[slamdancer]

How about some help with this. I got rid of the atmlck and the dcomcfg by using smitfraudfix..but I have another problem...it seems that a virus has invaded my Winlog system file. .. It is a legitimate file that is needed in system32 to run XP....how do I get rid of the virus in it?...any ideas? please send me an email at saulfp2004@yahoo.com...ty slam

die! virus die! we will overcome!

 

[SolumTECH]

Finally killed spyfalcon and it's residuals

Get rid of it once and for ALL(atmclk.exe)
i am running WINDOWS 2000 but this should work for xp also

files that must be removed
to kill this damn program(incomplete but smitfraud get all of them except1)

atmclk.exe - in system32
regperf.exe
ld28E0.tmp
1024 folder
fyhhxw.dll---problem dill---fix= boot to cmd line go to c:\winnt\system32(or sbnudh.dll in some xp systems)
type del fyhhxw.dill
stdole3.tlb
simpole.tlb
wapisvsu.exe
**********************
Lets destroy the malicious prorams!!

i fixed this problem by
1. uninstalling Spyfalcon(just use the windows uninstaller)
**(note trendmicro's pccillin internet security trial edition removed 4 viruses that come
with this malware. i used this in between steps 1 and 2 but if you have your own virus removal prog it should do the same)
2. dling the security task manager-install and run it
*(shows all the hidden processes running on you computer and has an excellent "google it"
option when you right click on a process to see if its real)
3. stop the atmclk.exe process
3. dling and running SmitfraudFix
4. after i did that dispite people saying it fixed all their problems i
still had a pop up every min saying i had 4 viruses. the program manifested
itself on my system tray and was completely uninteractable except when you
click it you get sent to the spyfalcon site.
5.Smitfraud fix couldnt remove or forgot to remove fyhhxw.dll
6. secruity task manager can see a process called Run a dill as an app
and you cannot stop the process.
7. now we know how that pop up is always running even though it isnt an exe and
you cat find any registry values
8.boot to cmd line go to c:\winnt\system32 type del fyhhxw.dill
EVERY TRACE WILL FINALLY BE GONE
(if you dont really know how to move around the command line its no problem just remember
1.cd= change directory
2.cd \. takes you to the root directory, c:
3.cd winnt takes you to the winnt folder
4.cd system32 takes you to the system32 folder
5.once you are there delete fyhhxw.dill by typing
del fyhhxw.dill (sbnudh.dll in some xp systems)

dl links
trendmicro antivirus -click try- http://www.trendmicro.com/buy/us/personal.asp
security task manager - http://www.neuber.com/taskmanager/download.html
smitfraudfix -zip file- http://siri.geekstogo.com/SmitfraudFix.php

spyfalcon info - do with it what you will =)
Domain Name: SPYFALCON.COM (195.225.176.79)
Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null, 98101, PH
Tel. +206.9543154

Other domains at the same IP address:
Spyfalconupdate.com
Updateyourwindows.com

a major help in beating this was looking at the time stamp on the file properties in system32
if you get a virus look for files with the same time stamp almost certantly they are products of the virus

please send me an email or post a response i wanna know if this helps anyone =)
i know i fixed it in a round about way but i think i avoided alot of unpleasent registry editing
Tank you everyone on the boards every little bit helped slay the beast

 

[chron]

hate to break it to you, but sometimes malware gets in and cant be removed. Best thing to do is format.

Besides, formatting is fun! Its like making your computer new again... if new computers came with dust? :/

And in the future - try to avoid the free porn sites XD

 

[SolumTECH]

it was a bad cd key finder site =) asta-killer... though the site may not be bad alot of the links are

 

[chron]

thats the risk you take when you travel to the dark parts of the web like that. If I download a torrent and it doesn't come with a CD key, i generally give up rather quickly since most "serial key" websites are just bogus websites wanting your vote to be at the top of a list of other very bogus websites...

 

[SolumTECH]

aye, i wish there were simpler ways of learning valuble lessions besides putting your data on the line

 

[Legie]

Download Hijack this. Run it and post the log, maybe there is something running at startup that needs to be deleted.

I had this same issue, after I tryed to delete it as most every person here has, after reading this thread, i went out and bought Spysweeper out of frustration, only i still have this very annoying little icon in my lower right hand corner bar that is a flashing red circle, crossed out, like a do not enter thingy, that changes to a green.. what looks like a 3/4 circle with an ear on the uper right side of it.. i cant really see it to well, but it gives a pop up ever ~3-4mins, in a red bordered, light blue backgrounded small box about 1"x1" saying:
"Your computer is infected!
Critical System Error!
System detected virus activities. They may cause critical system failure. Please, use antimalware software to clear and protect your system from parasite programs. Click here to get all available software."

I dont think i have clicked on it since im not sure what it is, i have NEVER seen it befor.

As Polaris573 has said here is a copy of my Hijackthis log. I know there is alot of crap on here, but as long as I can use this comp for what i need i dont mind, but this is just an anoyying little thing i have here.

Any help would be much appreciated!





Logfile of HijackThis v1.99.1
Scan saved at 10:38:24 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Thomas' Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\WebrootDesktopFirewall.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Desktop Firewall Log Server (WebrootDesktopFirewallLogServer) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFLogService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe

 

[chron]

yea I hear dat! lol. When I was growing up I would constantly take risks with the family computer trying to learn as much as I could. I remember I was 9 when we bought our first computer. It was dos and we got flight simulator for it, TOTALLY WICKED! For some reason I opened up the computer and started messing with jumper settings. My reason: I was trying to connect to the internet! ROFL.

yea, needless to say I corrupted some data and we took it and got it upgraded to windows 95 and added a cd rom!

I wish I could go back in time and teach my younger self all the basics to computers. Its so sad to think how ignorant I once was.

But oh well, perhaps that first F up is what has driven my unrelenting quest for computer knowlage, no matter what type it is.

 

[SolumTECH]

step 8 on my first post covers removing Fyhhxw.dll
that gets rid of the problem legie just posted

"flashing red circle, crossed out, like a do not enter thingy, that changes to a green.. what looks like a 3/4 circle with an ear on the uper right side of it."

 

[Legie]

I tryed to do what you say for Step 8 but i dont have a file called Fyhhxw.dll
Any other names it goes by? or <gulp> has it been shifty and changed its name already somehow?

 

[SolumTECH]

im pretty sure that part of the program wont replicate..but if you dont have the file you are probably going to have to go into system32 and start checking the time stamp on all the dills
try this
1.start\search\open the "Look in" drop down menu\browse\change search dir to system32
2. search for dill and see what comes up. when i did this just now i didnt find any dills in the folder
3.if you see any dills in your search results check the time they were created if the virus caused it the date/time will be the exact moment of infection

also check the file properties on your system32 folder make sure you can see hidden files
=( its all i can think of right now