Logfile of HijackThis v1.99.1
Scan saved at 19:14:50, on 2005-09-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
D:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\htpatch.exe
C:\Program\ISTsvc\istsvc.exe
C:\WINDOWS\etb\pokapoka67.exe
D:\Program\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\cmd.exe
D:\Program\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Download\HijackThis.exe
D:\Program\TRENDM~1\INTERN~1\TSC.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clickhere4search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.clickhere4search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.clickhere4search.com/sp2.php
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows Installer] C:\WINDOWS\System32\ntdll.exe
O4 - HKLM\..\Run: [Windows Spooler] C:\WINDOWS\System32\spoolsv32.exe
O4 - HKLM\..\Run: [Windows DLL Host] C:\WINDOWS\System32\dllhost32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [yRp9fgD] C:\WINDOWS\yreurbjh.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [AWMON] "D:\Program\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125444159436
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://81.163.188.10/AxisCamControl.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\Program\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\Program\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: wampapache - Unknown owner - d:\wamp\apache\Apache.exe" --ntservice (file missing)
O23 - Service: wampmysqld - Unknown owner - d:\wamp\mysql\bin\mysqld-nt.exe
Trend Micro PC-Cillin keeps telling me that C:\WINDOWS\etb\xud_67.dll is the trojan TROJ_POKAPOKA.D and that it has deleted it over and over again..
However, If I run a scan it cant find anything.
If i have SpyBot TeaTimer running, my screen get's filled with regestry-changes.
Ad-aware's Ad-Watch also get spammed.
If I scan with Ad-Aware, I get a "restart in 60 seconds"-error in C:\WINDOWS\SYSTEM32\services.exe as soon as it identyfies a module.
With SpyBot I can clean some adware and the rest on the next startup.
Both Ad-Aware and SpyBots windows-styled buttons, radiobuttons, checkboxes and such have dissapeared or been moved so it gets har to use the programs.
And also SpyBot has recently become totaly unuseful due just about everything seems to generate a memory error.
cmd.exe uses alot of CPU and TSC.EXE uses alot of CPU and Memory.
Also I sometimes get a popup or two.
Note that all **** comes back no matter how many diffrent methods I use to delete and remove both files and registrvalues.
I think that's all info I can get you.. hopefully you can help, I realy don't feel like useing "the complete clean method" =P
Scan saved at 19:14:50, on 2005-09-16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
D:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\htpatch.exe
C:\Program\ISTsvc\istsvc.exe
C:\WINDOWS\etb\pokapoka67.exe
D:\Program\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\cmd.exe
D:\Program\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Download\HijackThis.exe
D:\Program\TRENDM~1\INTERN~1\TSC.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clickhere4search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.clickhere4search.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.clickhere4search.com/sp2.php
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Windows Installer] C:\WINDOWS\System32\ntdll.exe
O4 - HKLM\..\Run: [Windows Spooler] C:\WINDOWS\System32\spoolsv32.exe
O4 - HKLM\..\Run: [Windows DLL Host] C:\WINDOWS\System32\dllhost32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [yRp9fgD] C:\WINDOWS\yreurbjh.exe
O4 - HKLM\..\Run: [System service66] C:\WINDOWS\etb\pokapoka66.exe
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [System service67] C:\WINDOWS\etb\pokapoka67.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [AWMON] "D:\Program\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125444159436
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://81.163.188.10/AxisCamControl.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - D:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - D:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - D:\Program\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\Program\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: wampapache - Unknown owner - d:\wamp\apache\Apache.exe" --ntservice (file missing)
O23 - Service: wampmysqld - Unknown owner - d:\wamp\mysql\bin\mysqld-nt.exe
Trend Micro PC-Cillin keeps telling me that C:\WINDOWS\etb\xud_67.dll is the trojan TROJ_POKAPOKA.D and that it has deleted it over and over again..
However, If I run a scan it cant find anything.
If i have SpyBot TeaTimer running, my screen get's filled with regestry-changes.
Ad-aware's Ad-Watch also get spammed.
If I scan with Ad-Aware, I get a "restart in 60 seconds"-error in C:\WINDOWS\SYSTEM32\services.exe as soon as it identyfies a module.
With SpyBot I can clean some adware and the rest on the next startup.
Both Ad-Aware and SpyBots windows-styled buttons, radiobuttons, checkboxes and such have dissapeared or been moved so it gets har to use the programs.
And also SpyBot has recently become totaly unuseful due just about everything seems to generate a memory error.
cmd.exe uses alot of CPU and TSC.EXE uses alot of CPU and Memory.
Also I sometimes get a popup or two.
Note that all **** comes back no matter how many diffrent methods I use to delete and remove both files and registrvalues.
I think that's all info I can get you.. hopefully you can help, I realy don't feel like useing "the complete clean method" =P