-
September 8th, 2005, 10:52 PM
#1
[RESOLVED] Pokapoka??
Was doing a favor for a neighbor today, came across 3 running processes on a WinXP/SP2. Had run TrojanHunter, ewido, AdAware, CWShredder; installed and ran SpywareBlaster and AntiVir. Cleaned out a LOT of junk. These 3, though, stayed: Pokapoka62, pokapoka63, and pokapoka65. Haven't seen these before. Nothing detected them, but they're in plain sight. HJT looked clean otherwise, but that can be deceiving I know. There were no obvious signs of Nail or similar bad boys. Anyone know of these and what they are? I'd have gone online from there, but they had dial-up and I was pressed for time. I'm going back next Tuesday the 13th, can upload info then if I need to. If it means anything, they have AOL, and I was fighting pop-up barrages every 5 minutes after last reboot. Thx in advance.
-
September 9th, 2005, 01:46 AM
#2
From what I can gather searching around they're a newly discovered virus.
Try doing online scans here..
http://housecall.trendmicro.com/
and/or here...
http://www.ravantivirus.com/scan/
to see what they can find.
-
September 9th, 2005, 07:03 AM
#3
Try this.
Please download miekiemoes' LQfix batch here:
http://www.downloads.subratam.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.
It may be best to right-click on the link and select 'Save As' and save it to your desktop.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode.
==
Would be a good idea to post a HijackThis log.
-
September 9th, 2005, 08:46 AM
#4
Thx fink & crunchie, I'll do the LQFix next visit. I thought of Google after posting here (duh), found a French site (http://forum.telecharger.01net.com/t...t_63-393080/me) that had this info. (Faible=low, moyenne=medium, dommage doesn't directly translate; means misfortune.)
kisskool21
Posted on 28/08/2005 14:31:57
Here is the report; I took it from the printable version.
Thanks for your help
Type: Trojan
Alias: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Overall risk rating: Low (Faible)
Reported infections: Low (Faible)
Potential damage (Dommages potentiels): Medium (Moyenne)
Distribution potential: Low (Faible)
Description:
Upon execution, this Trojan creates the folder etb within the Windows folder. It then creates several folders and drops several files within the etb folder. It sets its files and folders to the file attribute hidden to avoid detection.
It also creates a registry entry to enable its automatic execution at every system startup.
This Trojan injects NT_HIDE63.DLL, which is detected by Trend Micro as ADW_ELITEBAR.N, to running processes on the system.
This Trojan opens a search engine and inputs various search strings. It also causes unwanted ads to appear.
Description created: 2005-08-19
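
An added example, not part of any post in this thread or of any tool mentioned in it: a Python triage function over the indicators the thread gives (the pokapoka process names, the etb folder in the Windows directory, and NT_HIDE63.DLL). The process, module and autorun inputs are constructed sample data, and flagging autorun commands that point into the etb folder is an assumption, since the write-up does not name the registry entry.

```python
import os
import re
import stat
import tempfile

# Indicators taken from the thread: pokapoka62/63/65 process names, the hidden
# "etb" folder under the Windows directory, and the injected NT_HIDE63.DLL.
PROCESS_RE = re.compile(r"^pokapoka\d+(\.exe)?$", re.IGNORECASE)
MODULE_NAME = "nt_hide63.dll"
DROP_DIR = "etb"


def triage(windir, process_names, module_names, autoruns):
    """Return a list of (indicator, detail) findings for one machine."""
    findings = []
    # 1. Drop folder under the Windows directory (name compared case-insensitively).
    for entry in os.scandir(windir):
        if entry.is_dir() and entry.name.lower() == DROP_DIR:
            attrs = getattr(entry.stat(), "st_file_attributes", 0)  # Windows only
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            findings.append(("drop_folder", f"{entry.path} hidden={hidden}"))
    # 2. Running processes named like the ones in the first post.
    for name in process_names:
        if PROCESS_RE.match(name):
            findings.append(("process", name))
    # 3. The DLL the write-up says is injected into running processes.
    for mod in module_names:
        if os.path.basename(mod.replace("\\", "/")).lower() == MODULE_NAME:
            findings.append(("module", mod))
    # 4. Autorun values whose command points into the drop folder (assumption).
    marker = "\\" + DROP_DIR + "\\"
    for value, command in autoruns.items():
        if marker in command.lower():
            findings.append(("autorun", f"{value} -> {command}"))
    return findings


def demo():
    """Run the triage over constructed sample data and a temporary directory."""
    with tempfile.TemporaryDirectory() as windir:
        os.mkdir(os.path.join(windir, "ETB"))
        return triage(
            windir,
            ["explorer.exe", "pokapoka63.exe", "svchost.exe"],
            [r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\etb\NT_HIDE63.DLL"],
            {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
             "example": r"C:\WINDOWS\etb\example.exe"},  # constructed value
        )
```

On a live machine the lists would come from a process listing, a loaded-module listing and an export of the startup registry values; the hidden flag is only reported on Windows.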
-
September 16th, 2005, 05:24 PM
#5
This is the Elite Toolbar
This is the Elite Toolbar. Go to the website listed below and install the Elite Tool Bar Removal tool. Be sure to run the update option from the FILE menu before you run the scan. Also boot your PC into Safe Mode and run the tool...
http://www.softpedia.com/get/Interne...-Remover.shtml
I remove this Spyware all the time with this tool and it works every time....
Bulldog
-
September 16th, 2005, 07:02 PM
#6
Thx Bulldog, I'll give it a try next time I run into it. I was at the "patient's" house today. Found folder "etb" hidden in Windows and deleted it, then ran ewido, Registry Mechanic and AdAware in Safe mode. I finished with an HJT scan which showed no trace of it, so I restarted into Normal mode, scanned again, restarted once more then scanned one last time. It was gone as of 3:30 today. Haven't found anything more online about it, so maybe it's not as bad as I thought. Never saw EliteToolbar in Add/Remove Programs list as I'd expected to.
-
September 27th, 2005, 10:44 AM
#7
LQfix removed pokapoka
Thanks crunchie! LQfix removed pokapoka.
"Elite Toolbar Removal Tool" did not work for me.
-
October 7th, 2005, 12:35 AM
#8
PokaPoka
Thanks for the tips on removing PokaPoka.
For some reason, it managed to slow my internet connection down to 7kps (from 51.2). After removing, it's been running like new again.
**Update**
It didn't work, it came back.
I give up, I can't get rid of this.. I'm going to format the computer.
Last edited by Artaijo; October 7th, 2005 at 09:16 PM.
-
October 7th, 2005, 11:56 PM
#9
Thanks for the info on LQfix..... worked like a charm!
-
October 8th, 2005, 10:47 AM
#10
UPDATE
Have used LQFix for two clients since it was suggested. Seems to work just fine! Thanks again.