# Malware Removal.. atmclk.exe, dcomcfg.exe



## Pheonix_789 (May 2, 2006)

I keep getting annoying pop-ups when I am not even surfing the internet, I have downloaded several programs to remove this problem with no success, I have discovered what the malicious programs are and I am having a lot of difficulty removing them, I have used a program called Prevx1 to quarantine them but is there a way to permanently remove them?


-atmclk.exe 10kb  
-dcomcfg.exe 10kb


I have used and downloaded the following programs with no success:

-Adaware
-Avast home edition
-System mechanic Pro
-Webroot Spywaresweeper
-Prevx1
-XP repairer PRO


Is there a way to remove the problem without reinstalling Windows XP?


----------



## trog100 (May 2, 2006)

something else is creating them.. something is causing them to run with a windows or browser start up.. windows wont let u delete files that are in use.. which is a basic problem..

one trick to disable a file u might think is causing problems but arnt sure is to rename it.. or create a new folder and put the file in it.. but again windows in a self protective manner wont often let u do this..

somehow u have to stop them running then delete them and anything associated with them.. plus find out how u got them in the first place.. 

i use an oem win pe disk for such things.. not much help if u cant lay your hands on a copy.. but i wouldnt be without mine..

trog


----------



## cjoyce1980 (May 2, 2006)

try running SpyBot, it has the option of running at windows start up. so it maybe able to remove this malware before it even loads.

http://www.spybot.info/


----------



## Thermopylae_480 (May 3, 2006)

Go to Start > Run > Type msconfig > Press enter > Choose "Diagnostic Startup" > Press Ok > Restart computer > attempt to delete files.

Diagnostic startup does not allow internet access. It loads basic programs/drivers that allow the computer to function at its minimum capacity.


----------



## DominicStockford (May 5, 2006)

I am getting the same malware. Having used Prevx1 to try to remove it, and also started up in safe mode to try to remove it, I have had no success. The programmes are allegedly in jail, according to Prevx1, but one is still active and the files have vanished from view. Have they transmogrified into something else? Anyone any ideas?


----------



## DominicStockford (May 5, 2006)

Update! It only affects one of the user names on the computer. Maybe there is a way I can copy all my email from Outlook over to the Outlook in the other user name and then just close the affected user down? Does anyone know of a way to do that?


----------



## Polaris573 (May 5, 2006)

Download Hijack this.  Run it and post the log, maybe there is something running at startup that needs to be deleted.


----------



## gR3iF (May 5, 2006)

try to get the stuff away with panda

http://www.pandasoftware.com/downlo...=WWEN-PLTIS6-DES&Idioma=2&Country=DE&sec=down

just use any data for the form, like:
blub@com.de
öosdh
dsaoidh 

and so on^^ test it


----------



## usctrojansfan04 (May 7, 2006)

Hey Pheonix_789, I used to have the same problem. Here's the solution:

Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop. 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd 
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). 
Then select option #2 (Clean) - It will find the problem, but will at first not be able to fix it because it is being used by another process. Then allow it to reboot, and SmitfraudFix will appear at start up and clean the annoying buggers. 

Note: For me, when SmitfraudFix appeared at start up to clean the malware, it said it had an error cleaning the files. If it does display that, just click ignore and it will delete them once and for all!


----------



## Azn Tr14dZ (May 7, 2006)

And if nothing else works, I always do a clean re/install of Windows XP. My comp used to never shut down and I would have to manually shut it down each time until I did a clean re/install of Windows XP. It took 2 hours but cleaned out everything and works faster. Only do it though if nothing else works.


----------



## Mercenary4 (May 7, 2006)

Have you tried MS's Beta: Windows Defender2 or MS's Beta: Windows Live Safety Center? They may work, or not. Never had any infections on my rigs (well except my wife's rig, go figure), but still run these new Beta security software from MS for giggles and grins.

The Windows Defender Beta 2.0 runs before log on, so it may work. Once you do manage to clean out the malware, clean your registry to ensure complete removal.


----------



## EveryoneHasItInThem (May 7, 2006)

*The latest release of Prevx1 v.1.2.0.33 will remove this*

I would give Prevx1 another try. I tried the latest release v.1.2.0.33 last night and it sorted it perfectly. You should see the clean up list it builds, quite amazing and very thorough. Shows why so many of the products we all use are struggling with this.

According to prevx support there are a number of these nasties out there which some AVs and Antispyware are detecting but failing badly to disinfect and cleanup. This latest release of Prevx1 includes a ton of new clean up techniques. They also said another even more powerful version is hot on the heels. Should be out sometime next week.

Here's the post back from prevx support:

"Thanks for reporting your issues with the removal of ATMCLK.EXE. We're sorry you had problems. Prevx1 detects and disables this infection but where a new user has a prior infection Prevx1 was having difficulty disinfecting and cleaning up. These issues are now fixed in v.1.2.0.33 which shipped for new users late in the day on May 6th. Existing users of v.1.2.0.2 will be receiving an automatic update early Monday.

v.1.2.0.33 includes a lot of new clean up functionality. It has been built to deal with really persistent 'state-of-the-art' spyware and malware infections like Free.Serials, Spy Falcon, Spyware Quake (occasionally these are referred to as you say SmitFraud).

If you de-install v.1.2.0.2 and install Prevx1 fresh from the web site then it will sort your problems. Or you could wait for the update kit early next week. Personally, I'd get this thing off now!

As ever let us know if you have any further issues. We are totally committed to giving you the best Antivirus, Antispyware and Anti-malware protection we can.

Regards
Prevx Support"

I am still using the 60 day free trial and this has performed brilliantly for 3 weeks now and support as you can see is fantastic. Might be well worth the $20 to use it long term.

Good luck


----------



## nwadel (May 7, 2006)

I've tried Prevx, doesn't work, it just keeps it in jail but the next day the trojan comes back. Tried the other suggestions, didn't work. Any other ideas?


----------



## EveryoneHasItInThem (May 7, 2006)

*Sorry, I got it wrong*

Sorry, my fault for wasting your time.

You need to run v.1.2.0.34 of Prevx1 not v.1.2.0.33 as I stated in my previous email. 

This is currently only available as a fresh download and install (must de-install earlier versions first including v.1.2.0.33). It will then run the advanced cleanup and disinfection which will remove this once and for all.

Also Prevx support say that v.1.2.0.34 will also be available as an upgrade next week.


----------



## jcokkinias (May 8, 2006)

*Here's how u do it*

Caution. . .  Use the Registry Editor at your own risk.  If you are not familiar with the registry, take your computer to someone who is.

Open Registry Editor (regedit).

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Under this key you should see a key named "explorer" with a sub key named "run".
You can probably delete the entire "explorer" key, but if you don't feel comfortable doing this you can go into the "run" key and delete the following three string values:
1.  dcomcfg.exe
2.  kernel32.exe
3.  wininet.dll

After u have done this you can reboot and now you can delete these three files:
1.  %systemroot%\system32\dcomcfg.exe
2.  %systemroot%\system32\atmclk.exe
3.  %systemroot%\system32\regperf.exe

Now you are cleaned up, no more popups.


----------



## HDguardian (May 8, 2006)

*stop all virus and spyware*

 
Say goodbye to all virus and spyware with
hdguardian
www.hdguardian.com
It worked for me and my friends!


----------



## emptymind (May 9, 2006)

usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...




Thanks for posting that link, I have been trying for ages to remove that spyware, even Norton 2006 would not see it but what you posted worked 100%

Many Thanks


----------



## JVansia (May 9, 2006)

*I Have a solution!*

Hey guys, ok this virus/spyware has been a major annoyance but i think i've found a way to get rid of it. atmclk.exe and dcomcfg.exe were sitting comfortable in my C:\WINDOWS\System32 directory, trying to directly delete them was hopeless as they would either regenerate each other or would say that these files are locked and so windows could not delete them, so i figured there must be some software out there that lets you delete locked files...and there is. 

Download any good program to delete locked files upon rebooting ur comp, enter the 2 bastards above and voila its off ur comp. Just FYI its likely that there are other things on ur comp that would like to see those files back on ur C:\ so i'd advise doing full anti-virus, spyware and adware scans as soon as the files have been deleted. The software i used was EMCO MoveOnBoot and has seemed to work wonders....however when i update my msn messenger, the files seem to come back and i had to delete them again, but so far, no sign of them and its been a few days. Was so relieved to get rid of that damned yellow triangle! Hope it works for you too! - Jugal Vansia.


----------



## trog100 (May 10, 2006)

the remove on boot software is a good idea.. it gets around the windows not letting u delete a file while its in use factor very well.. 

the only real downside is u have to know exactly what files to aim it at.. if u do its clever idea..

trog


----------



## GroundMeat (May 10, 2006)

*The files are launched by the registry..*

[This is just a copy from another board: Original Post]

Hi demerzel. Please download SmitfraudFix (by S!Ri) 
Extract the content (a folder named SmitfraudFix) to your Desktop. 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd 
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). [EDIT] if you restart in safe mode and run this program, you can clean the system, however it can take a long time to clean up depending on your system and the infection level[/EDIT]

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

[This is just a copy from another board: Original Post]


----------



## Comporit (May 11, 2006)

*My Comp is Safe*



			
usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...



I was so desperate, I googled the name of dcomcfg.exe file!  This forum came up and thanks to usctrojansfan04, I can go to sleep and have my computer for another day.  The thought of reformatting was horrible.

Thanks, usctrojansfan04!


----------



## Tatty_One (May 11, 2006)

Also, and perhaps an easier way is load windows in "safe mode", then it will load with minimal drivers, you should then be able to go into Windows explorer and delete the little monsters as their associated files should not be running, then just re-boot normally, it has worked for me in the past.


----------



## Comporit (May 11, 2006)

Tatty_One said:

> Also, and perhaps an easier way is load windows in "safe mode", then it will load with minimal drivers, you should then be able to go into Windows explorer and delete the little monsters as their associated files should not be running, then just re-boot normally, it has worked for me in the past.



Thanks.  Actually, I did that and the buggers wouldn't budge.  Then, I restored my system to a month ago and THAT didn't help.  I SAW the files in the directory and couldn't get them out...I'm relieved and am glad I found this forum.


----------



## trog100 (May 11, 2006)

i have been using a little proggy i have carried from system to system for some years called StartMgr.exe..

it just lists the things that start up with windows and easily lets u switch them on or off.. 

the secret is to switch off all the junk u dont want or need and then keep a regular eye on what does start up.. if u see something new appear and u dont know for sure exactly what it is.. be suspicious..

after a while u can just look at it and know exactly what should be running and what shouldnt.. 

i have about ten items listed in my start manager and i know exactly what each one is.. if u dont prune this start up list on a regular basis tons of extra junk gets fired up with windows and most of it u dont need.. the malware and virus crap gets hidden amongst the junk.. clean out the junk and its easy to spot.. 

trog


----------



## gygabite (May 11, 2006)

Aw, i have atmclk.exe, too, but none of your tips helped me, so the only chance i have is to format C:


----------



## G.T (May 11, 2006)

I hope those of you with this issue have disabled "System Restore" before you have tried deleting, zapping and killing the issues with whatever chosen application.  If not, you may zap it but as soon as you reboot it might be coming back that way.


----------



## gygabite (May 11, 2006)

No problem anymore, i formated all my hdds and i just installed WinXP new and im now running every game again without problems


----------



## Comporit (May 11, 2006)

*Windows Temp Window Popping Up*

I still get a window that pops up that says Windows Temp with a black screen, which then shuts by itself.

Does anyone have any suggestion on how to get rid of that?


----------



## trog100 (May 11, 2006)

it would be major problem for me if i had to reformat all my bloody hardrives just to get rid of a piece of malware.. the idea is to try and avoid such drastic methods.. he he

trog


----------



## gygabite (May 11, 2006)

I get used to it, just installed Windows new a few weeks ago(a fresh windows runs really faster), anyway its no big deal to install all games new its done on one afternoon while doing homework. Only the activation sucks...


----------



## Tatty_One (May 11, 2006)

gygabite said:

> I get used to it, just installed Windows new a few weeks ago(a fresh windows runs really faster), anyway its no big deal to install all games new its done on one afternoon while doing homework. Only the activation sucks...



Get yourself a decent firewall and little furry nasty things killers to try and stop them getting there in the first place.  There are actually some good freebies around now, one of the ones I use is Adaware SE Personal plus I got hardware and software firewalls and intrusion detection/blocking separately and for the first time ever I seem to be crap free!


----------



## gygabite (May 11, 2006)

OK, the only thing i have atm is the crappy windows fw and its useless


----------



## trog100 (May 11, 2006)

one thing i do is to have small 20 gig partition for my operating system.. on this i put windows and about a dozen or so basic apps.. a more complete operating system so to speak.. this takes up about 6 gigs in all and is my C drive..

i back this up every so often.. i use win PE and just copy the C drive to another folder somewhere.. i call it by the date i did it... say C-11-5-2006 

any time i like using win PE i can delete the entire contents of my current C drive and copy back the latest or whatever back up i have made.. 

providing u havnt installed loads of stuff since your last back up it all works.. at the worse u have to re-install the odd proggy that has a missing registry entry.. 

i have tons of apps on my system.. the reformat option just aint there for me.. my small C drive copy method seems to work.. but u do need something like acronis disk image or win PE to do it.. windows dont like being deleted while its running.. he he he

trog


----------



## cajunot (May 13, 2006)

*I think I figured it out...*

Okay, thanks for all the info previous posters gave....it helped me get rid of mine...this is what I did:

I did a variation of what *jcokkinias* posted on 5/07/06.  I had to do it in safe mode and even then the atmclk.exe did not want to delete...

So I went back to regedit and did a search for all entries in my registry and deleted those that contained dcomcfg, atmclk, regperf, and SpyFalcon.

even as I did this, I noticed that under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies, after deleting kernel32.exe and wininet.dll they reinserted themselves a few minutes later....

I use Mcafee antivirus software and I previously noted that it cleaned viruses:
1. IdlFOE.tmp
2. appmagr.dll
3. simpole.tlb

I did a computer file search for each entry Mcafee found and supposedly cleaned and in C:\Windows\system32 I found that simpole.tlb was still there, so deleted this (all in safe mode).  I then went under C:\Windows\prefetch and deleted dcomcfg.exe, atmclk.exe, and regperf.exe.

I repeated the search on regedit and deleted all references containing dcomcfg, atmclk, regperf, and those containing "wininet" that looked to be associated with the previous searches.

I then rebooted into safe mode once more and was able to delete atmclk.exe, dcomcfg.exe, and regperf.exe from C:\Windows\system32.


Now, I don't know exactly why it worked, but I suspect that the simpole.tlb was reinserting the kernel32.exe and wininet.dll entries back into HLM\SOFTWARE\Microsoft\windows\currentversion\policies right after I deleted them.

Be careful if you decide to go this route.  It is always risky to alter your computer's registry without being sure of what you are doing....I did it because if I goofed up, I could just reload Windows XP.

Oh, one more detail that might enable someone to come up with what's going on and maybe an easier way to do what I did or at least a better way to explain it.  I did notice that when I pulled up the task manager while in safe mode, atmclk.exe was running.  I left-clicked on atmclk.exe and chose "end process tree" from the dropdown menu.  I saw that the entry was deleted and then immediately relisted somewhere else on my list of running applications.  I know that means that another program was rerunning atmclk.exe after I deleted it, but I am not much of a computer expert to know the whys and wherefores of what is going on......hope this helps someone...


----------



## Stee (May 16, 2006)

*kudos to usctrojansfan04*

I too was afflicted with the same problem....unlike a unix system I was unable to kill the task: atmclk.exe. It was like jesus rising from the dead over and over. Man it was frustrating  

Thanks to usctrojansfan04's solution....it worked like a charm !!  

cheers !
 

Stee


----------



## Lazarus_nz (May 16, 2006)

usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...



Thanks for this. It helped no end.


----------



## Zain020 (May 18, 2006)

HOORAY! It works. One problem however, the damn boat it came in on won't die. It removed the process but not the program fueling it. I think it came in with a ton of advertisements including one on my start menu saying "Your computer is infected!". Every time I try to use a program that involves hiding the desktop it kills the program and puts me back to desktop with that popping up yet again.


----------



## mre_888 (May 19, 2006)

usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...



man thanks so much for that!
yesterday I spent all afternoon and night trying to find something to get rid of all these damn spyware which installed themselves onto my computer and wouldnt get lost!
was thinking about formatting my computer but was lucky enough to find your post before I did it!


----------



## slamdancer (May 19, 2006)

How about some help with this.  I got rid of the atmclk and the dcomcfg by using smitfraudfix..but I have another problem...it seems that a virus has invaded my Winlog system file. ..  It is a legitimate file that is needed in system32 to run XP....how do I get rid of the virus in it?...any ideas?   please send me an email at saulfp2004@yahoo.com...ty slam


----------



## slamdancer (May 19, 2006)

slamdancer said:

> How about some help with this.  I got rid of the atmclk and the dcomcfg by using smitfraudfix..but I have another problem...it seems that a virus has invaded my Winlog system file. ..  It is a legitimate file that is needed in system32 to run XP....how do I get rid of the virus in it?...any ideas?   please send me an email at saulfp2004@yahoo.com...ty slam


 die! virus die! we will overcome!


----------



## SolumTECH (May 23, 2006)

*Finally killed spyfalcon and it's residuals*

Get rid of it once and for ALL(atmclk.exe)
i am running WINDOWS 2000 but this should work for xp also

files that must be removed
to kill this damn program (incomplete, but smitfraud gets all of them except 1)

atmclk.exe - in system32
regperf.exe 
ld28E0.tmp
1024 folder
fyhhxw.dll---problem dll---fix= boot to cmd line go to c:\winnt\system32(or sbnudh.dll in some xp systems)
             type del fyhhxw.dll
stdole3.tlb
simpole.tlb
wapisvsu.exe
**********************
Lets destroy the malicious programs!!

i fixed this problem by 
1. uninstalling Spyfalcon(just use the windows uninstaller)
**(note trendmicro's pccillin internet security trial edition removed 4 viruses that come 
with this malware. i used this in between steps 1 and 2 but if you have your own virus removal prog it should do the same)
2. dling the security task manager-install and run it
*(shows all the hidden processes running on you computer and has an excellent "google it" 
option when you right click on a process to see if its real)
3. stop the atmclk.exe process
3. dling and running SmitfraudFix
4. after i did that despite people saying it fixed all their problems i 
still had a pop up every min saying i had 4 viruses. the program manifested 
itself on my system tray and was completely uninteractable except when you 
click it you get sent to the spyfalcon site.
5.Smitfraud fix couldnt remove or forgot to remove fyhhxw.dll
6. security task manager can see a process called Run a dll as an app
and you cannot stop the process.
7. now we know how that pop up is always running even though it isnt an exe and
you cant find any registry values
8.boot to cmd line go to c:\winnt\system32 type del fyhhxw.dll
EVERY TRACE WILL FINALLY BE GONE
(if you dont really know how to move around the command line its no problem just remember 
1.cd= change directory
2.cd \. takes you to the root directory, c:
3.cd winnt takes you to the winnt folder
4.cd system32 takes you to the system32 folder
5.once you are there delete fyhhxw.dll by typing
del fyhhxw.dll (sbnudh.dll in some xp systems))

dl links
trendmicro antivirus -click try- http://www.trendmicro.com/buy/us/personal.asp
security task manager - http://www.neuber.com/taskmanager/download.html
smitfraudfix -zip file- http://siri.geekstogo.com/SmitfraudFix.php

spyfalcon info - do with it what you will =)
Domain Name: SPYFALCON.COM (195.225.176.79)
Registrant:
SunShine Ltd
David Taylor
U-12 Gamma Commercial Complex # 47
Rizal Highway cor. Manila Ave Subic Bay
Olongapo City
null, 98101, PH
Tel. +206.9543154

Other domains at the same IP address:
Spyfalconupdate.com
Updateyourwindows.com

a major help in beating this was looking at the time stamp on the file properties in system32
if you get a virus look for files with the same time stamp, almost certainly they are products of the virus

please send me an email or post a response i wanna know if this helps anyone =)
i know i fixed it in a roundabout way but i think i avoided a lot of unpleasant registry editing
Thank you everyone on the boards every little bit helped slay the beast
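
The time-stamp tip in the post above, as an added example (not code from any poster in this thread): given a directory and one file already known to be bad, it lists the other files modified within a short window of it. The 120-second window and the demo directory are assumptions; the demo files are empty, constructed stand-ins that only borrow names mentioned in this thread.

```python
import os
import tempfile


def timestamp_neighbours(directory, known_bad, window_seconds=120):
    """Return [(file_name, delta_seconds)] for regular files in `directory`
    whose modification time lies within `window_seconds` of `known_bad`.

    Results are sorted closest-first. A hit is a lead to investigate, not
    proof: installers and updates also write many files at once, and
    malware can forge timestamps, so an empty result clears nothing.
    """
    ref_mtime = os.stat(os.path.join(directory, known_bad)).st_mtime
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            # Only plain files; skip the reference file itself.
            if not entry.is_file(follow_symlinks=False):
                continue
            if entry.name.lower() == known_bad.lower():
                continue
            delta = entry.stat(follow_symlinks=False).st_mtime - ref_mtime
            if abs(delta) <= window_seconds:
                hits.append((entry.name, round(delta)))
    hits.sort(key=lambda hit: (abs(hit[1]), hit[0].lower()))
    return hits


def build_demo_dir():
    """Constructed sample: empty files whose mtimes are set by hand."""
    root = tempfile.mkdtemp(prefix="ts_demo_")
    base = 1147000000  # arbitrary May 2006 epoch second (constructed)
    layout = {
        "atmclk.exe": base,               # the file already identified
        "regperf.exe": base + 2,          # written 2 s later
        "simpole.tlb": base - 40,         # written 40 s earlier
        "notepad.exe": base - 50_000_000, # long-standing system file
        "calc.exe": base + 3600,          # an hour later: outside window
    }
    for name, mtime in layout.items():
        path = os.path.join(root, name)
        open(path, "wb").close()
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, delta in timestamp_neighbours(demo, "atmclk.exe"):
        print(f"{name:15s} {delta:+d} s relative to atmclk.exe")
```
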


----------



## chron (May 23, 2006)

hate to break it to you, but sometimes malware gets in and cant be removed. Best thing to do is format.

Besides, formatting is fun! Its like making your computer new again... if new computers came with dust? :/

And in the future - try to avoid the free porn sites XD


----------



## SolumTECH (May 23, 2006)

it was a bad cd key finder site =) asta-killer... though the site may not be bad a lot of the links are


----------



## chron (May 23, 2006)

thats the risk you take when you travel to the dark parts of the web like that. If I download a torrent and it doesn't come with a CD key, i generally give up rather quickly since most "serial key" websites are just bogus websites wanting your vote to be at the top of a list of other very bogus websites...


----------



## SolumTECH (May 23, 2006)

aye, i wish there were simpler ways of learning valuable lessons besides putting your data on the line


----------



## Legie (May 23, 2006)

Polaris573 said:

> Download Hijack this.  Run it and post the log, maybe there is something running at startup that needs to be deleted.




I had this same issue, after I tried to delete it as most every person here has, after reading this thread, i went out and bought Spysweeper out of frustration, only i still have this very annoying little icon in my lower right hand corner bar that is a flashing red circle, crossed out, like a do not enter thingy, that changes to a green.. what looks like a 3/4 circle with an ear on the upper right side of it.. i cant really see it too well, but it gives a pop up every ~3-4mins, in a red bordered, light blue backgrounded small box about 1"x1" saying:
"Your computer is infected!  
Critical System Error!  
System detected virus activities. They may cause critical system failure. Please, use antimalware software to clear and protect your system from parasite programs. Click here to get all available software."

I dont think i have clicked on it since im not sure what it is, i have NEVER seen it before.

As Polaris573 has said here is a copy of my Hijackthis log. I know there is a lot of crap on here, but as long as I can use this comp for what i need i dont mind, but this is just an annoying little thing i have here.

Any help would be much appreciated!





Logfile of HijackThis v1.99.1
Scan saved at 10:38:24 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Thomas' Folder\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\WebrootDesktopFirewall.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Desktop Firewall Log Server (WebrootDesktopFirewallLogServer) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFLogService.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
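
The log above can be triaged mechanically. This is an added example, not part of the original post: a small Python parser for HijackThis lines that flags `O23` services reported with `Unknown owner` or `(file missing)`, plus the `O10` broken LSP entry. The sample lines are copied from the log above; the function names and flag labels are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10908.dll' missing
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
"""

# Every finding starts with a section code (O4, O10, O20, O23, ...).
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# O23 layout as it appears in the log:
#   Service: Display name (ShortName) - Vendor - Path
# The display name may itself contain parentheses ("WAN Miniport (ATW) Service"),
# so it is matched lazily and the short name is the last group before " - ".
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<vendor>.+?) - (?P<path>.+)$"
)


@dataclass
class Finding:
    section: str
    subject: str
    reasons: list


def parse_entries(log_text):
    """Yield (section, body) for every well-formed HijackThis line."""
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            yield match.group("section"), match.group("body")


def parse_service(body):
    """Split an O23 body into its fields, or return None if it does not fit."""
    match = SERVICE_RE.match(body)
    return match.groupdict() if match else None


def triage(log_text):
    """Return the entries that deserve a manual look, with the reason for each.

    A flag means "review this", not "this is malicious": both flagged services
    in the sample belong to security products named in the thread.
    """
    findings = []
    for section, body in parse_entries(log_text):
        reasons = []
        subject = body
        if section == "O23":
            svc = parse_service(body)
            if svc is None:
                reasons.append("unparsed-service-line")
            else:
                subject = svc["name"]
                # HijackThis could not read a company name from the binary.
                if svc["vendor"].lower() == "unknown owner":
                    reasons.append("unknown-owner")
                # The service is registered but its binary was not found.
                if "(file missing)" in svc["path"].lower():
                    reasons.append("file-missing")
        elif section == "O10" and "missing" in body.lower():
            # A Winsock LSP is registered but its DLL is gone.
            reasons.append("broken-lsp-chain")
        if reasons:
            findings.append(Finding(section, subject, reasons))
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item.section, item.subject, ", ".join(item.reasons))
```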


----------



## chron (May 23, 2006)

yea I hear dat! lol. When I was growing up I would constantly take risks with the family computer trying to learn as much as I could. I remember I was 9 when we bought our first computer. It was dos and we got flight simulator for it, TOTALLY WICKED! For some reason I opened up the computer and started messing with jumper settings. My reason: I was trying to connect to the internet! ROFL. 

yea, needless to say I corrupted some data and we took it and got it upgraded to windows 95 and added a cd rom! 

I wish I could go back in time and teach my younger self all the basics to computers. It's so sad to think how ignorant I once was. 

But oh well, perhaps that first F up is what has driven my unrelenting quest for computer knowledge, no matter what type it is.


----------



## SolumTECH (May 23, 2006)

step 8 on my first post covers removing Fyhhxw.dll 
that gets rid of the problem legie just posted

"flashing red circle, crossed out, like a do not enter thingy, that changes to a green.. what looks like a 3/4 circle with an ear on the upper right side of it."


----------



## Legie (May 23, 2006)

I tried to do what you say for Step 8 but i dont have a file called Fyhhxw.dll 
Any other names it goes by? or <gulp> has it been shifty and changed its name already somehow?


----------



## SolumTECH (May 23, 2006)

im pretty sure that part of the program wont replicate..but if you dont have the file you are probably going to have to go into system32 and start checking the time stamp on all the dlls
try this
1. start\search\open the "Look in" drop down menu\browse\change search dir to system32
2. search for dll and see what comes up. when i did this just now i didnt find any dlls in the folder
3. if you see any dlls in your search results check the time they were created if the virus caused it the date/time will be the exact moment of infection

also check the file properties on your system32 folder make sure you can see hidden files
=( its all i can think of right now
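
The timestamp check described in the post above, as an added example that is not part of the original post: a Python sketch that lists `.dll` and `.exe` files in a directory whose creation or modification time falls near a known infection time. The function names, the one-hour window and the demo timestamps are assumptions of this example; `os.scandir` also returns hidden files, which covers the hidden-file remark above.

```python
import os
import tempfile
from datetime import datetime, timedelta


def file_times(path):
    """Return the timestamps worth comparing for one file."""
    st = os.stat(path)
    times = {"modified": datetime.fromtimestamp(st.st_mtime)}
    # Creation time is only trustworthy where the platform exposes it:
    # st_birthtime where available, st_ctime on Windows. On Linux st_ctime
    # is the inode change time, so it is deliberately not used here.
    birth = getattr(st, "st_birthtime", None)
    if birth is None and os.name == "nt":
        birth = st.st_ctime
    if birth is not None:
        times["created"] = datetime.fromtimestamp(birth)
    return times


def files_near(directory, infection_time, window=timedelta(hours=1),
               suffixes=(".dll", ".exe")):
    """List (name, which_timestamp, value) for files stamped near infection_time.

    Results are ordered by distance from infection_time, closest first.
    Timestamps can be changed after the fact, so an empty result does not
    prove the directory is clean.
    """
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not entry.name.lower().endswith(suffixes):
            continue
        for kind, stamp in file_times(entry.path).items():
            delta = abs(stamp - infection_time)
            if delta <= window:
                hits.append((delta, entry.name, kind, stamp))
    hits.sort()
    return [(name, kind, stamp) for _, name, kind, stamp in hits]


def demo():
    """Run the check against a throwaway directory with constructed timestamps."""
    infection = datetime(2006, 5, 20, 14, 30)  # constructed, not from the thread
    samples = {
        "sbnudh.dll": infection + timedelta(minutes=1),  # stamped at infection
        "kernel32.dll": datetime(2004, 8, 4, 12, 0),     # long before
        "readme.txt": infection,                         # wrong file type
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, stamp in samples.items():
            path = os.path.join(tmp, name)
            open(path, "wb").close()
            os.utime(path, (stamp.timestamp(), stamp.timestamp()))
        return [(name, kind) for name, kind, _ in files_near(tmp, infection)]


if __name__ == "__main__":
    # On the affected machine the directory would be C:\WINDOWS\system32.
    print(demo())
```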


----------



## mitamex (May 23, 2006)

*Any Other Ideas*



			
SolumTECH said:

> Get rid of it once and for ALL(atmclk.exe)
> i am running WINDOWS 2000 but this should work for 2k also
> 
> files that must be removed
> ...





Just did it and the ^%$#^*&^(* icon is still there... i'm running XP Home, already looked for all those files and they are not there, when i do the "del fyhh..... " it says the file is not there...
HELP... Anyone???


----------



## SolumTECH (May 25, 2006)

the file that makes the stupid pop up must be different in xp. but i would guess that it still is in the system 32 folder


----------



## stranger103mbp (May 27, 2006)

Mercenary4 said:

> Have you tried MS's Beta: Windows Defender2 or MS's Beta: Windows Live Safety Center? They may work, or not. Never had any infections on my rigs (well except my wifes rig, go figure), but still run these new Beta security software from MS for giggles and grins.
> 
> The Windows Defender Beta 2.0 runs before log on, so it may work. Once you do manage to clean out the malware, clean your registery to ensure complete removal.



Windows defender detects the changes and allows them without asking a thing. Same with F-secure. Only thing that helped was SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) lots of thanks to usctrojansfan04 

Cheers to all


----------



## Legie (May 28, 2006)

Ok so i searched for any dll files that were created/edited on the date of when i got the virus, i found one called ojb.dll or something.. i cant recall what it was now, i just used killbox to delete it, have yet to restart computer to see if anything happened. but yes, i guess i should have mentioned that im running XP home. I have been working out of town for the past week and will be again this week but i'll try my best to check out these posts.

Thanks again!


----------



## SolumTECH (May 28, 2006)

hope it worked man good luck


----------



## kato506 (May 28, 2006)

usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...



Just wanted to say a massive Thank you. just got a laptop, two days later.... Spy Quake, four days of trying to get rid and i found this post- worked a treat- so thanks again


----------



## Legie (May 28, 2006)

SolumTECH said:

> hope it worked man good luck




Nope, i still have that little annoying "your system is infected" thing popping up

There was another .dll that had been changed since then... while i was out of town.. i'd have to re-search again to see what it was called.. could that be it? even though it had been modified since then?

Its called sbnudh.dll  any idea what this is?

*edit*  Also, im not sure if its since last night when i deleted that one .dll file or what, but my comp seems to freeze up every 10mins or so, nothing works, i can hit the window's key to get the start bar to open but nothing works when i click on it, and i have to manually turn off my comp, it also seems that after i made this first part of this post, using my 'search' my comp crashed.. so i tested it again, and now my comp crashes when i use Search. So im thinking im going to have to reformat this damn thing, unless i can get this fixed today or tomorrow.. Can anyone tell me how to fully format? if i recall using the window's boot cd doesnt fully format.. i may be wrong though.

thanks yet again!


----------



## SolumTECH (May 29, 2006)

thats some bad news man if you are wondering what a particular file does just punch it into google and someone will know...if you have to reformat make sure to save all your pics and documents =/ you cant get that back...have you tried system restore..xp can restore itself to an earlier date it creates a restore point everytime you shutdown or install something so if you can guess when you got the bug you can just reset to b4 that...at least i hope it works that way im still trying to find an activation code for my xp


----------



## Legie (May 29, 2006)

Ok so, after taking SolumTECH's advice i googled the file sbnudh.dll, not sure why i never thought to do this. This file IS part of SpyFalcon, so i restarted in safe mode, still wouldnt let me delete it, so i used my trusty KillBox and took care of it, for me this WAS the file that was causing that annoying little pop up window! so, now i have no more pop up window!

Thanks to everyone who had some input! cheers!

Oh, here's the link to the site i went to in regards to the file:  http://www.pcadvisor.co.uk/forums/index.cfm?action=showthread&threadid=243261&forumid=1


----------



## SolumTECH (May 29, 2006)

@#%$ yeah dude im so glad you finally got it


----------



## mrmagu28 (May 30, 2006)

*Holy Crap It Worked!!!!*



			
Comporit said:

> I was so desperate, I googled the name of dcomcfg.exe file!  This forum came up and thanks to usctrojansfan04, I can go to sleep and have my computer for another day.  The thought of reformatting was horrible.
> 
> Thanks, usctrojansfan04!




I downloaded the file ran it, rebooted in safe mode, ran #2, rebooted and it got rid of the virus which my piece of crap norton or counterspy could not get rid of. Sure it detected it but norton wanted to get rid of it for $39. No thanks, the internet community like this has to stick together to get rid of pests like this. Big companies suck!! Thanks so much, my 3 day nightmare was over in 5 mins.


----------



## mrmagu28 (May 30, 2006)

*Thanks, you saved my pc from being reformatted!!*

I downloaded the file ran it, rebooted in safe mode, ran #2, rebooted and it got rid of the virus which my piece of crap norton or counterspy could not get rid of. Sure it detected it but norton wanted to get rid of it for $39 with some joe schmo in india. No thanks, the internet community like this has to stick together to get rid of pests like this. Big companies suck, they want you to buy their sw but yet they charge you extra to remove what they should be catching and removing in the first place!! Thanks so much, my 3 day nightmare was over in 5 mins.


----------



## regg187 (May 30, 2006)

I just got fixin the same thing on my dads laptop. TUNEUP UTILITIES 2006 free 30 trial took care of it in the registry cleaner section. I told him to buy it at the end of the 30 day period. between adaware and T.U. they can fix almost anything.


----------



## staci_123 (May 30, 2006)

*Attempting to fix this on my PC now.*

I have the dcomcfg.exe, atmclk.exe, regperp.exe and the red/green circle in my tray with the frequent red box message trying to get me to buy their malware - d@m^ them!!!   

I am going to try the suggestions here, but have a couple questions:
1.  I can't seem to figure out how to get my PC started in safe mode.  I've tried all of the function keys during startup but it just keeps trucking and logs me in to my normal desktop.
2.  Where can I find the StartMgr.exe and the Killbox programs that I read about earlier in this thread?
3.  Is Prevx necessary if I get those two programs?  I also installed Windows Defender, Spybot, and AdAware (none of them removed my pests).
4.  Spybot found a "Zlob" file that it said it fixed twice yet it keeps coming back.  I linked it to the dcomcfg.exe file when I googled it.  Do you think I will be able to get rid of this once and for all if I disable System Restore and run Spybot in safe mode?  Or do I need to do something else for it as well?

I hate this!  What morons are actually clicking on these popups and giving money to the people who have infected their PC?!?!?  Someone must be or they'd give up on these Trojans...   

Thanks for the advice!


----------



## mrmagu28 (May 30, 2006)

*Here's what I did.*

I rebooted, hit F8 a bunch of times and it finally got to the screen where I could choose Safe Mode. I built my pc 5 years ago and it runs great. What kind of pc do you have? Some say hit F5 or Del....depends what system you have. I ran the SmitFraudfix.zip file and it cleaned my system in 5 mins. I did not download anything else. Although I might download the TUNEUP UTILITIES 2006 to clean my registry. Still looking this up to see if it is a good program. I have used spybot and it was stuck in a cycle. It found them then cleaned them then found them and cleaned them again. 

I also ran housecall, (http://www.trendmicro.com/hc_intro/default.asp), mcafee (Stinger) http://vil.nai.com/vil/stinger/default.aspx  but did not find anything. Try these things and see if they work for you.


----------



## staci_123 (May 31, 2006)

I have a 1.2 GHz Celeron Gateway.  I'm actually planning to replace it and upgrade soon but will be giving this PC to my mom (she has my old one from 10 years ago and it is OBSOLETE!!!)  Plus I don't want to lose my data in the mean time!

Thanks, I'll try holding down F8 and see if that works then I was going to run the SmitFraudfix.zip.  i'll let you know how it goes!


----------



## esteban (May 31, 2006)

*Successfully deleted dcomcfg.exe*

Hi,
I had tried all kinds of software to delete dcomcfg.exe and they did not work. Only using your link to SmitfraudFix and following the simple instructions worked out.  I did not need to do it under Safemode.  After rebooting, all the undesired files were deleted.  So far, I have not seen any of the popups I used to get and my webpage is not redirected to their site anymore.  I did not get your message indicating it had an error in cleaning the files. Thank you for the advice.  I wish others having the same problem could read this before downloading all the software (free or not) claiming they will delete it and most often, they don't.

Esteban





			
usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...


----------



## SolumTECH (May 31, 2006)

i used these utilities to clean my computer if you want to see my post on page 5 i have  detailed instructions on how i removed it
Smitfraudfix is great but it didnt take care of the green red "your computer is infected" pop up you will probably have to delete that manually the file resides in system32 folder and in windows 2000 (my computer) it is called fyhhxw.dll. on Legie's computer (windows xp) it is called sbnudh.dll
dl links
trendmicro's house call doesnt work for this virus/malware i had to dl the trial version of their antivirus
trendmicro antivirus -click try- http://www.trendmicro.com/buy/us/personal.asp
security task manager - http://www.neuber.com/taskmanager/download.html
smitfraudfix -zip file- http://siri.geekstogo.com/SmitfraudFix.php

just use windows search to see if you have sbnudh.dll or fyhhxw.dll if you do either delete them in the command prompt(see my post for instructions) or like Legie use killbox(i dont know anything about the program but he used it and it worked)


----------



## oldcrusty72 (Jun 3, 2006)

Guys,
I just signed up to say thank you for your help to rid myself of this problem, I too had done a search and came up with your site. I'm sorry i don't have much of an idea about software so i most likely wont be able to return the favour in the near future, but i will definitely check with you guys first if i have any more problems. 

Thanks again, Tim


----------



## drbobgold (Jun 7, 2006)

I am about to try smitfraud, but if you are in a hurry to deal with atmclk.exe and dcomcfg.exe, I too found that I could not delete them for "Access Denied".  However, I was able to rename each of them from the command prompt page, although I think I could have done it from windows explorer as well.  I just changed .exe to .old, and at least the yellow triangle and its popups disappeared.


----------



## SolumTECH (Jun 7, 2006)

that was a really good idea changing the file extension, i never thought about that when i had the same problem. You could have just used del, the command prompt doesnt care about anything really..even if the file is in use. and if that doesnt work for some reason you can boot to the command prompt

my post on page 5 is a detailed path to getting rid of all the viruses and residuals that come along with this malware


----------



## manami (Jun 9, 2006)

Thank you all I have had same problems with atmclk.exe, regperp.exe and dcomcfg.exe and thanks to this forum I have solved it.
Didn't have to go in safe mode at all just downloaded PREVX1 v1.2.0.48 and program did it all for me. It is free to download and to use for 30 days.
I hope my comment is helpful to someone like yours was to me.
Thank you all again


----------



## Annihil4t0r (Jun 10, 2006)

*Removed!  W00t!!!!*

OMG I got it removed.  Download the latest version of spybot at http://www.safer-networking.org/en/mirrors/index.html  and then make sure you nab ALL the updates.  For some weird reason, I had to restart before it would install the updates.   When you're done updating, do the following:

1) Immunize the system
2) Do a system scan and delete anything it finds.  I believe it should ask you if it wants to run on the next restart.  Say yes.
3) Restart and let it do its scan.  When it's done, delete it, and I would recommend double checking the immunize.
4) Open the process manager after everything appears to be booted up, and check if atmcld.exe and dcomcfg.exe are there.  If not, you can optionally go to c:\windows\system32 and delete the files.  Unfortunately, I haven't found what keeps trying to recreate these exes, and it might just be there doing nothing until somebody finds it.

and BTW, the reason why Spybot works is because of the Tea Timer and the Immunization.  The immunization will prevent it from coming back.  Tea Timer will always alert you when there is a change that takes place that has a possibility of being spyware or a hijack.  It's kinda like an internal firewall that requires its hand to be held at every decision and learns only if you tell it to.


----------



## DonD78217 (Jun 11, 2006)

*Fixed it with SmitfraudFix*

Messed with almclk.exe & dcomcfg.exe for 3 days.  This forum solved it for me with SmitfraudFix.  Went to google and entered the URL so I could have the site translated.  D/L ed file and it worked like the message says it will.  just be patient as it works slowly.


----------



## Comporit (Jun 12, 2006)

*Trojans and viruses that caused windows to pop up*



			
Comporit said:

> I still get a window that pops up that says Windows Temp with a black screen, which then shuts by itself.
> 
> Does anyone have any suggestion on how to get rid of that?




I just wanted to share that I downloaded the 30 day free trial version of Kaspersky Internet Security and it eliminated all those pop ups and other annoyances.  www.kaspersky.com -- seeing is believing; I never would have thought until I tried it myself.


----------



## mengel (Jun 13, 2006)

*ATMCLK file*

Thanks for this useful advice... you really saved the day for me since I was getting more and more frustrated with the pop-ups, etc.  Against my better judgement and expecting even more problems, I downloaded the SmitfraudFix - what a breeze.

Thanks usctrojansfan04





			
usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...


----------



## gt4awd (Jun 13, 2006)

*Had tons of problems...*

I have had the computer I am using right now for over five years without getting even one spyware/malware/trojan. The reason is because I would use Norton Firewall and have all browser functions, scripts, active x, etc... on prompt status. In your IE settings or whatever browser you use set active scripting to prompt, and never allow scripts on a site you do not trust. Active scripting is what allows those spyware/malware/trojans/worms to be installed on your system when visiting a malicious website. These will mostly be hacking, and porno websites.

I recently got DSL after using slow 56k forever and decided I did not want to leave active scripting on prompt because it was slowing loading times down, and getting annoying to click all the time. After a few days I forgot all about it, visited a free porn site, and had this malware installed onto my computer. It does not fully install or run until you restart, and during the same day I ran windows update. After restarting and seeing the two new icons on the desktop, and then seeing the popup window stating my security was compromised, I decided it must be one of the updates that were installed.

After searching the new process names that I found, I realized it was malware. I was updating to SP2 at the time though, and it was going very slow... I think this malware might actually start to slow down your computer. I decided to exit the SP2 installation while it was installing, run the "SmitfraudFix" program, and then restarted the SP2 install. That was a bad idea, and when I restarted the computer it just constantly restarted over, and over. I found that the OS was completely corrupt, and no special boot options could get into the OS.

Not having a Windows XP cd at the time, I had no way of fixing the computer. A week or so later I bought my new computer, which came with a XP cd. After running the "repair" mode on XP install the computer got into windows explorer but was unable to load the desktop, or display any GUI's at all except for Windows Task Manager. You will get the error ' File: "RTL8139.sys" on RTL8139/810X Family Fast Ethernet NIC Driver Disk is needed. ' or something very similar about Ethernet while running the repair mode (when it is installing drivers) and also when windows loads.

After windows not properly loading the first time, I restarted and ran the repair mode again. The second time around fixed the problem, and windows loaded properly. After you get into windows it will load drivers depending on what is connected to the computer. For instance your mouse will not work at first, and you will see a dialogue box saying drivers are being installed (if it is a USB mouse). After that windows will automatically restart, and you're almost ready. Now you have to reinstall the Ethernet NIC Driver.

To do this put in the windows XP cd, and go to Start/Search, search on the cd for the ".sys" file the error says you need. Once it finds the file, right click on it, copy the file, and paste it in the "C:\windows\system32\Drivers" folder. Now go to My computer, Properties, Hardware Device Manager, Network Adapters, Update Driver. Click "No. Not at this time." for the Automatic Update search, click "Install from a list or specific location", and then "Do not search. I will choose file to install".

In the Network adapter box select the name of your Adapter. Mine had two listed, the "RTL8139 Family Fast Ethernet" and another that was the same but had "RTL8139/810X". The 810X was for SP2, which obviously completely messed up, and isnt even enabled on my computer. There must still be a lot of its files though, but for now windows is working properly.

After doing that your computer will be fixed. To avoid all this though dont exit SP2 while it is installing. None of the problems listed above were due to the "SmitfraudFix" program, and the program did remove the malware. It took me almost two weeks to see if it worked though. So if you're stuck with a computer that just constantly restarts this post should help you fix it I guess. Sorry it is so long, and thanks to these forums for helping me remove the malware. Also, big thanks to the programmer of the "SmitfraudFix".


----------



## avt (Jun 13, 2006)

atmclk.exe , dcomcg.exe
Answer is:-

smitfraudfix -zip file- http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Just double click the SmitfraudFix.cmd and follow the prompts


----------



## c0mput3rg33k (Jun 14, 2006)

Thanks usctrojansfan04 - I had the same problem and SmitfraudFix was the only thing that worked. I run my own IT business and this program will definitely be on my utility disk. Thanks Heaps.  




			
usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...


----------



## pbjoerke (Jun 17, 2006)

I have had problems with *atmclk.exe, regperp.exe and dcomcfg.exe* for some days.
The most terrible and annoying spyware I have met.
I started with the tips about *PREVX*, as it sounded easy and capable. I never got it working though. It started with an error about C++. When continuing I had to click OK on about 10 error messages. (I never have these problems with all other programs I have installed)
I gave up and tried the *SmitfraudFix* instead. It worked very well without running in safe mode. My IE works smoother than it did before the latest fraud. The only thing that happened was that my background image was reset to default.
So, I agree with many people here, Thanks to the author of Smitfraud.


----------



## hellorsanjeev (Jun 20, 2006)

*Excellent Tool*

Oh Cool ! I luv to see it again and again. I spent almost 2 days to get rid of these errors like atmclk but nothing was successful. The virus used to open bad and porn sites anytime. But then I read about this tool. Oh boy, it was a fun to execute it. It deleted all the viruses at once.

Hats off to the author of this tool, I really appreciate his knowledge

Regards,
Sanjeev @ Induslogic Inc.


----------



## smittyre (Jun 23, 2006)

*SmitfraudFix*



			
usctrojansfan04 said:

> Hey Pheonix_789, I used to have the same problem. Here's the solution:
> 
> Please download SmitfraudFix (by S!Ri) (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
> Extract the content (a folder named SmitfraudFix) to your Desktop.
> ...



I had the problem and used this to resolve it, it worked great.  Note I did not run into the error above.  I would recommend running the "Search" several times until all bad files are removed.


----------



## Sledgehammerhyena (Jun 26, 2006)

*I have another solution!*

What I did to get rid of the  evil  spyware:

I use XP Professional. Firstly I removed the SpyFalcon thing using "Add/Remove Programs". Then I logged out.

1. - I logged in and immediately pressed ctrl + alt + del and clicked on the task manager option.

2. - I waited until the processes that are associated appeared. (dcomcfg.exe, regperf.exe, atmclk.exe)

3. - I then right clicked on them and chose "End Process Tree".

4. - That fixed them straight up. I was then free to delete them from the system32 folder and the registry and "POOF" they were gone.

NOTES: When waiting for the processes to appear, the main thing to look out for is regperf.exe. That is the process that you want to end mainly. Beware though. It will disappear in a short amount of time and then it is too late. You will have to log in and out again for a second attempt.

I have a question. How do you delete the rest?

How do you get rid of the Icon down in the tray that has a picture of a red circle with a strike through alternating with a green wheelchair? Its caption is "Virus Alert!" And it keeps making random things appear that say "Your computer is infected!" It is so annoying.

Thanks you guys for the helpful info that led me to get rid of the pesky little virus-things on my own. Saviours 

Mum/Dad would have been very pissed off if they had seen the random porn that kept appearing. So im saved!

Cheers


----------



## sanfin (Jun 27, 2006)

*Thanks usctrojansfan04!*

Hey usctrojansfan04,
I was almost thinking of formatting but your advice was more then useful!
Thank you so much!
Cheers,
Paolo


----------



## driftwood (Jul 1, 2006)

*thanks!*

i noticed this problem last nite and tried a system restore to get rid of the two processes , didnt allow me to do it. then today i looked at these forums , and DL'd the SmitFraudFix and ran it as stated , allowed to reboot (wait awhile) and it deleted the two files perfectly!!! thanks to creator


----------



## usctrojansfan04 (Jul 13, 2006)

Glad to be of help to everybody!


----------



## movermanwa (Jul 19, 2006)

Finally something that works on these buggers. Downloaded, saved to desktop, rebooted into Safe Mode, ran the search, then ran clean, rebooted and bingo it was all gone.


----------



## drimades (Oct 25, 2006)

I've used SmitFraudFix and it deletes the file dcomcfg.exe but it still reappears after some time when I connect to the Internet? What can I do?


----------



## Comporit (Oct 25, 2006)

*That's odd*

It permanently deleted the files on my system but my system was riddled with so many trojans and other viruses it was only part of the problem.  I changed from NIS to KIS (Kaspersky Internet Security), which I first downloaded from www.kaspersky.com for a one month free trial.  The KIS cleaned and still maintains my system and I avoided having to reformat.  Good luck to you!


----------



## Rol87 (Jun 10, 2007)

*HELP!!!!ahhhh!*

hey,
sorry for digging this from the grave. But I have been having some problems with some pop ups I have tried spybot and smitfraudfix but no luck the pop up that always pops up is "outerinfo" can someone help me on this one I did have more pop ups but now i have way less than before. One other thing when i reboot I get this rundll message and its "uxvuicww.dll" it says that the module could not be found. 

HELP!!!


----------



## Namslas90 (Jun 10, 2007)

@Rol87, have you run MRT yet?


----------



## Rol87 (Jun 10, 2007)

*no*

no whats that?


----------



## Namslas90 (Jun 10, 2007)

Rol87 said:


> no whats that?



Windows Malicious Removal Tool.  Click start > run > enter 'mrt' then click ok.  Make sure windows has been updated though, to get latest virus/spyware/malware ID's.


----------



## Rol87 (Jun 10, 2007)

umm.. it says: "windows can not find "mrt"


----------



## Namslas90 (Jun 10, 2007)

Rol87 said:


> umm.. it says: "windows can not find "mrt"



Go to Microsoft update/downloads and get it, it's free!!


----------



## theonetruewill (Jun 11, 2007)

Did anyone think of just using CCleaner (deleting the startup registry entries)?
Then going to Control Panel > Admin tools > Services, and disabling the services which weren't legitimate.
Then using Unlocker (which you finally did - good one) to delete the damn things.

Very simple...

Also get a better Antivirus

Nod32 free trial anyone???


----------



## Rol87 (Jun 11, 2007)

*help*



theonetruewill said:


> Did anyone think of just using CCleaner (deleting the startup registry entries)?
> Then going to Control Panel > Admin tools > Services, and disabling the services which weren't legitimate.
> Then using Unlocker (which you finally did - good one) to delete the damn things.
> 
> ...




hey what do you mean?


----------



## theonetruewill (Jun 11, 2007)

Rol87 said:


> hey what do you mean?



Do you mean, help please explain OR I think you're a n00b what the hell do you know about shit?

CCleaner > Tools > Startup > delete the startup entry. If you don't know which one Google it, but I've always been able to tell. If you're a newbie, look it up first.

Then Control Panel > Admin tools > Services and right click on the right one (Google if necessary)> Properties and disable the service at startup and currently.

Then get a file unlocker (Unlocker Assistant/Gipo Move on boot) and destroy those viruses in your system32 folder. (C:\WINDOWS\system32 - it's where most viruses generally hide)

Then get the Nod32 trial and install it.

Then go to scan but with all the scanning options enabled like in the attached picture.

If however you were taking the piss - just die.


----------



## Namslas90 (Jun 11, 2007)

Check this out, then bookmark it;

156 windows commands

http://www.fixmyxp.com/content/view/20/42/


----------

