pokapoka70.exe and other problems...



#1 pinkpanther21


Posted 29 September 2005 - 09:18 PM

Hey... I got this through a link that someone sent me on AIM, and in addition to making my AIM go crazy and sending the virus to everyone on my buddy list, my computer sometimes randomly shuts off or restarts, and has been acting up. I noticed that pokapoka70.exe keeps showing up in my processes and I'm assuming that has something to do with it. After running Ad-Aware, Norton, CWShredder, and an online scan, things are still acting up. The spyware removal programs also couldn't delete some of the things they found. Lastly, it opens tons of IE popups, even though I usually use Mozilla. Anyway, here's the HijackThis log. Thank you so much in advance for your help, really appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 7:33:46 PM, on 9/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\3DNA\Resources\3dnasys.exe
C:\WINDOWS\system32\windir32.exe
C:\Program Files\ProSiteFinder\ProSiteFinder.exe
C:\WINDOWS\etb\pokapoka70.exe
C:\WINDOWS\kxifr.exe
C:\WINDOWS\system32\Qklyrl.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\InetGet\Adperform180safull.exe
C:\WINDOWS\system32\windir32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\Irtbje.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\3DNA\Resources\multicap3dna.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\3DNA\3DNA_Desktop\3DNA_Desktop.exe
C:\Documents and Settings\Lynn\Local Settings\Temp\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgbhp.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/servlet/ajrotator/12844...L?zone=enternet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [3DNADesktop] "C:\Program Files\3DNA\Resources\3dnasys.exe" -open
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [ProSiteFinder] "C:\Program Files\ProSiteFinder\ProSiteFinder.exe"
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [0mle] C:\WINDOWS\kxifr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Xyrqgi.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Irtbje.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\InetGet\Adperform180safull.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000080.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUMENTS AND SETTINGS\LYNN\DESKTOP\cwshredder-2.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
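As an added triage example (not from the original post or the HJT Team), the script below applies a few defender-side heuristics to O4 autostart lines copied from the log above: a bare filename with no directory, an executable outside the usual system or Program Files locations, a random-looking or digit-heavy filename, and a value name that claims to be Windows while pointing outside system32. The trusted-directory list and the thresholds are assumptions for illustration, not a vetted rule set.

```python
import re

# O4 autostart lines copied from the HijackThis log above (ccApp kept as a clean control).
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [0mle] C:\WINDOWS\kxifr.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Xyrqgi.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Irtbje.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000080.exe
"""

# Matches "O4 - HKLM\..\Run: [name] command" and "RunServices" variants.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# Assumed allowlist: where legitimate autostart binaries normally live on this box.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")

def exe_path(cmd):
    """Return the executable token of an O4 command line (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    return cmd.split()[0]

def looks_random(stem):
    """Crude heuristic: four consecutive consonants or a digit-heavy name."""
    letters = stem.lower()
    if re.search(r"[bcdfghjklmnpqrstvwxyz]{4}", letters):
        return True
    digits = sum(c.isdigit() for c in letters)
    return len(letters) > 0 and digits / len(letters) > 0.4

def triage_o4(log_text):
    """Map each suspicious O4 line to the list of reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        _hive, _key, value_name, cmd = m.groups()
        path = exe_path(cmd)
        directory, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        reasons = []
        if not directory:
            reasons.append("bare filename: resolved through the search path, not a fixed location")
        elif not directory.lower().startswith(TRUSTED_DIRS):
            reasons.append(f"executable lives in an unusual directory: {directory}")
        if looks_random(stem):
            reasons.append(f"random-looking filename: {filename}")
        if re.search(r"microsoft|windows", value_name, re.I) and not directory.lower().startswith(TRUSTED_DIRS[0]):
            reasons.append("value name impersonates Windows but file is not in system32")
        if reasons:
            findings[line.strip()] = reasons
    return findings

if __name__ == "__main__":
    for entry, why in triage_o4(SAMPLE_O4).items():
        print(entry)
        for reason in why:
            print("   -", reason)
```

Every hit still needs a human look (the Symantec and HP entries in the real log are legitimate despite odd names), so treat the output as a worklist, not a verdict.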


#2 suebaby41


Posted 04 October 2005 - 08:34 AM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41


Posted 04 October 2005 - 10:54 AM

We have some work to do.

Step 1

WARNING!! The EliteToolbarRemover should be run from safe mode only. It will not be able to delete files in use by Windows so running it from a regular windows session is useless. A readme is included with complete details on the tool and the malware it removes.

Please download EliteToolbar Remover
  • Unzip it to its own folder but Do Not run the tool yet.
  • Restart your computer and boot into Safe Mode. The tool MUST be run in safe mode.
  • Run the ETRemover, restart your computer in normal mode when finished.
Step 2

Please download FxIstbar
  • The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
  • The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
  • The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files. These can be manually deleted using the following steps:
    • Start Internet Explorer
    • Click Tools > Internet Options.
    • In the Temporary Internet Files section, then click the Delete Files button.
    • Check Delete all offline content, and then click OK.
  • The Removal tool will not reset any changes made to settings in Internet Explorer. To restore default settings in Internet Explorer it is necessary to perform the following actions:
    • Click Start > Settings > Control Panel
    • Select Internet Options
    • Select the Programs tab
    • Click Reset Web Settings
    • Click OK
    • Exit Control Panel
Step 3

To help prevent further infection, please download SpywareBlaster which will
  • Add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  • Prevent the installation of ActiveX based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
  • SpywareBlaster can help keep your system spyware free and secure, without interfering with the "good side" of the web.
  • And unlike other programs, SpywareBlaster does not have to remain running in the background.
Step 4

Please download CleanUp! CleanUp! is a powerful and easy to use application that removes temporary files created while surfing the web, empties the Recycle Bin, deletes files from your temporary folders and more. Open CleanUp, click on Options. Make sure that the following are checked:
  • Empty Recycle Bins
  • Delete cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • CleanUp! All Users
The others are optional. Do not run it yet.
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.

Step 5

Step 6

How to use Ad Aware to remove Spyware <= Please check this link for instructions on how to download, install and then use adaware. Run this program as soon as possible.

How to use Spybot to remove Spyware <= Please check this link for instructions on how to download, install and then use spybot. Run this as soon as possible as it may catch things that Ad Aware misses.

Step 7

Please download and install Ewido Security Suite v3.5
If Ewido finds something that you KNOW is legitimate (watch for alerts that have the word "Heuristic" in them; these may actually be false positives), select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch Ewido by double clicking the "e" icon on your desktop.
  • The program will now go to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on "Start Update".
    • The update will begin and a progress bar will show the updates being installed. If you are having problems with the updater, use Update Ewido
    • After the update finishes, the status bar at the bottom will display "Update successful"
  • After the updates are installed do the following:
    • Click on Scanner and select "Settings"
    • Under the bottom section "What to Scan?" select "Scan every file"
    • Select "OK" and you will return to scanning options
    • Click on "Complete System Scan" [This can take a while to complete so please be patient]
    • While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then UNCHECK "Perform action on all infections" and click "OK". Note: You will have to watch the scan all the way through and delete items manually
  • After the scan has completed, Ewido will create a report.
  • There will be a button located on the bottom of the screen named "Save report". Click "Save report" [to your desktop] and post it in your next response.
  • Exit Ewido Security Suite when done.
  • Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days (which is the reason we uncheck them during installation). You can use Ewido as an on demand scanner (recommended) but you will have to manually update the definition file each time you scan by clicking on “Update” and “Start Update”.
Step 8

When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 9

Please post a new HiJackThis Log.

Edited by suebaby41, 04 October 2005 - 10:58 AM.


#4 suebaby41


Posted 27 October 2005 - 07:44 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.