Hijack File for www.atoque.com

Name: gavroche23
Date: February 20, 2004 at 16:14:26 Pacific
OS: Win 2000
CPU/Ram: IBM Thinkpad T30
Comment:

Hey Guys,

Here is my hijack this logfile. I get a popup from www.atoque.com every time I close out Internet Explorer. Can someone check it out, and let me know what I should get rid of?
Thank you.

Pete

Logfile of HijackThis v1.97.2
Scan saved at 7:05:05 PM, on 2/20/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\1598_Fiberlink\Fgrd.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\WINNT\System32\lbc.exe
C:\Program Files\1598_Fiberlink\FgrServ.exe
C:\Program Files\Cisco systems\VPN Client\vpngui.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\FowlerPT\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [lbc] C:\WINNT\System32\lbc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco systems\VPN Client\vpngui.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: paldpack - http://tag/PAWeb/paldpack/paldpack.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab
O16 - DPF: {C1145550-A454-11D4-9020-00D0B7239081} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{990E74C8-D336-4E6D-81FD-B554A7F75DFA}: Domain = enterprisenet.org nmrlan.net us.enterprisenet.org nielsenmedia.com vnulinks.org nmrcrx.net stat.nielsenmedia.com vnuinc.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{990E74C8-D336-4E6D-81FD-B554A7F75DFA}: NameServer = 10.9.10.71,10.38.69.32
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2AD56C9-13C1-495A-B132-F9FDA022218A}: Domain = nielsenmedia.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nielsenmedia.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nielsenmedia.com





Response Number 1
Name: Valerie (by Garibaldi)
Date: February 21, 2004 at 16:04:34 Pacific
Reply:

Have you done the basic work for yourself???

http://www.computing.net/windowsxp/wwwboard/forum/87147.html

http://www.computing.net/security/wwwboard/forum/6433.html

Good luck

V...


0

Response Number 2
Name: gavroche23
Date: February 22, 2004 at 10:54:32 Pacific
Reply:

Valerie,

Yes. I have tried the links you mentioned. I wouldn't have posted a "hijack this" log without trying to get rid of stuff myself. I'm sorry I didn't make that clear.
With Spybot, the only thing that was found was Wild Tangent. And that is for java based games, correct?
I updated and ran Adaware, I removed the 4 tracking cookies that were found. That was it.
CW Shredder: Nothing was present with this tool either.
Any other input guys? Once again... I get www.atoque.com pop ups once I close out IE. Thanks for your help. Sorry I didn't tell about what I had initially tried.

Thanks again.

Pete


0

Response Number 3
Name: gavroche23
Date: February 22, 2004 at 11:34:35 Pacific
Reply:

Valerie,

Yes. I have tried the links you mentioned. I wouldn't have posted a "hijack this" log without trying to get rid of stuff myself. I'm sorry I didn't make that clear.
With Spybot, the only thing that was found was Wild Tangent. And that is for java based games, correct?
I updated and ran Adaware, I removed the 4 tracking cookies that were found. That was it.
CW Shredder: Nothing was present with this tool either.
Any other input guys? Once again... I get www.atoque.com pop ups once I close out IE. Thanks for your help. Sorry I didn't tell about what I had initially tried.

Thanks again.

Pete


0

Response Number 4
Name: whughes
Date: February 22, 2004 at 19:59:28 Pacific
Reply:

Pete:

READ THIS IMPORTANT NOTE: I AM NOT AN EXPERT USER OF HIJACK THIS, THEREFORE I AM NOT DEEMED AND SHOULD NOT BE CONSIDERED A TRUSTED SOURCE FOR INFORMATION REGARDING ITS USE. THIS POST IS INTENDED ONLY FOR USERS WHO UNDERSTAND HOW TO USE HIJACK THIS. IF YOU DO NOT KNOW HOW TO USE THIS PROGRAM, I IMPLORE YOU NOT TO USE THIS POST AS THE BASIS FOR MAKING ANY MODIFICATIONS TO YOUR SYSTEM. HAVING WRITTEN THIS WARNING, THIS POST SERVES TO AFFIRM THAT NEITHER THE HOSTING ENTITY OF THIS POST NOR I SHALL BE HELD ANY IN PART RESPONSIBLE FOR MODIFICATIONS YOU MAKE TO ANY MACHINE WHICH RESULTS IN LOSS OF DATA, LOSS OF APPLICATION USE OR FUNCTIONALITY, MACHINE FAILURE OR ANY OTHER FAILURE OF A MACHINE.

That said, whatever atoque.com is, I hate it with passion...

I just resolved this problem on a machine and wanted to spread the word; I don't know if anyone has solved it yet... What you have on your machine is a worm, and it's a doozy. It's difficult for even Hijack This to identify it completely, but it is really the only thing that I have found so far that came even close to addressing this horrible piece of adware...

This is a worm application that was installed on your machine either through accepting a browser installation or through an application or game that otherwise appeared to be safe (have not identified it)...

The application is in the c:\windows\system32 folder. What is the name of the app causing the problem? I can't tell you, because the name changes literally every time it is run, which means every time you run Internet Explorer. In fact, this is what it does:

1. Installs initially (by you, probably unintentionally).

2. Adds a line similar to the following to your registry:

O4 - HKLM\..\Run: [AFRCDLGS] C:\WINDOWS\System32\AFRCDLGS.exe

(The closest one I see in the above log from you is:

O4 - HKLM\..\Run: [lbc] C:\WINNT\System32\lbc.exe

And although that might be a valid app, even if that was the worm it has unfortunately but surely changed its name by now...)

3. You close your browser and, bam, you get pop-ups... but that's not all...

4. The next time you open Internet Explorer, that registry key tells the app to run, and it does, literally changing the name of the .exe itself (from lbc.exe to some other random file name, no specific count of alphanumeric characters), removing the registry key for the old app name and adding a new one for the new name!

5. You end up closing your browser window, you get pop-ups, and, close those, then, inevitably, you realize you are in the cycle of pop-up hell as the next time you open up IE you get the damned pop-ups again...

So how do you solve the problem when you don't know the name of the file!!!

I have managed to solve this problem with relative reliability (so far, anyway). Here's how:

1. Run Hijack This and do a search. Notice the registry entries as logged by Hijack This. Pay particular attention to the ones found in the C:\Windows\System32 folder, with entries which begin with an O4. These 2 references are the first clues to let you know you have found the worm app.

2. Go to c:\windows\system32. Show the window with details so you can see both name and SIZE of the files. SORT BY SIZE. Start looking at the .exe files identified above.

3. Is the file 64kb in size? When you mouse-over the file, is it from a company called 'tmax'? If yes, you have found the worm. But watch out; there is probably more than one bad file in that folder. Look for all files from tmax with that file size to find them all. You won't believe the names which show up.

4. To get rid of the bug, stop the worm's running process, delete all those .exe files in the system32 folder, get rid of the registry entries, and you're done, BUT...


5. If you want to be adventurous and test if this is actually a worm (this is optional, obviously, but proof of how evil programmers can be), do the following:

a. Delete the registry entry using the infected file. Stop the running process for the file. Delete all files by tmax EXCEPT one of them. Now, execute that one file, and watch as it adds a new registry entry with a completely different file name (beginning in the hijack this log with O4), and renames itself, then kicks the process off to pop those pop-ups as soon as you close your browser. Arrrgh! I hate how insidious people can be! And the worst part is, they get MONEY from advertisers every time you close your browser!

To clean it off again, go back to step 4.

Finally, to be thorough, for anyone doing a google search on this evil problem, let me put some text in here so that the post will appear in search results as a relevant item to resolving this issue (hopefully for good!)

atoque atoque.com www.atoque.com
popups when I close my browser
pop-ups when I close my browser
tmax
If I go to atoque.com all I get is United States 68.49.97.228
help!
file name randomly changes
bug worm

HiJack This can be downloaded at http://www.soft32.com/download-HijackThis-19015-5.html or http://www.soft32.com/download_19015.html


0
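An added example, not part of whughes's post and not HijackThis's own code: a Python triage helper that picks out Run entries shaped like the ones quoted above ([NAME] ...\System32\NAME.exe, no arguments) and compares two scans to show the entry that vanished and the one that appeared, the rename behaviour described in step 4. The function names and the two-scan arrangement are assumptions; a match is only a candidate to check against the 64kb size and 'tmax' company name from the post, since legitimate programs can have the same shape.

```python
import re
from ntpath import basename, dirname, splitext  # Windows path rules on any OS

# HijackThis "O4" line for a registry Run key: O4 - HKLM\..\Run: [value] command
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")


def exe_path(command):
    """Return the executable part of a Run command, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote.
        return command[1:].split('"', 1)[0]
    # Unquoted path may contain spaces: cut at the first ".exe" that ends a token.
    m = re.match(r"(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def self_named_system32(log_text):
    """Map value name -> path for Run entries whose value name equals the
    executable's base name, located directly in a System32 folder, no arguments."""
    found = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        _hive, value, command = m.groups()
        path = exe_path(command)
        stem = splitext(basename(path))[0]
        in_system32 = dirname(path).lower().endswith("\\system32")
        no_arguments = path == command.strip()
        if in_system32 and no_arguments and stem.lower() == value.lower():
            found[value.lower()] = path
    return found


def rotation(before_log, after_log):
    """Compare two scans: candidate entries that disappeared and ones that appeared."""
    before = self_named_system32(before_log)
    after = self_named_system32(after_log)
    gone = sorted(p for k, p in before.items() if k not in after)
    new = sorted(p for k, p in after.items() if k not in before)
    return gone, new


# Sample input: O4 lines quoted in this thread, arranged here as two scans for
# illustration. The thread does not confirm that lbc.exe and poolsss.exe were
# the same program; the pairing is constructed.
SCAN_1 = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lbc] C:\WINNT\System32\lbc.exe
"""
SCAN_2 = SCAN_1.replace("lbc", "poolsss")

if __name__ == "__main__":
    gone, new = rotation(SCAN_1, SCAN_2)
    print("candidates no longer present:", gone)
    print("candidates newly present:   ", new)
```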

Response Number 5
Name: Dave Lewis
Date: February 22, 2004 at 21:01:50 Pacific
Reply:

Well done, Wilson!
Your method worked great!
You must have only just posted it... I was struggling for hours trying to download HijackThis (Merijn is offline) and various other spyware stuff.

Thanks
Dave


0




Response Number 6
Name: gavroche23
Date: February 22, 2004 at 22:01:33 Pacific
Reply:

O4 - HKLM\..\Run: [poolsss] C:\WINNT\System32\poolsss.exe

That's the one file I've found so far that matches your specific instructions.
So you said "get rid of registry entries".
Without sheer mockery and in-my-face laughter, do ya think you could tell me how?

Thanks Wilson.


0

Response Number 7
Name: gavroche23
Date: February 22, 2004 at 22:44:33 Pacific
Reply:

Well, here's what happened. I ran hijack this and "fixed checked" on that poolsss.exe file (64kb and from tmax). Then I went to delete it, and it wouldn't let me because it was in use. I did a McAfee Virus scan on said file, and it wouldn't let me clean it. It did however say that it was a known trojan file.
I tried deleting the file in safe mode, but it was no longer to be found. Ugh.
So... I'm not sure if I got it for good, but I am not getting any popups right now. For anyone else with the problem... the file that Wilson told me to look for was at the very end of my System32 folder (when in details mode). The absolute very last entry.
Wilson, thanks for your help. If I get this annoyance again, at least I know where to look.
Thanks again.



0

Response Number 8
Name: whughes
Date: February 23, 2004 at 06:02:27 Pacific
Reply:

Pete:

Although mockery abounds on technical chat boards, I find it has no place, so you won't have to deal with that from me. (:

READ THIS IMPORTANT NOTE: I AM NOT AN EXPERT USER OF CTRL+ALT+DEL or Task Manager, THEREFORE I AM NOT DEEMED AND SHOULD NOT BE CONSIDERED A TRUSTED SOURCE FOR INFORMATION REGARDING ITS USE. THIS POST IS INTENDED ONLY FOR USERS WHO UNDERSTAND HOW TO USE CTRL+ALT+DEL and Task Manager. IF YOU DO NOT KNOW HOW TO USE THIS PROGRAM, I IMPLORE YOU NOT TO USE THIS POST AS THE BASIS FOR MAKING ANY MODIFICATIONS TO YOUR SYSTEM. HAVING WRITTEN THIS WARNING, THIS POST SERVES TO AFFIRM THAT NEITHER THE HOSTING ENTITY OF THIS POST NOR I SHALL BE HELD ANY IN PART RESPONSIBLE FOR MODIFICATIONS YOU MAKE TO ANY MACHINE WHICH RESULTS IN LOSS OF DATA, LOSS OF APPLICATION USE OR FUNCTIONALITY, MACHINE FAILURE OR ANY OTHER FAILURE OF A MACHINE.

It appears you did have the right file (poolsss.exe), but it changed its name if you managed to execute it. That is why it showed up as the very last file in your system32 folder; I forgot to mention that when you sort by size, if you execute the file, after executed, the name will change, and because the name changes Windows removes the file from the current listing of files in the folder and adds it back with the new name, but when it adds it back it puts it at the bottom because it doesn't update the sort. This means, as you discovered, it just plops the file at the bottom of the list of files. To see the file again, or with a new name, sort by size again (just click the tab to sort by size) and find a new file from tmax at 64kb...

As you stated, the reason you weren't able to delete the file was because it was a currently executing process. That means that, like any other application running on Windows, like Internet Explorer, Word, etc., when the app is running in memory, Windows marks it as being in use, and to keep itself from crashing, Windows doesn't allow you to delete the file until it stops running. This means that you have to stop it. This is not so straightforward to do since the app runs in the background without any icon indicator of its being run (since they want to trick you), but it's fairly easy to stop it. (And if you reboot your machine, it's probably not running prior to you opening Internet Explorer, but once you do, it's already running and needs to be stopped manually).

To find and stop the app, hold down CTRL+ALT+DEL, click Task Manager, click the Processes tab, and find the app in this list. If you don't see it, it's not running or it has a different name than you think it has. If you see it, select it and click the End Process button to stop it. Then try to delete the file.


0

Response Number 9
Name: rfw2
Date: February 23, 2004 at 17:50:18 Pacific
Reply:

Hi Wilson,
I followed your instructions and for the first time in weeks I don't have those annoying pop-ups. I had turned off System Restore on my XP, prior to stopping the application (323H.exe for me) and deleting. I'm not sure if that is necessary or not. Like Pete, I'm not sure how to delete the entry from my registry so I'm not sure if the problem will resurface in time. Anyway thanks for posting good advice, it really helped me!

Rob


0

Response Number 10
Name: lucymail
Date: March 10, 2004 at 06:06:22 Pacific
Reply:

Following Wilson's advice I have now fixed my computer after suffering with the atoque.com hell!

thank you Wilson

lucy


0

Response Number 11
Name: Carole15
Date: March 19, 2004 at 19:35:44 Pacific
Reply:

Help me PLEASE!!! Here is my hijack this logfile. I get a popup from www.atoque.com every time I close out Internet Explorer. Could someone let me know what I should get rid of?

Thanx

Logfile of HijackThis v1.97.7
Scan saved at 2:19:02 PM, on 20/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\RAM Idle LE\RAM_XP.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\mp22B98t.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\Neil\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.spidersearch.com/frame_results.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.spidersearch.com/frame_results.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.spidersearch.com/frame_results.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [Launcher] "C:\Program Files\KFH\cl\launcher.exe" /P
O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Neil\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_XP.exe
O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [erv] C:\WINDOWS\System32\erv.exe
O4 - HKLM\..\Run: [mp22B98t] C:\WINDOWS\System32\mp22B98t.exe
O4 - HKLM\..\Run: [tkctrsa] C:\WINDOWS\System32\tkctrsa.exe
O4 - HKCU\..\Run: [PopupWar] C:\Program Files\PopupWar\PopupWar.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - HKCU\..\Run: [aČ] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks11_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1071556862221
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} - http://www.sqwire.com/toolbar/SQLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfoliomanager.westpac.com.au/portfoliomanager/portfoliomanager.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/444/nCaseInstaller.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37649.1145833333
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/SonyPicturesGameDownloader.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://play.toontown.com/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


Carole


0

Response Number 12
Name: fay06
Date: March 20, 2004 at 11:08:01 Pacific
Reply:

Hi, my computer is also infected by the atoque virus/spyware or whatever it is supposed to be. I am not much of a computer person. Is there anyone willing to put the process of removing the atoque software in simple words/steps? It will be greatly appreciated. Thank you.


0
