Eeeek! It's a spyware epidemic!



tony_young480
05-10-2005, 02:43 PM
My friend's computer just suffered a major spyware epidemic. However, after running Spybot (100 and something spyware programs), I saw some suspicious files in the startup: systm.pif, updates.pif, pokapoka73.exe, and a toolbar remained on IE; it had no particular name, and when I right-click it comes up with every toolbar name except that one. Hopefully, HijackThis will cure all those evil spyware programs.

Anyone know what systm.pif, updates.pif, pokapoka73.exe, zqltxd.exe, Xsyn.pif and spoollv.exe are?

P.S. You guys should really upgrade vBulletin!

Speedy Gonzales
05-10-2005, 02:57 PM
Some trojans/viruses, depending on what it is, just create random filenames.

That's what those files are, most probably.

Looks like spoollv.exe is part of some adware or trojan.

I would do a scan with HijackThis and tick those entries (and maybe others), and reboot.

tony_young480
05-10-2005, 03:03 PM
Here's my log if anyone needs to see it:

Logfile of HijackThis v1.99.1
Scan saved at 3:01:03 p.m., on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\rising\rav\CCenter.exe
C:\Program Files\rising\rav\RavMonD.exe
C:\WINDOWS\spoollv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\systm.pif
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\updates.pif
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\etb\pokapoka73.exe
C:\WINDOWS\System32\ctfmon.exe
c:\merijn.org\hijackthis\hijackthis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: μ?Ве(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\\\etb\\pokapoka73.exe
O4 - HKLM\..\RunServices: [RavMon] C:\Program Files\rising\rav\RavMon.exe /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5264FFD8-991E-489D-8684-F7D44034D440}: NameServer = 202.27.184.3,202.27.184.5
O23 - Service: Rising Process Communication Center (RsCCenter) - rising - C:\Program Files\rising\rav\CCenter.exe
O23 - Service: Rising Realtime Monitor Service (RsRavMon) - rising - C:\Program Files\rising\rav\RavMonD.exe

RsRavMon is an antivirus program, along with anything else that starts with Rav or rising.

P.S. Those weird startup entries just won't go away!
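The kind of triage Speedy Gonzales describes can be scripted: flag lookalike names (spoollv.exe next to the real spoolsv.exe), .pif files that are running as programs, and executables living outside the usual system folders. This is an added example, not code from the thread or from HijackThis; the allow-list, the trusted folders, the 0.8 similarity cutoff and the sample log lines are all constructed for it.

```python
import re
from difflib import SequenceMatcher

# Core Windows process names malware likes to imitate (allow-list constructed for this example).
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "conime.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|pif|com|scr))\b", re.IGNORECASE)

# Constructed sample in HijackThis v1.99 format, modelled on the entries in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\spoollv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\systm.pif
C:\WINDOWS\etb\pokapoka73.exe
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\\\etb\\pokapoka73.exe
O4 - HKLM\..\RunServices: [RavMon] C:\Program Files\rising\rav\RavMon.exe /AUTO
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

def lookalike(name):
    """Core process name that `name` closely resembles (spoollv -> spoolsv), or None."""
    best = max(KNOWN_SYSTEM, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= 0.8 else None

def reasons_for(folder, name):
    """Heuristic checks on one executable; returns the set of reasons it looks odd."""
    reasons = set()
    if name.endswith(".pif"):                      # a .pif is a shortcut, not a program
        reasons.add("pif extension running as a program")
    if not folder.startswith(TRUSTED_DIRS) and name not in KNOWN_SYSTEM:
        reasons.add("unusual location")
    twin = None if name in KNOWN_SYSTEM else lookalike(name)
    if twin:
        reasons.add("lookalike of " + twin)
    return reasons

def analyze(log):
    """Map each executable named in the log to the reasons it merits a closer look."""
    findings = {}
    for line in log.splitlines():
        m = PATH_RE.search(line)
        if m:
            # Collapse doubled backslashes (as in the O4 line), lowercase, split folder/name.
            path = re.sub(r"\\+", r"\\", m.group(1)).lower()
            folder, _, name = path.rpartition("\\")
            for reason in reasons_for(folder, name):
                findings.setdefault(name, set()).add(reason)
    return findings
```

Entries such as Explorer.EXE in C:\WINDOWS are left alone because the name is on the allow-list, which is why the list matters more than the folder check.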

Metla
05-10-2005, 03:10 PM
heh heh heh

pokapoka was spawned by satan.

Battled this one last week, hit it with everything: ripped half the gizzards out of it with HijackThis, stomped it with NOD32 and ewido, tickled it with Spybot and Ad-Aware, not to mention a fair bit of manual configuration and heavy-handed deleting, process killing and registry editing.

Got rid of it in the end; don't quite know how, though.

Good luck.

tony_young480
05-10-2005, 03:14 PM
Heh... My computer got infected with pokapoka too... I scanned it with Spybot and badda-bing, badda-boom, it was gone!

Metla
05-10-2005, 03:17 PM
It's listed as a running service in your HijackThis log.

Reboot and check again.

tony_young480
05-10-2005, 03:18 PM
I found a solution... The elitebar remover from simplytech.it! Well... that's what it said from the broadband reports website. Now I have a whole floppy disk full of spyware removal goodies!

pctek
05-10-2005, 03:19 PM
My friend's computer just suffered a major spyware epidemic, however, after running Spybot (100 and something spyware programs),
Nah, that's nothing. My record for a customer's PC was 1069.

Metla
05-10-2005, 03:21 PM
I found a solution... The elitebar remover from simplytech.it! Well... that's what it said from the broadband reports website. Now I have a whole floppy disk full of spyware removal goodies!

Now I remember how I removed it: I uninstalled the toolbar... DOH.

Prescott
05-10-2005, 03:33 PM
I removed 774 viruses once from a friend's computer. They were some quite nasty ones: all the Netsky ones, MyDoom... man, that was slow...

Safari
05-10-2005, 03:36 PM
I found a solution... The elitebar remover from simplytech.it! Well... that's what it said from the broadband reports website. Now I have a whole floppy disk full of spyware removal goodies!

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/EliteToolbar-Remover.shtml

godfather
05-10-2005, 03:37 PM
http://www.broadbandreports.com/forum/remark,14451579

Has a removal tool for it.