closing .exe

bigsaucybob

bigsaucybob

New Member
I have some spyware on my comp, when I go to task manager I know its this atmclk.exe that is causing the problem.

When I go to C:/Windows/System 32 I see atmclk.exe right there. I cant delete it because its in use.

Is there anyway to disable it or force it to be deleted?

I have Zone Alarm Security Suite if it matters.
 
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
 
SmitFraudFix v2.60

Scan done at 12:19:59.14, Tue 06/13/2006
Run from D:\Documents and Settings\Jarret M\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» D:\


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32

D:\WINDOWS\system32\atmclk.exe FOUND !
D:\WINDOWS\system32\dcomcfg.exe FOUND !
D:\WINDOWS\system32\hp???.tmp FOUND !
D:\WINDOWS\system32\hp????.tmp FOUND !
D:\WINDOWS\system32\ld????.tmp FOUND !
D:\WINDOWS\system32\ot.ico FOUND !
D:\WINDOWS\system32\regperf.exe FOUND !
D:\WINDOWS\system32\simpole.tlb FOUND !
D:\WINDOWS\system32\stdole3.tlb FOUND !
D:\WINDOWS\system32\ts.ico FOUND !
D:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Jarret M\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\JARRET~1\FAVORI~1

D:\DOCUME~1\JARRET~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download, install, and update the free version of Ewido Anti-Malware:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.
 
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:39:03 PM, 6/13/2006
+ Report-Checksum: 119FC554

+ Scan result:

HKLM\SOFTWARE\Classes\MEDIATICKETSINSTALLER.MediaTicketsInstallerCtrl.1 -> Adware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CLSID -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CurVer -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WinRes.WindowsResources.1 -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaTickets -> Adware.PurityScan : Cleaned with backup


::Report End

I cant find the other report.
 
Logfile of HijackThis v1.99.1
Scan saved at 6:07:12 PM, on 6/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\ZoneLabs\isafe.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~2\WNSXS~1\ping.exe
D:\Program Files\??curity\explorer.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\AIM\aim.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - D:\WINDOWS\winres.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [69878dfe.exe] D:\WINDOWS\system32\69878dfe.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [69878dfe.exe] D:\Documents and Settings\Jarret M\Local Settings\Application Data\69878dfe.exe
O4 - HKCU\..\Run: [Sen] "D:\PROGRA~2\WNSXS~1\ping.exe" -vt yazr
O4 - HKCU\..\Run: [Wktpzav] D:\Program Files\??curity\explorer.exe
O4 - Global Startup: Workspace Macro Pro Hotkeys.lnk = D:\Program Files\Workspace Macro Pro 6.0\WMPHotkeys.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071
O20 - AppInit_DLLs: D:\WINDOWS\system32\iexplore.dll D:\WINDOWS\system32\ntvdm.dll
O20 - Winlogon Notify: wineil32 - D:\WINDOWS\SYSTEM32\wineil32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - D:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe



Well I got rid of one type of the spyware, but some other came now.
 
How did you get this stuff so quickly? I think you need an antivirus.

Save these instructions to a new Notepad document for use in safemode later.

1) Please download the
Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

D:\Program Files\??curity\explorer.exe
D:\PROGRA~2\WNSXS~1\ping.exe
D:\WINDOWS\system32\69878dfe.exe
D:\WINDOWS\system32\iexplore.dll
D:\WINDOWS\system32\ntvdm.dll
D:\WINDOWS\SYSTEM32\wineil32.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Run Hijackthis and select "Do a system scan only", place a check by the following entries.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - D:\WINDOWS\winres.dll (file missing)
O4 - HKLM\..\Run: [69878dfe.exe] D:\WINDOWS\system32\69878dfe.exe
O4 - HKCU\..\Run: [69878dfe.exe] D:\Documents and Settings\Jarret M\Local Settings\Application Data\69878dfe.exe
O4 - HKCU\..\Run: [Sen] "D:\PROGRA~2\WNSXS~1\ping.exe" -vt yazr
O4 - HKCU\..\Run: [Wktpzav] D:\Program Files\??curity\explorer.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTick...cab?refid=5071
O20 - AppInit_DLLs: D:\WINDOWS\system32\iexplore.dll D:\WINDOWS\system32\ntvdm.dll
O20 - Winlogon Notify: wineil32 - D:\WINDOWS\SYSTEM32\wineil32.dll

Close all open windows and browsers, and hit "Fix Checked".

Then reboot and post a new Hijackthis log.
 
You must log in or register to reply here.
Back
Top