Help, virus problem not detected by avast

Help. My computer has been infected by a virus. My son was trying to read his email and AVAST kept saying there was a virus. The numbskull shut down avast and firewall and installed a game attached to the email.

Now my laptop is screwed. :-[

Avast doesn’t detect anything, and in fact got shut down. It installed some kind of app (according to regedit in the run section) called pokepoke64.exe or s.th. like that and some kind of spyware crap too, surf sentry or s.th…

The thing keeps re-appearing. I’ve logged in to safe mode as Admin and tried scanning with avast and adaware but it doesn’t remove it or find it. There are some other strange entries too in the registry (see http://www.bungert.co.uk/stephen/Reg.GIF). Also, windows keep appearing from empnads.com and www.advnt01.com with porn crap. Also my PC shuts down after a minute because some process gets shut down that windows needs. This can’t be that blaster worm problem. I have the patch for that from MS.

Is there any way to remove it, or where can I send this ‘game’ to? I’d like s.o. at avast to ‘play’ with it.

Stephen Bungert
Windows XP home SP2
256MB RAM
AVAST 4.6.691


Now all kinds of viruses and trojans are getting downloaded, there’s also a strange toolbar in internet explorer.

I don’t want to have to re-install windows. I already have to do that to my wife’s PC, she has a similar problem with popping up window porn and now a slow computer too.

Someone please help.

Win32:Dialer-410 [Trj]
This virus keeps downloading itself every few minutes

  1. UNPLUG your internet cable before your PC gets more messed-up.
  2. From another PC download ewido security suite & Microsoft antispyware & install it on the infected PC (you’ll find links at http://spyros.atspace.com)
  3. Make a boot-time scan with avast, then scan with the other two (better in safe mode).
  4. Submit any findings to virus@avast.com in a password protected file, don’t forget to include the password in the mail’s body.
  5. Report any findings in this thread.

PS: Also scan with hijackthis and post the log file.

Remove the infected file link.

And you should never post an infected link again for obvious reasons.

Sorry about that.

Scanned with avast at boot. Found nothing.

Scanned with ewido which found and removed over 70 infected items.

Scanned with MS Anti-Spyware. 4 items found.

Entry in run (System service66, C:\WINDOWS\etb\pokapoka66.exe) is still there. Tried with AdAware. It couldn’t remove this either. Keeps re-appearing at every boot.

www.bungert.co.uk/stephen/VIRUSPROBLEM.zip Log files

I’ll send the source of the viruses to ALWIL

A system service has been created that has higher rights than the administrator, so you can’t remove it. Seems to be generated by a rootkit at very low level.

Ewido is able to remove rootkits (as I found out). Please also send the pokapoka file to them (automated process if in the quarantine folder). They frequently update and might come with a solution.

I’ve no idea what a root kit is. Are you saying the only way to remove it is to re-install windows?

No, don’t reformat as yet.

There is another, very well hidden program on your computer that acts during startup.

You might try with HijackThis to remove the registry keys involved, but they will probably come back.

What is the result of scanning again with Ewido in the windows safe mode?

Remember to disable the System Restore, so the viruses are not restored.

http://en.wikipedia.org/wiki/Rootkit

If you have got a rootkit or two then your PC security has been compromised. Ideally you should back up everything important, make sure they are clean and format your hard drive.

Remember to disable the System Restore, so the viruses are not restored.

With Ewido Security Suite it does not seem necessary to disable XP system restore. Although there is still no manual, it is pretty clear that the program goes “where no human user could go before”. As with Kaspersky AV, a system crash may occur, but dead they are. Even if hidden in the File Allocation Tables.
Of course, there are more security programs today with such capabilities. Especially designed to deal with Trojan technology and not meant as a replacement for ordinary virus scanners 8)

Stephen Bungert,
I just took a look at your log files. Try fixing these two entries with HijackThis:

O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
C:\WINDOWS\etb\pokapoka61.exe
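
As an added illustration (not code from this thread or from HijackThis itself): a small Python triage of the O4 autostart lines in a HijackThis log, using the entry quoted above. Apart from that entry the sample log is constructed, and the rule that autostart binaries under C:\WINDOWS belong only in the root or system32 is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# O4 lines list autostart entries: "O4 - <hive>\..\<key>: [<value name>] <command>".
# The optional backslash tolerates logs where forum software ate it ("HKLM..\Run").
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Assumption of this example: autostart binaries under the Windows directory
# normally sit in its root or in system32; any other subfolder deserves a look.
EXPECTED_WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# Constructed sample log; only the "System service66" entry comes from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def exe_path(cmd):
    """Return the executable path from a Run command (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_o4(log_text):
    """Parse every O4 line into hive, key, value name, command and exe path."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["exe"] = exe_path(entry["cmd"])
            entries.append(entry)
    return entries

def suspicious(entries):
    """Flag entries whose binary lives in an unexpected Windows subfolder."""
    flagged = []
    for e in entries:
        parent = str(PureWindowsPath(e["exe"]).parent).lower()
        if parent.startswith("c:\\windows\\") and parent not in EXPECTED_WINDOWS_DIRS:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in suspicious(parse_o4(SAMPLE_LOG)):
        print(f'{e["hive"]} {e["key"]}: [{e["name"]}] -> {e["exe"]}')
```

A flagged entry is only a lead for manual review: the value name and path still have to be checked against what is actually installed on the machine.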

Hi Stephen

I find the best way of removing garbage like this is to just search Google with the file name (that’s the hard bit you’ve done, finding the name) in quotes “pokapoka61.exe”.
This way you’ll find real help from people that have removed the actual virus rather than guessing or just recommending their favourite spyware program!

See this post. It helped this guy… http://forums.spywareinfo.com/lofiversion/index.php/t55362.html

Also search 'remove “pokapoka61.exe”' and that kinda thing, soon you’ll find out how to get rid

Good luck
Andy :slight_smile: