Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

PokaPoka70.exe [RESOLVED]

Started by NeueZiel , Sep 26 2005 09:32 PM

This topic is locked

#1
NeueZiel

Posted 26 September 2005 - 09:32 PM

Member

Member
28 posts

First time here.. thank god I found this place..

Logfile of HijackThis v1.99.1
Scan saved at 11:28:49 PM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Si Meter\SiMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Madotate\madotate.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\etb\pokapoka70.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Si Meter] C:\Program Files\Si Meter\SiMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Madotate] C:\Program Files\Madotate\madotate.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104114049189
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
Rawe

Posted 26 September 2005 - 10:51 PM

Visiting Staff

Member
4,746 posts

Hello and welcome!

Please download miekiemoes' LQfix here:

LQFix

and place it on your desktop.
Doubleclick LQfix.exe and click "Install".
This will create a new folder called LQfix on your desktop.
Open the folder and doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

Post a fresh log. :tazz:

#3
NeueZiel

Posted 26 September 2005 - 10:54 PM

Member

Topic Starter
Member
28 posts

Done.

Logfile of HijackThis v1.99.1
Scan saved at 12:54:49 AM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Si Meter\SiMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Madotate\madotate.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.easysearch4you.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.easysearch4you.com/sp2.php
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Si Meter] C:\Program Files\Si Meter\SiMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Madotate] C:\Program Files\Madotate\madotate.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104114049189
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4
Rawe

Posted 26 September 2005 - 11:03 PM

Visiting Staff

Member
4,746 posts

Please print these instructions out, or write them down, as you can't read them during the fix.

First;

Please download Ewido Security Suite it is a free version of the program.

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT run a scan yet.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Now open Ewido and do a scan of your system.

Click on scanner
Click on Complete System Scan and the scan will begin.
Clean anything it finds.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close Ewido.

Reboot into normal mode and post the Ewido log. :tazz:

#5
NeueZiel

Posted 26 September 2005 - 11:39 PM

Member

Topic Starter
Member
28 posts

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:36:02 AM, 9/27/2005
+ Report-Checksum: 91532EEB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\TypeLib\\ -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{037C47A1-A5EB-4A81-82DD-7615EF5E7BEE}\TypeLib\\ -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2531390A-1AA6-4F8D-8224-82808F81406E}\TypeLib\\ -> Spyware.eZula : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1229272821-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1229272821-1844823847-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\mike@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Mike\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Mike\Local Settings\Temp\istsv_.exe -> TrojanDownloader.IstBar.ig : Cleaned with backup
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\HHKS176M\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\QF6RY1ER\silent_jocker[1].exe -> TrojanDropper.Agent.vr : Cleaned with backup
C:\Documents and Settings\Mike\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\Documents and Settings\Mike\My Documents\LSLMCLTSetup-dm.exe -> Spyware.Trymedia : Cleaned with backup
C:\RECYCLER\NPROTECT\01660958.EXE -> TrojanDropper.Agent.vr : Cleaned with backup
C:\RECYCLER\NPROTECT\01661088.js -> TrojanDownloader.IstBar.ad : Cleaned with backup
C:\WINDOWS\etb\pokapoka70.exe -> Spyware.EliteBar : Cleaned with backup

::Report End

#6
Rawe

Posted 26 September 2005 - 11:42 PM

Visiting Staff

Member
4,746 posts

Copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

Double-click the file you made and confirm you want to merge it with the registry.

Next..

1) Please download the Killbox by Option^Explicit.

2) Save it to your desktop.

3) Run Killbox.exe.

4) Select "Delete on Reboot".

5) Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\Windows\System32\lockx.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

Reboot.

Post a fresh HiJackThis log once finished. :tazz:

#7
NeueZiel

Posted 26 September 2005 - 11:50 PM

Member

Topic Starter
Member
28 posts

It seems to be reviving itself or something, it just turned off windows firewall, which is what happened when i first got it.

Logfile of HijackThis v1.99.1
Scan saved at 1:55:18 AM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Si Meter\SiMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Madotate\madotate.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\etb\pokapoka70.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1stsearchportal.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.1stsearchportal.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.1stsearchportal.com/sp2.php
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Si Meter] C:\Program Files\Si Meter\SiMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Madotate] C:\Program Files\Madotate\madotate.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\\\etb\\pokapoka70.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104114049189
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by NeueZiel, 26 September 2005 - 11:58 PM.

#8
NeueZiel

Posted 26 September 2005 - 11:59 PM

Member

Topic Starter
Member
28 posts

yeah and I also noticed that there is a tool bar in explorer now .... blah..

I also keep getting pop ups to this and norton keeps denying viruses that keep trying to come

file://localhost/C:/DOCUME~1/Mike/LOCALS~1/Temp/6arab3.html
file://localhost/C:/DOCUME~1/Mike/LOCALS~1/Temp/6arab2.html
file://localhost/C:/DOCUME~1/Mike/LOCALS~1/Temp/6arab4.html

etc..

Edited by NeueZiel, 27 September 2005 - 12:17 AM.

#9
Rawe

Posted 27 September 2005 - 12:21 AM

Visiting Staff

Member
4,746 posts

Ok, let's try this then.

First, delete your current LQfix batch and do this:

Download miekiemoes' LQfix batch here:
LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Update Ewido.

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6 and always go online and update it before you run it).

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

1) Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

Exit the program, we'll run it later.

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Save the .exe file to your desktop, don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site;
http://www.pchell.co.../safemode.shtml

Once in Safe Mode, launch HiJackThis and run a scan with it. Check the following objects for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1stsearchportal.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.1stsearchportal.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.1stsearchportal.com/sp2.php
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\\\etb\\pokapoka70.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe

Close ALL open windows except for HiJackThis and hit FIX CHECKED. Close HJT.

Launch Ad-aware again.

2) Set up the Configurations as follows:

Click the Gear wheel at the top of the Ad-Aware window
Click General > Safety & Settings: Check (Green) all three.
Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

3) Click on "Proceed"
4) Click on "Scan Now"
5) Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6) Select "Search for low-risk threats"
7) Run the scanner using the Full Scan (Perform full system scan) mode.
8) When the scan has completed, select Next.
9) In the Scanning Results window, select the "Scan Summary" tab.
10) Check the box next to every "target family" for removal.
11) Click "Next", Click "OK".
12) Close the program.

Next, please run LQfix.bat

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drive's.
A red dot will mark the selected drive(s) . Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drive's, hit yes to all.

Now open Ewido and do a scan of your system.

Click on scanner
Click on Complete System Scan and the scan will begin.
Clean anything it finds.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close Ewido.

At this point, navigate to and delete the following file if present:

C:\Windows\System32\lockx.exe

Empty recycle bin.

When finished, reboot into normal mode.

Then post the Ewido log here along with a fresh HiJackThis log. :tazz:

#10
NeueZiel

Posted 27 September 2005 - 12:30 AM

Member

Topic Starter
Member
28 posts

Do you know of any other way to download cure it besides ftp?

College internet blocks lots of ports and ftp

#11
NeueZiel

Posted 27 September 2005 - 01:19 AM

Member

Topic Starter
Member
28 posts

hijack this Logfile of HijackThis v1.99.1
Scan saved at 3:18:16 AM, on 9/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Si Meter\SiMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Madotate\madotate.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ati2sgag.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Si Meter] C:\Program Files\Si Meter\SiMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Madotate] C:\Program Files\Madotate\madotate.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104114049189
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-------------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:13:53 AM, 9/27/2005
+ Report-Checksum: 5E4B6137

+ Scan result:

C:\Documents and Settings\Mike\Application Data\Opera\Opera\profile\cache4\opr0GZ47.js -> TrojanDownloader.IstBar.ad : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\21VCTGJE\silent_jocker[1].exe -> TrojanDropper.Agent.vr : Cleaned with backup
C:\Documents and Settings\Mike\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\NPROTECT\01661715.EXE -> TrojanDropper.Agent.vr : Cleaned with backup

::Report End

#12
Rawe

Posted 27 September 2005 - 06:38 AM

Visiting Staff

Member
4,746 posts

Looks pretty good.

Please download and run blacklite
F-Secure Blacklight: http://www.f-secure....light/try.shtml
leave [X]scan through windows explorer checked,
click > scan > If any items are found click > next and reboot.

How to use F-Secure Blacklight
http://www.europe.f-...lacklight/help/

Post a fresh HiJackThis log and let me know how's the system running. :tazz:

#13
NeueZiel

Posted 27 September 2005 - 10:41 AM

Member

Topic Starter
Member
28 posts

without running that blacklight its running back like its overclocked self.

I purposefully downloaded that virus so I could help my sister, who was dumb enough to click on one of those aim worms..

Thanks for the help man, greatly appreciated!

Edited by NeueZiel, 27 September 2005 - 10:42 AM.

#14
Rawe

Posted 28 September 2005 - 06:42 AM

Visiting Staff

Member
4,746 posts

How's things running now? :tazz:

#15
NeueZiel

Posted 28 September 2005 - 08:03 AM

Member

Topic Starter
Member
28 posts

Its running fine, nothing on it at all.

As well as the one at home... LOL

try explaining what you told me to do to a computer illiterate mother for like 2 hours over the phone he he..

Anyways within like... 3 hours my computer will be running even better when I put my new ASUS x800 Pro into it and then it will run even better when I bios mod the card and unlock a total of 16 pipelines and turn it into a x800 XT PE =D

Edited by NeueZiel, 28 September 2005 - 08:04 AM.