
Malware Removal: atmclk.exe, dcomcfg.exe

mitamex

New Member
Joined
May 22, 2006
Messages
1 (0.00/day)
Any Other Ideas

SolumTECH said:
Get rid of it once and for ALL (atmclk.exe)
I am running WINDOWS 2000 but this should work for 2k also

Files that must be removed
to kill this damn program (incomplete, but SmitfraudFix gets all of them except 1)

atmclk.exe - in system32
regperf.exe
ld28E0.tmp
1024 folder
fyhhxw.dll --- problem DLL --- fix = boot to cmd line, go to c:\winnt\system32,
type del fyhhxw.dll
stdole3.tlb
simpole.tlb
wapisvsu.exe
**********************
Let's destroy the malicious programs!!

I fixed this problem by
1. uninstalling SpyFalcon (just use the Windows uninstaller)
**(note: Trend Micro's PC-cillin Internet Security trial edition removed 4 viruses that come
with this malware. I used this in between steps 1 and 2, but if you have your own virus removal program it should do the same)
2. downloading the Security Task Manager - install and run it
*(shows all the hidden processes running on your computer and has an excellent "google it"
option when you right click on a process to see if it's real)
3. stop the atmclk.exe process
3. downloading and running SmitfraudFix
4. after I did that, despite people saying it fixed all their problems, I
still had a pop up every min saying I had 4 viruses. The program manifested
itself on my system tray and was completely uninteractable except when you
click it you get sent to the SpyFalcon site.
5. SmitfraudFix couldn't remove or forgot to remove fyhhxw.dll
6. Security Task Manager can see a process called "Run a DLL as an app"
and you cannot stop the process.
7. now we know how that pop up is always running even though it isn't an exe and
you can't find any registry values
8. boot to cmd line, go to c:\winnt\system32, type del fyhhxw.dll
EVERY TRACE WILL FINALLY BE GONE
(if you don't really know how to move around the command line it's no problem, just remember
1. cd = change directory
2. cd \. takes you to the root directory, c:
3. cd winnt takes you to the winnt folder
4. cd system32 takes you to the system32 folder
5. once you are there delete fyhhxw.dll by typing
del fyhhxw.dll)

dl links
trendmicro antivirus -click try- http://www.trendmicro.com/buy/us/personal.asp
security task manager - http://www.neuber.com/taskmanager/download.html
smitfraudfix -zip file- http://siri.geekstogo.com/SmitfraudFix.php

spyfalcon info - do with it what you will =)
Domain Name: SPYFALCON.COM (195.225.176.79)
Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null, 98101, PH
Tel. +206.9543154

Other domains at the same IP address:
Spyfalconupdate.com
Updateyourwindows.com

A major help in beating this was looking at the time stamp on the file properties in system32.
If you get a virus, look for files with the same time stamp; almost certainly they are products of the virus.

Please send me an email or post a response, I wanna know if this helps anyone =)
I know I fixed it in a roundabout way but I think I avoided a lot of unpleasant registry editing.
Thank you everyone on the boards, every little bit helped slay the beast



Just did it and the ^%$#^*&^(* icon is still there... I'm running XP Home, already looked for all those files and they are not there, when I do the "del fyhh..... " it said the file is not there...
HELP... Anyone???
 

SolumTECH

New Member
Joined
May 23, 2006
Messages
13 (0.00/day)
The file that makes the stupid pop up must be different in XP, but I would guess that it still is in the system32 folder.
 

stranger103mbp

New Member
Joined
May 27, 2006
Messages
1 (0.00/day)
Mercenary4 said:
Have you tried MS's Beta: Windows Defender2 or MS's Beta: Windows Live Safety Center? They may work, or not. Never had any infections on my rigs (well except my wife's rig, go figure), but still run these new Beta security software from MS for giggles and grins.

The Windows Defender Beta 2.0 runs before log on, so it may work. Once you do manage to clean out the malware, clean your registry to ensure complete removal.

Windows defender detects the changes and allows them without asking a thing. Same with F-secure. Only thing that helped was SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) lots of thanks to usctrojansfan04

Cheers to all
 

Legie

New Member
Joined
May 23, 2006
Messages
5 (0.00/day)
Ok so I searched for any dll files that were created/edited on the date of when I got the virus, I found one called ojb.dll or something.. I can't recall what it was now, I just used KillBox to delete it, have yet to restart computer to see if anything happened. But yes, I guess I should have mentioned that I'm running XP Home. I have been working out of town for the past week and will be again this week but I'll try my best to check out these posts.

Thanks again!
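
The timestamp triage that SolumTECH and Legie describe (finding files in system32 dated close to a known-bad file), sketched as an added example that is not from any poster in this thread. The function names, the 120-second window, the sample directory and the file `hotfix.dll` are assumptions made for illustration; the other file names are the ones reported in the thread.

```python
import os
import tempfile
from pathlib import Path


def timestamp_neighbors(directory, reference_name, window_seconds=120):
    """List files whose modification time is within window_seconds of the
    reference file. Returns (name, delta_seconds) pairs, closest first.

    This is a lead, not proof: only mtime is compared, so a file the
    malware rewrites later, or one with a forged timestamp, is missed.
    """
    directory = Path(directory)
    ref_mtime = (directory / reference_name).stat().st_mtime
    hits = []
    for entry in directory.iterdir():
        if not entry.is_file() or entry.name == reference_name:
            continue
        delta = entry.stat().st_mtime - ref_mtime
        if abs(delta) <= window_seconds:
            hits.append((entry.name, round(delta)))
    return sorted(hits, key=lambda h: (abs(h[1]), h[0]))


def build_sample_dir():
    """Constructed stand-in for system32 so the example runs offline."""
    infection = 1_148_300_000  # constructed epoch time, roughly May 2006
    day = 86400
    sample = {
        "atmclk.exe": infection,            # known-bad reference file
        "dcomcfg.exe": infection + 4,       # dropped seconds later
        "fyhhxw.dll": infection + 9,
        "regperf.exe": infection - 30,
        "kernel32.dll": infection - 90 * day,   # old system file
        "notepad.exe": infection - 400 * day,
        "hotfix.dll": infection + 3 * day,      # constructed later update
    }
    root = Path(tempfile.mkdtemp(prefix="system32_sample_"))
    for name, mtime in sample.items():
        path = root / name
        path.write_bytes(b"")
        os.utime(path, (mtime, mtime))  # set access and modification time
    return root


if __name__ == "__main__":
    sample_root = build_sample_dir()
    for name, delta in timestamp_neighbors(sample_root, "atmclk.exe"):
        print(f"{delta:+5d}s  {name}")
```

Review each hit before deleting anything; a legitimate file written during the same minute will also appear in the list.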
 

kato506

New Member
Joined
May 28, 2006
Messages
1 (0.00/day)
usctrojansfan04 said:
Hey Pheonix_789, I used to have the same problem. Here's the solution:

Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Then select option #2 (Clean) - It will find the problem, but will at first not be able to fix it because it is being used by another process. Then allow it to reboot, and SmitfraudFix will appear at start up and clean the annoying buggers.

Note: For me, when SmitfraudFix appeared at start up to clean the malware, it said it had an error cleaning the files. If it does display that, just click ignore and it will delete them once and for all!

Just wanted to say a massive Thank you. just got a laptop, two days later.... Spy Quake, four days of trying to get rid and i found this post- worked a treat- so thanks again :):toast:
 

Legie

New Member
Joined
May 23, 2006
Messages
5 (0.00/day)
SolumTECH said:
hope it worked man good luck


Nope, I still have that little annoying "your system is infected" thing popping up :mad:

There was another .dll that had been changed since then... while I was out of town.. I'd have to re-search again to see what it was called.. could that be it? Even though it had been modified since then?

It's called sbnudh.dll, any idea what this is?

*edit* Also, I'm not sure if it's since last night when I deleted that one .dll file or what, but my comp seems to freeze up every 10mins or so, nothing works, I can hit the Windows key to get the start bar to open but nothing works when I click on it, and I have to manually turn off my comp. It also seems that after I made this first part of this post, using my 'search' my comp crashed.. so I tested it again, and now my comp crashes when I use Search. So I'm thinking I'm going to have to reformat this damn thing, unless I can get this fixed today or tomorrow.. Can anyone tell me how to fully format? If I recall, using the Windows boot CD doesn't fully format.. I may be wrong though.

thanks yet again!
 

SolumTECH

New Member
Joined
May 23, 2006
Messages
13 (0.00/day)
That's some bad news man. If you are wondering what a particular file does just punch it into Google and someone will know... If you have to reformat make sure to save all your pics and documents =/ you can't get that back... Have you tried System Restore? XP can restore itself to an earlier date, it creates a restore point every time you shut down or install something, so if you can guess when you got the bug you can just reset to before that... at least I hope it works that way, I'm still trying to find an activation code for my XP
 

Legie

New Member
Joined
May 23, 2006
Messages
5 (0.00/day)
Ok so, after taking SolumTECH's advice I googled the file sbnudh.dll, not sure why I never thought to do this :slap: This file IS part of SpyFalcon, so I restarted in safe mode, still wouldn't let me delete it, so I used my trusty KillBox and took care of it. For me this WAS the file that was causing that annoying little pop up window! So, now I have no more pop up window! :toast:

Thanks to everyone who had some input! Cheers!

Oh, here's the link to the site I went to in regards to the file: http://www.pcadvisor.co.uk/forums/index.cfm?action=showthread&threadid=243261&forumid=1
 

mrmagu28

New Member
Joined
May 30, 2006
Messages
3 (0.00/day)
Holy Crap It Worked!!!!

Comporit said:
I was so desperate, I googled the name of dcomcfg.exe file! This forum came up and thanks to usctrojansfan04, I can go to sleep and have my computer for another day. The thought of reformatting was horrible.

Thanks, usctrojansfan04!
:roll: :roll:


I downloaded the file ran it, rebooted in safe mode, ran #2, rebooted and it got rid of the virus which my piece of crap norton or counterspy could not get rid of. Sure it detected it but norton wanted to get rid of it for $39. No thanks, the internet community like this has to stick together to get rid of pests like this. Big companies suck!! Thanks so much, my 3 day nightmare was over in 5 mins. :toast:
 

mrmagu28

New Member
Joined
May 30, 2006
Messages
3 (0.00/day)
Thanks, you saved my pc from being reformatted!!

I downloaded the file ran it, rebooted in safe mode, ran #2, rebooted and it got rid of the virus which my piece of crap norton or counterspy could not get rid of. Sure it detected it but norton wanted to get rid of it for $39 with some joe schmo in india. No thanks, the internet community like this has to stick together to get rid of pests like this. Big companies suck, they want you to buy their sw but yet they charge you extra to remove what they should be catching and removing in the first place!! Thanks so much, my 3 day nightmare was over in 5 mins. :toast:
 

regg187

New Member
Joined
Jan 25, 2005
Messages
152 (0.02/day)
Location
Ariz- USA
I just got done fixing the same thing on my dad's laptop. TuneUp Utilities 2006 free 30 day trial took care of it in the registry cleaner section. I told him to buy it at the end of the 30 day period. Between Ad-Aware and T.U. they can fix almost anything.
 

staci_123

New Member
Joined
May 30, 2006
Messages
2 (0.00/day)
Attempting to fix this on my PC now.

I have the dcomcfg.exe, atmclk.exe, regperp.exe and the red/green circle in my tray with the frequent red box message trying to get me to buy their malware - d@m^ them!!! :mad:

I am going to try the suggestions here, but have a couple questions:
1. I can't seem to figure out how to get my PC started in safe mode. I've tried all of the function keys during startup but it just keeps trucking and logs me in to my normal desktop.
2. Where can I find the StartMgr.exe and the Killbox programs that I read about earlier in this thread?
3. Is Prevx necessary if I get those two programs? I also installed Windows Defender, Spybot, and AdAware (none of them removed my pests).
4. Spybot found a "Zlob" file that it said it fixed twice yet it keeps coming back. I linked it to the dcomcfg.exe file when I googled it. Do you think I will be able to get rid of this once and for all if I disable System Restore and run Spybot in safe mode? Or do I need to do something else for it as well?

I hate this! What morons are actually clicking on these popups and giving money to the people who have infected their PC?!?!? Someone must be or they'd give up on these Trojans... :banghead:

Thanks for the advice!
 

mrmagu28

New Member
Joined
May 30, 2006
Messages
3 (0.00/day)
Here's what I did.

I rebooted, hit F8 a bunch of times and it finally got to the screen where I could choose Safe Mode. I built my PC 5 years ago and it runs great. What kind of PC do you have? Some say hit F5 or Del.... depends what system you have. I ran the SmitFraudfix.zip file and it cleaned my system in 5 mins. I did not download anything else. Although I might download TuneUp Utilities 2006 to clean my registry. Still looking this up to see if it is a good program. I have used Spybot and it was stuck in a cycle. It found them then cleaned them then found them and cleaned them again.

I also ran housecall, (http://www.trendmicro.com/hc_intro/default.asp), mcafee (Stinger) http://vil.nai.com/vil/stinger/default.aspx but did not find anything. Try these things and see if they work for you.
 

staci_123

New Member
Joined
May 30, 2006
Messages
2 (0.00/day)
I have a 1.2 GHz Celeron Gateway. I'm actually planning to replace it and upgrade soon but will be giving this PC to my mom (she has my old one from 10 years ago and it is OBSOLETE!!!) Plus I don't want to lose my data in the mean time!

Thanks, I'll try holding down F8 and see if that works then I was going to run the SmitFraudfix.zip. i'll let you know how it goes!
 

esteban

New Member
Joined
May 31, 2006
Messages
1 (0.00/day)
Successfully deleted dcomcfg.exe

Hi,
I had tried all kinds of software to delete dcomcfg.exe and they did not work. Only using your link to SmitfraudFix and following the simple instructions worked out. I did not need to do it under Safemode. After rebooting, all the undesired files were deleted. So far, I have not seen any of the popups I used to get and my webpage is not redirected to their site anymore. I did not get your message indicating it had an error in cleaning the files. Thank you for the advice. I wish others having the same problem could read this before downloading all the software (free or not) claiming they will delete it and most often, they don't.

Esteban



usctrojansfan04 said:
Hey Pheonix_789, I used to have the same problem. Here's the solution:

Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Then select option #2 (Clean) - It will find the problem, but will at first not be able to fix it because it is being used by another process. Then allow it to reboot, and SmitfraudFix will appear at start up and clean the annoying buggers.

Note: For me, when SmitfraudFix appeared at start up to clean the malware, it said it had an error cleaning the files. If it does display that, just click ignore and it will delete them once and for all!
 

SolumTECH

New Member
Joined
May 23, 2006
Messages
13 (0.00/day)
I used these utilities to clean my computer. If you want to see my post on page 5, I have detailed instructions on how I removed it.
SmitfraudFix is great but it didn't take care of the green/red "your computer is infected" pop up. You will probably have to delete that manually. The file resides in the system32 folder and in Windows 2000 (my computer) it is called fyhhxw.dll. On Legie's computer (Windows XP) it is called sbnudh.dll
dl links
Trend Micro's HouseCall doesn't work for this virus/malware, I had to download the trial version of their antivirus
trendmicro antivirus -click try- http://www.trendmicro.com/buy/us/personal.asp
security task manager - http://www.neuber.com/taskmanager/download.html
smitfraudfix -zip file- http://siri.geekstogo.com/SmitfraudFix.php

Just use Windows search to see if you have sbnudh.dll or fyhhxw.dll. If you do, either delete them in the command prompt (see my post for instructions) or like Legie use KillBox (I don't know anything about the program but he used it and it worked)
 

oldcrusty72

New Member
Joined
Jun 3, 2006
Messages
1 (0.00/day)
Guys,
I just signed up to say thank you for your help to rid myself of this problem, I too had done a search and came up with your site. I'm sorry I don't have much of an idea about software so I most likely won't be able to return the favour in the near future, but I will definitely check with you guys first if I have any more problems.

Thanks again, Tim
 

drbobgold

New Member
Joined
Jun 7, 2006
Messages
1 (0.00/day)
I am about to try smitfraud, but if you are in a hurry to deal with atmclk.exe and dcomcfg.exe, I too found that I could not delete them for "Access Denied". However, I was able to rename each of them from the command prompt page, although I think I could have done it from windows explorer as well. I just change .exe to .old, and at least the yellow triangle and its popups disappeared.
 

SolumTECH

New Member
Joined
May 23, 2006
Messages
13 (0.00/day)
That was a really good idea changing the file extension, I never thought about that when I had the same problem. You could have just used del, the command prompt doesn't care about anything really.. even if the file is in use. And if that doesn't work for some reason you can boot to the command prompt

My post on page 5 is a detailed path to getting rid of all the viruses and residuals that come along with this malware
 

manami

New Member
Joined
Jun 9, 2006
Messages
5 (0.00/day)
Processor AMD Duron 1.1 Ghz
Memory 256 MB
Video Card(s) Integrated 8 MB
Storage Maxtor 40 GB
Display(s) Samsung 796MB
Thank you all, I have had the same problems with atmclk.exe, regperp.exe and dcomcfg.exe :banghead: and thanks to :respect: this forum I have solved it.
Didn't have to go in safe mode at all, just downloaded PREVX1 v1.2.0.48 and the program did it all for me. It is free to download and to use for 30 days. :D
I hope my comment is helpful to someone like yours was to me.
Thank you all again :respect: :respect:
 

Annihil4t0r

New Member
Joined
Jun 10, 2006
Messages
1 (0.00/day)
Removed! W00t!!!!

OMG I got it removed. Download the latest version of Spybot at http://www.safer-networking.org/en/mirrors/index.html and then make sure you nab ALL the updates. For some weird reason, I had to restart before it would install the updates. :confused: When you're done updating, do the following:

1) Immunize the system
2) Do a system scan and delete anything it finds. I believe it should ask you if it wants to run on the next restart. Say yes.
3) Restart and let it do its scan. When it's done, delete it, and I would recommend double checking the immunize.
4) Open the process manager after everything appears to be booted up, and check if atmcld.exe and dcomcfg.exe are there. If not, you can optionally go to c:\windows\system32 and delete the files. Unfortunately, I haven't found what keeps trying to recreate these exes, and it might just be there doing nothing until somebody finds it.

And BTW, the reason why Spybot works is because of the Tea Timer and the Immunization. The immunization will prevent it from coming back. Tea Timer will always alert you when there is a change that takes place that has a possibility of being spyware or a hijack. It's kinda like an internal firewall that requires its hand to be held at every decision and learns only if you tell it to.
 

DonD78217

New Member
Joined
Jun 11, 2006
Messages
2 (0.00/day)
Fixed it with SmitfraudFix

Messed with almclk.exe & dcomcfg.exe for 3 days. This forum solved it for me with SmitfraudFix. Went to google and entered the URL so I could have the site translated. D/L ed file and it worked like the message says it will. just be patient as it works slowly.
:toast:
 

Comporit

New Member
Joined
May 10, 2006
Messages
8 (0.00/day)
Trojans and viruses that caused windows to pop up

Comporit said:
I still get a window that pops up that says Windows Temp with a black screen, which then shuts by itself.

Does anyone have any suggestion on how to get rid of that?
:cry:


I just wanted to share that I downloaded the 30 day free trial version of Kaspersky Internet Security and it eliminated all those pop ups and other annoyances. www.kaspersky.com -- seeing is believing; I never would have thought until I tried it myself.

:toast:
 