
Spyware/Malware/Adaware Infections

Discussion in 'Malware and Virus Removal Archive' started by reknaw, 2006/04/26.

  1. 2006/04/28
    PeteC SuperGeek Staff
    PalTalk is harmless - it is chat software. If you use it or loaded it I suggest you leave it, if not you can bin it.

    I am just going out for the evening - will check back on my return.
     
  2. 2006/04/28
    Welshjim Inactive
    reknaw--Forgive me, I did not read your Post#16 thoroughly. BitDefender does say it has deleted atmclk.exe.
    Did you reboot after that?
    It could be that the latest BitDefender scans are finding atmclk.exe in their own delete file.
     

  4. 2006/04/28
    reknaw Well-Known Member Thread Starter
    Here's the latest HJT... Ewido just has about 10 cookies... should I delete them?

    Logfile of HijackThis v1.98.0
    Scan saved at 7:49:16 PM, on 28/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Labtec\Wireless Mouse\MulMouse.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HJT2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe "
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84 "
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Labtec Mouse Software 2.0.lnk = C:\Program Files\Labtec\Wireless Mouse\MulMouse.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: PUFLITE - http://brockvillerealestate.point2homes.biz/Photo/Control/PUFLITE.CAB
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
     
  5. 2006/04/29
    PeteC SuperGeek Staff
    Yes, delete those cookies - and see my comment below re. cookies.

    I have just noticed - should have seen it before :( - that you are running an old version of HJT, 1.98.0; the latest is 1.99.1, available through Quicklinks in my signature. Please download this, scan again and post a fresh log - there are a couple of lines I think need fixing.

    Do you have a Home Page set in Internet Explorer?

    These two lines should be fixed ....

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    Apart from that your log looks OK, but please run the scan with v1.99.1.

    You say that the computer is sluggish - I noticed from the Ewido report
    . If this is the case no wonder it is slow and I wonder how many temporary internet files you are holding. I will suggest a good cleanout after I have seen the next HJT log, but in the meantime give me this information, please ....

    Tools > Internet Options > Temporary Internet Files > Settings - how much disk space is allocated - in Mb?

    Then hit View Files - how many objects are listed in the status bar at the bottom? If the status bar is not showing, go to View and check Status Bar.
     
  6. 2006/04/29
    reknaw Well-Known Member Thread Starter
    Hi Pete. I think you misread the way I posted the cookie files. I wrote Cookies Scanned - 91... I didn't think I had 40736; that was traces scanned :)

    Disk Space in Mb = 10; View Files = 308

    I have to go into work this morning (GMT-5 hours) and will try to do the rest there and post the HJT (new version) then.
     
  7. 2006/04/29
    PeteC SuperGeek Staff
    Yes - I misread it :)
     
  8. 2006/04/29
    reknaw Well-Known Member Thread Starter
    Pete... I haven't deleted anything yet, but I managed to download the newer HJT and ran it for you to view the results... and yes, I do have a home page set up in Internet Explorer (www.kenallen.ca).
    Off to work now - will check back later from there.
    .....................
    Logfile of HijackThis v1.99.1
    Scan saved at 7:41:57 AM, on 29/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe
    C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Labtec\Wireless Mouse\MulMouse.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\HJT2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe "
    O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84 "
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup
    O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Labtec Mouse Software 2.0.lnk = C:\Program Files\Labtec\Wireless Mouse\MulMouse.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: PUFLITE - http://brockvillerealestate.point2homes.biz/Photo/Control/PUFLITE.CAB
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     
  9. 2006/04/29
    PeteC SuperGeek Staff
    Your log looks clean to me :)

    Fix this file missing line ....

    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

    Turn System Restore back on.

    Let us know if you have any further problems.
     
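    The checks PeteC makes by eye in his two replies above (the HJT version in the log header, the two R0 `Local Page =` lines with nothing after the `=`, and the O23 service line ending in `(file missing)`) can be run over a saved log rather than read off by hand. The following is an added example written for this page; it is not code from the thread, from HijackThis or from any of the posters. The sample log text is a constructed excerpt assembled from entries quoted in this thread, the 1.99.1 threshold is the version PeteC asks for, and the finding labels (`outdated_hjt`, `empty_ie_setting`, `service_file_missing`) are names chosen for this example, not HijackThis terms.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt in the format of the HijackThis logs
# posted in this thread, not a complete log. The entries are copied from
# the logs quoted above; the header carries the older v1.98.0.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.0
Scan saved at 7:49:16 PM, on 28/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Internet Explorer provided by Sympatico
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\\WINDOWS\\system32\\drivers\\KodakCCS.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\\WINDOWS\\System32\\ScsiAccess.EXE
"""

# The version PeteC asks for in this thread; anything older is flagged.
CURRENT_HJT_VERSION = (1, 99, 1)

# "R0 - ..." / "O23 - ..." entry lines; process listings do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
VERSION_RE = re.compile(r"^Logfile of HijackThis v(\d+)\.(\d+)\.(\d+)")


@dataclass
class Finding:
    kind: str    # label chosen for this example, not an HJT term
    entry: str   # the log line (minus its section prefix) that triggered it


def hjt_version(log_text):
    """Version tuple from the 'Logfile of HijackThis vX.Y.Z' header, or None."""
    for raw in log_text.splitlines():
        m = VERSION_RE.match(raw.strip())
        if m:
            return tuple(int(part) for part in m.groups())
    return None


def parse_entries(log_text):
    """Yield (section, body) for every R*/O* entry line in the log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def review_log(log_text):
    """Apply the three checks made by hand in this thread; return the hits in log order."""
    findings = []
    version = hjt_version(log_text)
    if version is not None and version < CURRENT_HJT_VERSION:
        findings.append(Finding("outdated_hjt", "v%d.%d.%d" % version))
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1"):
            # An R0/R1 line whose value after '=' is blank is the case
            # PeteC says "should be fixed".
            _, _, value = body.partition("=")
            if not value.strip():
                findings.append(Finding("empty_ie_setting", body))
        elif section == "O23" and body.rstrip().endswith("(file missing)"):
            # A registered service whose binary is gone: a stale entry to fix.
            findings.append(Finding("service_file_missing", body))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.kind:22s} {f.entry}")
```

    Run as a script it prints four findings for the sample: the outdated version, the two empty R0 lines and the KodakCCS service. To use it on a real log, read the saved HijackThis text file into `review_log` in place of `SAMPLE_LOG`; lines that do not match an `R*`/`O*` entry (the process list, the header) are ignored by the parser.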
  10. 2006/04/29
    reknaw Well-Known Member Thread Starter
    Thanks a million Pete....you too Welsh Jim. Very much appreciated, don't know what I'd do without you guys.

    BTW, I had another problem under Control Panel Logon... whatever we did here fixed that as well - I can now open it the normal way, Start/Control Panel.
     
  11. 2006/04/29
    PeteC SuperGeek Staff
    My pleasure :)
     
  12. 2006/05/01
    trademark Inactive
    I've been infected with atmclk.exe as well. I did a Google search on it
    (that was also how I found out about this forum)
    and at the top of the list was a program called Prevx1,
    which can remove it or at least block it:
    http://fileinfo.prevx.com/QQe6a218715669-ATMC14789543/ATMCLK.EXE.html
    That's a link to its database, which gives you details about atmclk.exe,
    and there is a link to download the software from there.
    I also get lots of popups trying to get me to download some
    antivirus software, and it has a warning sign in the taskbar.

    Hope this helps
    Tristan
     
  13. 2006/05/01
    trademark Inactive
    Also, I have used AVG Free, Ad-Aware, Spybot S&D,
    Trend Micro Anti-Spyware, XoftSpy and Windows Defender (Beta 2),
    and I removed everything I found with those. I also tried using
    Secure Shredder to delete the files, but they were always busy;
    I couldn't find them anywhere in the startup list.

    Tristan
     
  14. 2006/05/01
    PeteC SuperGeek Staff
    trademark - Welcome to the Board :)

    Thanks for the heads up on that removal tool - always more than one way to 'skin a cat' :)
    If you have a problem start a new thread in this forum.

    Is it similar to this thread? .....

    http://www.windowsbbs.com/showthread.php?t=53884
     
  15. 2006/05/01
    Mofasa Inactive
    "atmclk.exe"

    For those of you still having problems with this viral .exe file, please read below:

    This file is part of the "spyfalcon.com" set of tools. Its purpose is to mimic that of a normal Windows message telling you your system is infected. After clicking on the windows that pop up, you will find yourself at a site that will offer to fix the problem for you, at a cost. DO NOT GIVE THEM YOUR CREDIT CARD!

    Here's the skinny on our little friends here:

    Spy falcon is a company owned by:

    Registration Service Provided By: ESTDOMAINS
    Contact: +1.3027224217
    Website: http://www.estdomains.com

    Domain Name: SPYFALCON.COM

    Registrant:
    SunShine Ltd
    David Taylor (david.alant@gmail.com)
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Creation Date: 16-Jan-2006
    Expiration Date: 16-Jan-2007

    Domain servers in listed order:
    ns1.antispydns.biz
    ns2.antispydns.biz
    ns3.antispydns.biz


    Administrative Contact:
    SunShine Ltd
    David Taylor (david.alant@gmail.com)
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Technical Contact:
    SunShine Ltd
    David Taylor (david.alant@gmail.com)
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Billing Contact:
    SunShine Ltd
    David Taylor (david.alant@gmail.com)
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Status:ACTIVE

    EST Domains claims no responsibility for the content and claims they are only the registrant. What they are saying is that they will take the money from these people every time they bill them, even though they don't agree with what they are doing.

    The FBI has told me that there is not much they can do since the owner is over-seas.

    So, for now, I am looking into other avenues of ways to nail them. I seem to be the only one who is outraged enough to try and do something about these fools. Their 3+ year reign of terror is about to end.

    What you can expect:

    Pop-ups for dating sites
    Key loggers that go through so many hops you can't track 'em past Seattle
    Domain registries that change every month, and sometimes every day
    Annoying warnings that your system is infected
    Compromised data throughout your system, etc.
    The only way I was able to get rid of it was using Prevx1, available as a free trial; just Google it.

    Besides that, I welcome any and all info you have about this group in hopes that I or my attorneys might be able to find an angle to get 'em here in the US and bring 'em to justice. Isn't installing files on a computer without consent still illegal?
     
  16. 2006/05/01
    trademark Inactive
    I sent this email off to some UK-based thing that deals with this sort of stuff; I don't know who, because it has disappeared out of my Drafts folder.
    This is the scam email going round: they hack into someone's Hotmail account and send the email below.
    I also got rid of it using Prevx1.

    'Dear Sir/Madam

    There is a virus that comes off a website. It is sent in an email from someone you know who has you on their contacts list. This is a copy of what the email is like:

    Subject:help

    Hi! How are you?
    You know I've created my own website!
    Can you check how it works?
    It's http://republika.pl/myavi
    Can you see video?
    Bye!

    I have found some background information on the website

    Domain object:
    domain: republika.pl
    registrant's handle: ont_o39419 (CORPORATE)
    nservers: dns.onet.pl.[213.180.128.240]
    dns2.onet.pl.[217.97.201.240]
    dns.astercity.net.
    created: 1999.06.25
    last modified: 2006.01.23
    registrar: Grupa Onet.pl SA
    ul. Starowislna 48
    31-035 Krakow
    Polska/Poland
    +48. 12 2600200
    bok@onet.pl

    Subscribers Contact object:
    company: Onet.pl SA
    street: Starowislna 48
    city: 31-035 KRAKOW
    location: PL
    handle: ont_o39419
    last modified: 2006.01.23
    registrar: Grupa Onet.pl SA
    ul. Starowislna 48
    31-035 Krakow
    Polska/Poland
    +48. 12 2600200
    bok@onet.pl

    Yours Sincerely
    Tristan'
     
  17. 2006/05/01
    trademark

    trademark Inactive

    Joined:
    2006/05/01
    Messages:
    13
    Likes Received:
    0
    Found some more information on David Taylor: he owns spywarequake.com,
    a website that contains software to remove the spyware he put on your machine in the first place.

    Whois Record for Spywarequake.com
    Page Information
    Website Title: SpywareQuake - Technologically Advanced Spyware Removal Program
    Record Type: Domain Name
    Indexed Data
    Alexa Trend/Rank: 50,867 (1 Month) 106,567 (3 Month)
    Server Data
    Server Type: nginx/0.3.35
    IP Address: 195.225.177.7
    IP Location: - Netcathosting
    Response Code: 200
    Blacklist Status: Clear (history)
    SSL Cert: No valid SSL on this Host
    Website Status: Active
    Registry Data
    ICANN Registrar: ESTDOMAINS, INC.
    Created: 2005-11-27
    Expires: 2007-11-27
    Registrar Status: ACTIVE
    Whois Server: whois.estdomains.com
    Name Server: DNS2.SPYWAREQUAKE.INFO
    Whois Record


    Registration Service Provided By: ESTDOMAINS
    Contact: +1.3027224217
    Website: http://www.estdomains.com

    Domain Name: SPYWAREQUAKE.COM

    Registrant:
    SunShine Ltd
    David Taylor ()
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Creation Date: 27-Nov-2005
    Expiration Date: 27-Nov-2007

    Domain servers in listed order:
    dns5.spywarequake.info
    dns4.spywarequake.info
    dns3.spywarequake.info
    dns2.spywarequake.info
    dns1.spywarequake.info


    Administrative Contact:
    SunShine Ltd
    David Taylor ()
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Technical Contact:
    SunShine Ltd
    David Taylor ()
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Billing Contact:
    SunShine Ltd
    David Taylor ()
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Status:ACTIVE
     
  18. 2006/05/01
    trademark

    trademark Inactive

    Joined:
    2006/05/01
    Messages:
    13
    Likes Received:
    0
    I also found this on a site:

    SpyAxe replacement: SpyFalcon

    The name SpyAxe, top rogue anti-spyware app of 2005, brings up anger and frustration for its many victims, but now SpyFalcon has burst on the scene looking like a replacement for SpyAxe. SpyFalcon, just like SpyAxe, is being installed along with trojans through exploits. A screenshot can be seen here at SunbeltBLOG. Nick's Computer Security blog has instructions for ridding your computer of SpyFalcon in case you landed here looking for help with it.

    The domain whois shows:

    Registrant:
    SunShine Ltd
    David Taylor ()
    U-12 Gamma Commercial Complex # 47
    Rizal Highway cor. Manila Ave Subic Bay
    Olongapo City
    null,98101
    PH
    Tel. +206.9543154

    Creation Date: 16-Jan-2006
    Expiration Date: 16-Jan-2007

    Domain servers in listed order:
    ns1.antispydns.biz
    ns2.antispydns.biz
    ns3.antispydns.biz

    I wouldn't be surprised if the information is false. The IP address 195.255.176.79 belongs to Netcathost in the Ukraine and hosts 2 other domains spyfalconupdate.com and updateyourwindows.com (links to whois) and the IP address is blacklisted by spamhaus.
     
  19. 2006/05/01
    trademark

    trademark Inactive

    Joined:
    2006/05/01
    Messages:
    13
    Likes Received:
    0
    Hope we can get something over this guy and get him locked up

    Supposed anti-spyware program SpyAxe is installed by a trojan named zlob.cy (aka Trojan-Downloader.Win32.Zlob) according to F-Secure. SpyAxe showed up on the scene about two months ago and has earned quite a name for itself. SpyAxe manages to appear on users' desktops without any notice or consent, as seen here, with a warning that your computer is infected with spyware. F-Secure says:

    SpyAxe is nice enough to detect the Trojan that downloads it, but it won't disinfect it unless you pay for a SpyAxe license, $49.50 U.S. (plus a nominal $2.95 transaction fee). I wouldn't dare pay for a licensed copy to verify that removal is actually done, but I have my doubts.

    F-Secure says this infection is growing rapidly:

    […] there seems to have recently been a huge spike in the distribution of Zlob. We found a way to see how many unique registration IDs have been handed out by the site Zlob registers with. Most of the day, there seemed to be about 1,000 new infections per hour, but now that the U.S. is waking up & powering on their computers, that number has risen to about 2,500 infections per hour.

    Instructions for removing SpyAxe using a free tool called SmitRem written by anti-spyware community developer noahdfear can be found at bleepingcomputer.com. SmitRem removes the Trojan-Spy.HTML.Smitfraud.c malware infection and its variants, AntivirusGold, PSGuard Spyware Remover, SpySheriff, Spy Trooper, SpyAxe, and Security Toolbar. SmitRem has been downloaded 252,652 times according to the web page, an indication of how widespread this infection is. An example of a HijackThis log with SpyAxe and the Smitfraud infection can be seen here.

    The SpyAxe website has a contacts page. If you've been a victim, consider letting them know how you feel about it. The website says the company is located in New Zealand, but the domain name spyaxe.com is registered to Sun Shine Ltd. with a Seattle address.

    Domain Name: SPYAXE.COM

    Registrant:
    SunShine Ltd
    David Taylor
    187th Ave, 5
    King County
    Seattle
    Washington,98101
    US
    Tel. +206.9543154

    The site's IP address 195.255.176.68 belongs to Netcathosting in the Ukraine, and the domain registrar is ESTdomains, which I believe is closely related to ESThost, a group known to host a large number of CoolWebSearch sites running exploits. ESThost is also closely related to a California ISP/hosting company Atrivo, also known to host a large number of CWS sites. Note the IP is currently blacklisted by Spamhaus. Four other domains reside on that IP address, almanah.biz, nospywaresoft.com, spyaxe.net and spyaxesupport.com. Links go to the whois lookup for the domain, not the domain itself.

    No doubt SpyAxe will earn a top spot on Spyware Confidential's top ten rogue anti-spyware list to be posted soon. See anti-spyware spread by spyware for information on apps very similar to SpyAxe.
     
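    The three posts above pivot by eye on the same registrant, phone number and netblock across spywarequake.com, the SpyFalcon domain and spyaxe.com. The script below does that pivot mechanically; it is an added example, not code from the thread, and its input records are constructed from the fields quoted above (the SpyFalcon domain name is a placeholder, since the thread never names it).

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: WHOIS fields quoted in this thread, trimmed; the SpyFalcon domain is not named there.
WHOIS_RECORDS = {
    "spywarequake.com": (
        "Registrant:\nSunShine Ltd\nDavid Taylor ()\nPH\nTel. +206.9543154\n"
        "Domain servers in listed order:\ndns5.spywarequake.info\ndns1.spywarequake.info\n"
        "IP Address: 195.225.177.7\n"),
    "spyfalcon (domain not named in thread)": (
        "Registrant:\nSunShine Ltd\nDavid Taylor ()\nPH\nTel. +206.9543154\n"
        "Domain servers in listed order:\nns1.antispydns.biz\nns2.antispydns.biz\n"
        "IP Address: 195.255.176.79\n"),
    "spyaxe.com": "Registrant:\nSunShine Ltd\nDavid Taylor\nUS\nTel. +206.9543154\nIP Address: 195.255.176.68\n",
}

def parse_whois(text):
    """Extract the pivot-worthy fields from a whois dump laid out like the records above."""
    lines = [ln.strip() for ln in text.splitlines()]
    rec = {"org": None, "phone": None, "ip": None, "ns_zones": set()}
    in_ns = False
    for i, line in enumerate(lines):
        if line.startswith("Domain servers"):
            in_ns = True
        elif in_ns and line and ":" not in line:
            rec["ns_zones"].add(".".join(line.lower().split(".")[-2:]))  # host -> zone
        elif line == "Registrant:" and i + 1 < len(lines):
            rec["org"] = lines[i + 1]
        elif line.startswith("Tel."):
            rec["phone"] = line.split(None, 1)[1]
        elif line.startswith("IP Address:"):
            rec["ip"] = line.split(":", 1)[1].strip()
        else:
            in_ns = False  # a blank line or any other field ends the name-server list
    return rec

def pivot(records):
    """Index domains by org, phone, /24 netblock and NS zone; keep only values shared by 2+ domains."""
    index = defaultdict(lambda: defaultdict(set))
    for domain, text in records.items():
        rec = parse_whois(text)
        for key in ("org", "phone"):
            if rec[key]:
                index[key][rec[key]].add(domain)
        if rec["ip"]:
            net = ipaddress.ip_network(rec["ip"] + "/24", strict=False)
            index["netblock"][str(net)].add(domain)
        for zone in rec["ns_zones"]:
            index["ns_zone"][zone].add(domain)
    return {k: {v: sorted(d) for v, d in vals.items() if len(d) > 1} for k, vals in index.items()}
```

    On these records the registrant and phone link all three domains, the /24 links only spyaxe.com and the SpyFalcon domain, and no name-server zone is shared, which matches what the posts observed.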
  20. 2006/05/01
    trademark

    trademark Inactive

    Joined:
    2006/05/01
    Messages:
    13
    Likes Received:
    0
    Last time we wrote about a rebrand of SpyAxe called SpywareStrike, this time we alert you to SpyFalcon courtesy of Sunbelt-Software. First, if you think you're infected, read our removal tutorial on the whole SpyAxe issue. And there is an interesting twist... the webhost provider is dishing out the WMF Exploit!

    This domain was registered on 16-Jan-2006 by David Taylor under the guise of SunShine Ltd. It uses the "ANTISPYDNS.BIZ" domain for its DNS traffic. The domain is hosted by NetcatHosting who owns its IP: 195.225.176.79. What is interesting even more about the netblock is this...

    This hosting company has a wmf file available for download listed (do not download this!):

    traff4ppc.biz/parthner3/xpl.wmf

    Guess what, yes you got it... this is the Win32/Exploit.WMF trojan. This webhosting company is hosting some nefarious stuff and should be shut down immediately. Responsible upstream providers ought to shut off the juice for them.

    If you haven't heard about the WMF Exploit, or want to see a full FAQ about it, then read this article. Other sites are hosted at NetcatHosting which I didn't research for this article (although by association I'd be very wary):
     
  21. 2006/05/03
    reknaw

    reknaw Well-Known Member Thread Starter

    Joined:
    2002/05/17
    Messages:
    214
    Likes Received:
    1
    Hi Pete,
    I thought I'd try running the BitDefender online scan on my desktop PC as well. I have not been having any problems with it..... I was amazed that 3 or 4 Trojans showed up and were deleted.

    I always used to use Norton's AntiVirus until recently switching to AVG on all 3 of my computers. My question now is, if BitDefender is locating viruses that AVG is missing, should I be buying the BitDefender AntiVirus software and using it?

    What are you using ?

    Thanks again for all your help - no doubt I'll be calling on your services again :)
     
