I found this thread after doing some google searches for a goofy bug I've got.
http://daniweb.com/techtalkforums/thread30034.html

I'm getting the usual popup advertisments and have a search bar that won't budge with Adaware, Spybot, etc.

I've run HiJackThis and am trying to find the files talked about in the above post but I can't locate them in System32 even if I've got Show Hidden Folders selected.

O4 - HKLM\..\Run: [System service70]C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitervm32.exe

Any info would be greatly appreciated. Thanks
-T


Here's my entire HJT log fwiw:

Logfile of HijackThis v1.99.1
Scan saved at 3:12:36 PM, on 9/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitervm32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?920319057858
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Hi,
Download LQfix.exe and place it on your desktop.
Doubleclick LQfix.exe and click install.
Leave the default settings. If you change them, the fix will fail.
Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.


Download Ewido and install it. Then run, you will receive a warning message saying "Database not found", click "OK" for this. Next in the main screen, click "Update" and click "Start Update".
After the update process, click on the "Scanner" button in the left menu, then click on the "Complete System Scan" button.
If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.

After this, post a fresh HijackThis log along with the Ewido log.

Thanks for taking the time to help me out. I'll go ahead and do that tomorrow morning and get back.

-T

Thanks guys! It worked for me.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.