Get This - I can't even run Hijackthis!


#1 Mitnek (New Member, 6 posts)
So I've run into the pokapoka70.exe problem as many other people have.

I've already reformatted my computer 2 times but I guess it doesn't actually format the registry? I've read through the starter threads and used ad-aware, clean up, hijackthis, startuplist, LQfix.

I did not get to install windows XP SP1. When I tried to do it just now, the window closes on its own. I tried it again a few times, same thing happened. So I figured I'd run HiJackthis again and IT closes as soon as it opens too. Task manager also instantly shuts down.

I've currently switched over to FireFox instead of MSIE.

I'm currently running an AMD 1.4 T-bird, 768 DDR RAM, a 20 gig WD Primary HD (the one I've been formatting), and a 40 gig Seagate Secondary HD (which I've kept intact, it has multimedia mainly).

I'm not really sure what to do right now. Is there a way to do a true format that actually cleans off my whole drive?

#2 Mitnek (Topic Starter, New Member, 6 posts)
Just reformatted, going to post new logs here.

XP SP1 is now installed.

Edited by Mitnek, 01 October 2005 - 07:02 PM.

#3 Mitnek (Topic Starter, New Member, 6 posts)
StartupList and HijackThis reports were done now. The ewido suite scan was done in safe mode after rebooting through LQfix and using cleanup40.

StartupList report, 10/1/2005, 10:45:10 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Administrator\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\winjava.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 2,417 bytes
Report generated in 0.030 seconds

Logfile of HijackThis v1.99.1
Scan saved at 10:45:20 AM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\winjava.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: SMSS - Unknown owner - C:\WINDOWS\smss.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:39:07 AM, 10/1/2005
+ Report-Checksum: 44D84C22

+ Scan result:

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned without backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned without backup
C:\WINDOWS\system32\wins\DLLHOST.EXE -> Worm.Welchia.a : Cleaned without backup
C:\WINDOWS\system32\li32.exe -> Trojan.Crypt.d : Cleaned without backup
C:\WINDOWS\system32\winampp.exe -> Backdoor.Bifrose.d : Cleaned without backup
C:\WINDOWS\system32\spooIsv.exe -> Backdoor.PoeBot.d : Cleaned without backup
C:\WINDOWS\system32\uamqwv.exe -> Backdoor.PoeBot.d : Cleaned without backup
C:\WINDOWS\system32\explorer.exe -> Backdoor.PoeBot.d : Cleaned without backup
C:\WINDOWS\smss.exe -> Backdoor.SdBot.xd : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP1\A0001062.exe -> Trojan.EliteBar.c : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP3\A0003294.dll -> Trojan.EliteBar.c : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP3\A0003441.exe -> Trojan.EliteBar.c : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP3\A0003444.dll -> Trojan.EliteBar.c : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP3\A0003458.exe -> Trojan.EliteBar.c : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP3\A0003459.dll -> Trojan.EliteBar.c : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP3\A0003467.exe -> TrojanProxy.Bobax.m : Cleaned without backup
C:\System Volume Information\_restore{998D66F0-9591-478B-899A-68F06F894974}\RP3\A0003468.exe -> TrojanProxy.Bobax.m : Cleaned without backup


::Report End

Edited by Mitnek, 01 October 2005 - 11:47 AM.

#4 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Can you take everything off the ignore list in HijackThis and post the full log please?

Regards,

#5 Mitnek (Topic Starter, New Member, 6 posts)
I don't understand :tazz:

#6 Metallica (Spyware Veteran, GeekU Moderator, 31,676 posts)
Your HijackThis log is too short to be coming from a real computer.

On the other hand that may be the rootkit at work.

*Click here to download Killbox by Option^Explicit.
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\smss.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: SMSS - Unknown owner - C:\WINDOWS\smss.exe (file missing)


Boot back to normal and copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Java]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Java]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Java]

Double-click the file you made and confirm you want to merge it with the registry.
Reboot once more and post a new HiJackThis log.

Regards,
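
A small triage script, added here as an example (it is not from the thread, HijackThis or ewido), that applies the reasoning behind Metallica's fix list in post #6 to the O23 service lines of the log in post #3: it flags services with no recorded vendor, services whose binary is missing from disk, and core Windows binary names registered outside their genuine folder. The sample lines are the page's own log; the GENUINE_HOME table is an assumption that lists only smss.exe.

```python
import re

# Sample input: the four O23 (service) lines from the HijackThis log in post #3,
# embedded as a constructed fixture so the script runs offline.
SAMPLE_LOG = r"""
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: SMSS - Unknown owner - C:\WINDOWS\smss.exe (file missing)
"""

# HijackThis O23 layout: "O23 - Service: <display name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumption: where the genuine copy of a core Windows binary lives. A same-named
# file elsewhere (C:\WINDOWS\smss.exe instead of System32\smss.exe) is name-squatting.
GENUINE_HOME = {"smss.exe": r"c:\windows\system32"}


def parse_o23(line):
    """Split one O23 line into display name, owner, binary path and a missing flag."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["missing"] = entry["missing"] is not None
    return entry


def suspicion_reasons(entry):
    """List why an O23 entry deserves a closer look; an empty list means it looks clean."""
    reasons = []
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no vendor recorded for the service")
    if entry["missing"]:
        reasons.append("service binary not on disk (orphaned entry, or hidden from the scanner)")
    folder, _, base = entry["path"].rpartition("\\")
    home = GENUINE_HOME.get(base.lower())
    if home and folder.lower() != home:
        reasons.append(f"{base} registered outside its genuine folder {home}")
    return reasons


def triage_services(log_text):
    """Map each suspicious service's display name to its reasons, skipping clean ones."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry and (reasons := suspicion_reasons(entry)):
            flagged[entry["name"]] = reasons
    return flagged
```

Run against the sample it returns exactly the three services Metallica told the poster to fix and leaves the legitimately owned ewido service alone.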

#7 Mitnek (Topic Starter, New Member, 6 posts)
Hey Metallica,

Sorry my internet has been down for two weeks :/ I just got it hooked up again today.

I just went ahead and reformatted the system, and it 'seems' ok at the moment. I'm using symantec antivirus and Zone Alarm. So far everything seems ok, although one day my computer kept slowing down because the liveprotection kept detecting a repeated worm attack and deleting it. It seems to be gone now.

Thanks for your help