Author Topic: pokapoka63  (Read 1522 times)

Offline esdeedee

  • Newbie
  • Posts: 3
  • Karma: +0/-0
pokapoka63
« on: August 31, 2005, 12:06:04 PM »
Help!!!
Based on the prior posts on the subject of hijackers, I've been trying to fix my problem. I can't seem to get past the Hijack this process. I know the problem is in the registry file but can't stop it from reloading.

Since this is my work PC I'd rather not let the Network Administrator know about this. :unsure:
I am not the administrator so I wasn't able to restart in safe mode either.

Thanks

Here's my most recent log file after a restart:
-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:52:25 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\etb\pokapoka63.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\sdorsey.IDTMARKETING\Desktop\removaltools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://msdn.microsoft.com/vfoxpro/downloads/updates.asp
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://clk.atdmt.com
O15 - Trusted Zone: http://s7.Website Removed.com
O15 - Trusted Zone: http://toolbar.msn.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.photobucket.com
O15 - Trusted Zone: http://www.tickercentral.com
O15 - Trusted Zone: http://*.us.rd
O15 - Trusted Zone: http://s42.yousendit.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123169884502
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idtmarketing.com
O17 - HKLM\Software\..\Telephony: DomainName = idtmarketing.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = idtmarketing.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idtmarketing.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

---------------
« Last Edit: August 31, 2005, 12:21:14 PM by esdeedee »

Offline esdeedee

  • Newbie
  • Posts: 3
  • Karma: +0/-0
pokapoka63
« Reply #1 on: August 31, 2005, 01:48:55 PM »
:unsure:

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
pokapoka63
« Reply #2 on: August 31, 2005, 09:00:05 PM »
There are no guarantees this will work without you having Administrative privileges
But try the following

Download LQfix.exe and place it on your desktop.
Doubleclick LQfix.exe and click install.
This will create a new folder called LQfix on your desktop.
Open the folder and doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.

Afterwards, run Hijackthis again and post a fresh log
« Last Edit: August 31, 2005, 09:19:20 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline esdeedee

  • Newbie
  • Posts: 3
  • Karma: +0/-0
pokapoka63
« Reply #3 on: September 01, 2005, 08:44:55 PM »
I downloaded & ran LQfix.exe. Then I re-ran Hijackthis and here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:55 PM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\imapi.exe
C:\Documents and Settings\sdorsey.IDTMARKETING\Desktop\removaltools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://msdn.microsoft.com/vfoxpro/downloads/updates.asp
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://clk.atdmt.com
O15 - Trusted Zone: http://s7.Website Removed.com
O15 - Trusted Zone: http://toolbar.msn.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.photobucket.com
O15 - Trusted Zone: http://www.tickercentral.com
O15 - Trusted Zone: http://*.us.rd
O15 - Trusted Zone: http://s42.yousendit.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123169884502
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = idtmarketing.com
O17 - HKLM\Software\..\Telephony: DomainName = idtmarketing.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = idtmarketing.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = idtmarketing.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


NO more pokapoka63
But before I do the happy dance, is that it?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
pokapoka63
« Reply #4 on: September 02, 2005, 08:46:14 AM »
I don't see any part of Yahoo toolbar installed

I would fix these next entries if Yahoo is not intentionally set up as the default search engine

Run another scan with Hijackthis and put a tick next to the following items

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com

O15 - Trusted Zone: http://*.us.rd


Also, remove any other items in the O15 entries if you didn't intentionally add them to your trusted sites

If possible
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well

If you can't install them, you should have the Administrator do it

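As an added example (not part of this thread, and not code from HijackThis or its authors), here is a small Python parser that reads lines in the HijackThis log format shown above and does by script what guestolo's two replies do by eye: it flags O4 registry Run entries whose binary sits outside the usual program directories (the C:\WINDOWS\etb location in the first log is the case in point), separates wildcard O15 Trusted Zone entries such as http://*.us.rd from fully specified ones, and diffs two scans so you can confirm what a fix actually removed. The log excerpts are constructed from entries quoted in the thread; the allowlist of expected directories is a heuristic assumption for this example, not a HijackThis rule.

```python
"""Parse HijackThis-style log lines and review O4 / O15 entries.

Added example for the thread above; not part of HijackThis. The log text
below is a constructed subset of the two logs posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the first log (before the fix was run).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O15 - Trusted Zone: http://clk.atdmt.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://*.us.rd
"""

# Constructed excerpt of the second log (after the fix was run).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
O4 - Global Startup: Microsoft Office.lnk.disabled
O15 - Trusted Zone: http://clk.atdmt.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://*.us.rd
"""


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "O15", "R1"
    detail: str   # everything after "O4 - "


LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# Registry autostart lines look like: HKLM\..\Run: [value name] command
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
# First token of the command, with or without surrounding quotes, up to .exe
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
ZONE_RE = re.compile(r"^Trusted Zone: (?P<url>\S+)$")

# Heuristic assumption for this example: autostart binaries on an XP-era
# machine are expected under one of these roots. Anything else gets a look.
EXPECTED_ROOTS = (r"c:\windows\system32", r"c:\program files")


def parse_log(text: str) -> list[Entry]:
    """Turn the section lines of a HijackThis log into Entry objects."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["detail"]))
    return entries


def suspicious_autostarts(entries: list[Entry]) -> list[tuple[str, str]]:
    """(value name, command) for O4 Run entries whose binary is outside EXPECTED_ROOTS."""
    flagged = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.detail)
        if not m:
            continue  # Global Startup .lnk lines are not registry Run values
        p = EXE_RE.match(m["cmd"])
        path = (p["path"] if p else m["cmd"]).lower()
        if not any(path.startswith(root + "\\") for root in EXPECTED_ROOTS):
            flagged.append((m["name"], m["cmd"]))
    return flagged


def trusted_zone_review(entries: list[Entry]) -> tuple[list[str], list[str]]:
    """Split O15 Trusted Zone URLs into wildcard/partial hosts and explicit ones."""
    wildcard, explicit = [], []
    for e in entries:
        if e.section != "O15":
            continue
        m = ZONE_RE.match(e.detail)
        if not m:
            continue
        url = m["url"]
        host = url.split("://", 1)[-1]
        (wildcard if "*" in host else explicit).append(url)
    return wildcard, explicit


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries removed and added between two scans, order-insensitive."""
    b, a = set(parse_log(before)), set(parse_log(after))
    removed = sorted(f"{e.section} - {e.detail}" for e in b - a)
    added = sorted(f"{e.section} - {e.detail}" for e in a - b)
    return removed, added


if __name__ == "__main__":
    first = parse_log(LOG_BEFORE)
    print("Autostarts outside expected roots:", suspicious_autostarts(first))
    print("Wildcard trusted zones:", trusted_zone_review(first)[0])
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed by fix:", removed)
    print("New since fix:", added)
```

Run it against two full logs saved from HijackThis and the "Removed by fix" list is the evidence that the Run value really is gone after a reboot, while "New since fix" surfaces anything that appeared in the meantime, such as the Yahoo search entries guestolo asks about. The allowlist is deliberately narrow; a legitimate program launching from an unusual directory will be flagged too, which is the right failure mode for a review list, since the point is to look, not to delete automatically.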


Offline FightBackAgainstSpyware

  • Newbie
  • Posts: 1
  • Karma: +0/-0
pokapoka63
« Reply #5 on: September 08, 2005, 01:55:14 PM »
http://www.EnternetMedia.com/

This is the company that made the spyware.

Just call their advertising department and tell them off, cause they deserve it.

They will mail you an uninstall file.


---


This software is EXTREMELY INTRUSIVE!  It attaches itself to your system files so that once loaded into memory it cannot be simply removed and deleted.
If you attempt to delete from DOS then you won't be able to remove it from Windows services that are not accessible from DOS.


---


Registrant:
Domains by Proxy, Inc.

DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com (http://www.godaddy.com)
Domain Name: ENTERNETMEDIA.COM
Created on: 22-Mar-04
Expires on: 22-Mar-06
Last Updated on: 19-Sep-04

Administrative Contact:
Private, Registration [email protected]
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599
Technical Contact:
Private, Registration [email protected]
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599



---


This is the company that their web hosting is done through.

Call them and give a full report on what their software has done to your PC and ask that their account be terminated.

We need to take a reactive stance on spyware.  It is time for these attacks to end!

The GOOD thing about spyware is that they all need clients to make money which means they have a way to be contacted.

You can find them through whois lookups.


---


I suggest that anyone who is upset about how these people have wasted your time and aggravated you with popup windows stealing focus from whatever you were doing, copy this post and go search Google for "pokapoka62 forum" and post it as a response in several forums.  Get the word out there about who is doing this and how to stop them.

Copy this to notepad and save it.