TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Nate on April 05, 2005, 05:15:44 AM
-
Logfile of HijackThis v1.99.1
Scan saved at 3:04:41 AM, on 4/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Naythin\Local Settings\Temporary Internet Files\Content.IE5\QDTQJYX0\stinger[1].exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Naythin\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AFF89AB2-2807-4B12-AD4C-5743E6F9E3C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D2TradeHack] C:\WINDOWS\System32\D2TradeHack.exe
O4 - HKLM\..\Run: [ShowNews] C:\Program Files\EstelleReyna\Updater.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Tnf] C:\WINDOWS\System32\Drm.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [Ren] C:\WINDOWS\Hgl.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Tnf] C:\WINDOWS\System32\Drm.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Ren] C:\WINDOWS\Hgl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: http://www.big-search.org/best.php?url=
O13 - WWW Prefix: http://www.big-search.org/best.php?url=
O13 - Home Prefix: http://www.big-search.org/best.php?url=
O13 - Mosaic Prefix: http://www.big-search.org/best.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: D2TradeHack - C:\WINDOWS\SYSTEM32\D2TradeHack.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
-
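As an added example (not from the thread, and not HijackThis code), a Python triage script that parses the R0/R1, O1, O2, O4, O13, O15 and O20 lines of a HijackThis 1.99 log like the ones posted here and flags what a helper looks for: several IE start/search settings pointing at one host, a res:// search bar, hosts-file redirects, trusted-zone additions, a Winlogon Notify DLL, and one command registered under several Run keys. The sample log is a constructed extract modelled on the thread's logs; the category names, severities and the three-settings threshold are the example's own choices.

```python
"""Triage a HijackThis 1.99 log the way a forum helper reads it: parse the
R0/R1, O1, O2, O4, O13, O15 and O20 entry types and flag the patterns that
point to a browser hijack or an unwanted autorun."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a short extract modelled on the log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Naythin\LOCALS~1\Temp\sp.dll/sp.html
O1 - Hosts: auto.search.msn.com 127.0.0.1127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O2 - BHO: (no name) - {AFF89AB2-2807-4B12-AD4C-5743E6F9E3C6} - (no file)
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O13 - DefaultPrefix: http://www.big-search.org/best.php?url=
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 66.197.161.149
O20 - Winlogon Notify: D2TradeHack - C:\WINDOWS\SYSTEM32\D2TradeHack.dll
"""

ENTRY_RE = re.compile(r"^(?P<type>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
IE_URL_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>\S.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    category: str
    detail: str


def parse_entries(log_text):
    """Yield (type, body) for every R*/O* line; the header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("type"), m.group("body")


def triage(log_text, min_shared_settings=3):
    """Return the list of findings for one log."""
    findings = []
    ie_hosts = Counter()  # host -> number of IE start/search settings pointing at it
    autorun_locations = defaultdict(set)  # command -> hive\key locations it is registered in

    for etype, body in parse_entries(log_text):
        if etype in ("R0", "R1"):
            m = IE_URL_RE.match(body)
            if m:
                key, value = m.group("key").strip(), m.group("value")
                url = urlparse(value)
                if url.scheme == "res":
                    # A search bar served from a DLL in a Temp folder is never a default.
                    findings.append(Finding("high", "ie-settings", f"{key} loads a local page: {value}"))
                elif url.hostname:
                    ie_hosts[url.hostname.lower()] += 1
        elif etype == "O1":
            m = HOSTS_RE.match(body)
            if m:
                findings.append(Finding("medium", "hosts-file", f"{m.group('name')} pinned to {m.group('ip')}"))
            else:
                # HijackThis prints hosts lines that lack a line break run together; keep them visible.
                findings.append(Finding("low", "hosts-file", f"unparsed hosts entry: {body}"))
        elif etype == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", "bho", f"orphaned BHO registration: {body}"))
        elif etype == "O4":
            m = RUN_RE.match(body)
            if m:
                autorun_locations[m.group("cmd").lower()].add(f"{m.group('hive')}\\{m.group('key')}")
        elif etype == "O13":
            # Any O13 line means IE prepends this URL to addresses typed without a scheme.
            findings.append(Finding("high", "ie-prefix", f"URL prefix hijack: {body}"))
        elif etype == "O15":
            findings.append(Finding("medium", "trusted-zone", body))
        elif etype == "O20":
            findings.append(Finding("high", "winlogon-notify", body))

    for host, n in ie_hosts.items():
        if n >= min_shared_settings:
            findings.append(Finding("high", "ie-settings", f"{n} IE start/search settings point at {host}"))
    for cmd, locs in autorun_locations.items():
        if len(locs) > 1:
            findings.append(Finding("high", "autorun",
                                    f"{cmd} registered in {len(locs)} autorun keys: {', '.join(sorted(locs))}"))
    return findings


def count_by_category(findings):
    """Map each category to the number of findings in it."""
    return dict(Counter(f.category for f in findings))
```

Running `triage(SAMPLE_LOG)` flags the three big-search.org settings as one finding, the res:// search bar, both hosts redirects plus the run-together hosts line, the orphaned BHO, the prefix hijack, both trusted-zone lines, the Winlogon Notify DLL, and ntddetect.exe as registered in three Run keys.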
Can you please save Hijackthis to a permanent folder
Can I also have you register on the forum
Thanks
Please Read This (http://www.thetechguide.com/forum/index.php?showtopic=14623)
After registering, please supply a fresh Hijackthis log to this post
-
Logfile of HijackThis v1.99.1
Scan saved at 2:25:13 PM, on 4/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\D2TradeHack.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ntddetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Naythin\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
O1 - Hosts: auto.search.msn.com 127.0.0.1127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.traffic2cash.biz
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 www.iframedollars.biz
O1 - Hosts: 127.0.0.3 iframedollars.biz
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AFF89AB2-2807-4B12-AD4C-5743E6F9E3C6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D2TradeHack] C:\WINDOWS\System32\D2TradeHack.exe
O4 - HKLM\..\Run: [ShowNews] C:\Program Files\EstelleReyna\Updater.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: http://www.big-search.org/best.php?url=
O13 - WWW Prefix: http://www.big-search.org/best.php?url=
O13 - Home Prefix: http://www.big-search.org/best.php?url=
O13 - Mosaic Prefix: http://www.big-search.org/best.php?url=
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: D2TradeHack - C:\WINDOWS\SYSTEM32\D2TradeHack.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
-
Can you please
download startdreck.zip (http://www.niksoft.at/php/dl.php?f=startdreck.zip)
UNZIP to a folder. DoubleClick: 'StartDreck.exe'
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post this log
Copy and Paste the contents of that log back here
Could you also
Download and save to Desktop DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button
Post back this log
Along with a fresh Hijackthis log
-
StartDreck Log:
`InprocServer32=C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+408=\SystemRoot\System32\smss.exe
+464=\??\C:\WINDOWS\system32\csrss.exe
+496=\??\C:\WINDOWS\system32\winlogon.exe
+540=C:\WINDOWS\system32\services.exe
+552=C:\WINDOWS\system32\lsass.exe
+712=C:\WINDOWS\system32\svchost.exe
+764=C:\WINDOWS\System32\svchost.exe
+844=C:\WINDOWS\System32\svchost.exe
+872=C:\WINDOWS\System32\svchost.exe
+1052=C:\WINDOWS\system32\spoolsv.exe
+1244=C:\WINDOWS\System32\svchost.exe
+1304=C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
+1584=C:\WINDOWS\system32\D2TradeHack.exe
+1780=C:\WINDOWS\Explorer.EXE
+1940=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
+1956=C:\Program Files\iTunes\iTunesHelper.exe
+1964=C:\WINDOWS\System32\ntddetect.exe
+2012=C:\Program Files\interMute\SpySubtract\SpySub.exe
+228=C:\Program Files\iPod\bin\iPodService.exe
+252=C:\WINDOWS\System32\x3yy\anlogefj.exe
+1520=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+1464=C:\StartDreck\StartDreck.exe
»Application specific
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,247 items found: 1,247 files (1 H/S), 0 directories.
Total of file sizes: 262,280,797 bytes 250.13 M
Administrator Account = True
--------------------End log---------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:50:41 PM, on 4/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\D2TradeHack.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ntddetect.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\StartDreck\StartDreck.exe
C:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rockclimbing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Naythin\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [D2TradeHack] C:\WINDOWS\System32\D2TradeHack.exe
O4 - HKLM\..\Run: [ShowNews] C:\Program Files\EstelleReyna\Updater.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O20 - Winlogon Notify: D2TradeHack - C:\WINDOWS\SYSTEM32\D2TradeHack.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
-
Can you go back and set Startdreck to the settings I asked and post back the whole log
Thanks
-
Sorry, must have not refreshed after doing the config.
StartDreck (build 2.1.7 public stable) - 2005-04-05 @ 22:20:14 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Naythin at MAFIA-CQJWXACFS
»Registry
»Run Keys
»Current User
»Run
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*ntddetect=C:\WINDOWS\System32\ntddetect.exe
*x3yy=C:\WINDOWS\System32\x3yy\anlogefj.exe
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*nwiz=nwiz.exe /install
*D2TradeHack=C:\WINDOWS\System32\D2TradeHack.exe
*ShowNews=C:\Program Files\EstelleReyna\Updater.exe
*ViewMgr=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*iTunesHelper=C:\Program Files\iTunes\iTunesHelper.exe
*ntddetect=C:\WINDOWS\System32\ntddetect.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*ntddetect=C:\WINDOWS\System32\ntddetect.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*ViewBarBHO.BHO.1/{A7327C09-B521-4EDB-8509-7D2660C9EC98}
`InprocServer32=C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+408=\SystemRoot\System32\smss.exe
+464=\??\C:\WINDOWS\system32\csrss.exe
+496=\??\C:\WINDOWS\system32\winlogon.exe
+540=C:\WINDOWS\system32\services.exe
+552=C:\WINDOWS\system32\lsass.exe
+712=C:\WINDOWS\system32\svchost.exe
+764=C:\WINDOWS\System32\svchost.exe
+844=C:\WINDOWS\System32\svchost.exe
+872=C:\WINDOWS\System32\svchost.exe
+1052=C:\WINDOWS\system32\spoolsv.exe
+1244=C:\WINDOWS\System32\svchost.exe
+1304=C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
+1584=C:\WINDOWS\system32\D2TradeHack.exe
+1780=C:\WINDOWS\Explorer.EXE
+1940=C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
+1956=C:\Program Files\iTunes\iTunesHelper.exe
+1964=C:\WINDOWS\System32\ntddetect.exe
+2012=C:\Program Files\interMute\SpySubtract\SpySub.exe
+228=C:\Program Files\iPod\bin\iPodService.exe
+252=C:\WINDOWS\System32\x3yy\anlogefj.exe
+1864=C:\Program Files\Internet Explorer\IEXPLORE.EXE
+1720=C:\StartDreck\StartDreck.exe
»Application specific
-
Download and UNZIP to a folder
RKfiles.zip>>Ensure you unzip this
We'll need this later
====Download and Install this small program
to help clean your temp folders, cookies, recycle bin, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
==Download CWShredder.exe from my signature below and save it to a folder of your choice
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Find and delete these files or folders if found
C:\WINDOWS\System32\ntddetect.exe <-file
C:\WINDOWS\System32\ntddetect.dat
C:\WINDOWS\system32\op32mp.log
C:\WINDOWS\system32\unic2_32.dll
C:\WINDOWS\desktop.html
C:\WINDOWS\Web\desktop.html
C:\WINDOWS\System32\x3yy <-folder
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Naythin\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.big-search.org/clickpps.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.big-search.org/clickpps.php
I don't know what the next 2 are related to, have Hijackthis fix them
This will just disable them on startup
O4 - HKLM\..\Run: [D2TradeHack] C:\WINDOWS\System32\D2TradeHack.exe
O4 - HKLM\..\Run: [ShowNews] C:\Program Files\EstelleReyna\Updater.exe
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't restart or log off yet
Double click on run.reg that you unzipped earlier..The same folder you unzipped Rkfiles.zip to>>and allow it to merge into the registry
Stay in that folder you unzipped RKFiles.zip to
Double click on RKFiles.bat and wait for it to finish
It will create a log
Save it>>we will need it later, by default it will save to C:\Log.txt
Open CWShredder.exe and click the FIX button, let it fix what it finds
Restart back to Normal mode
Don't open a browser yet
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked
Post back a fresh Hijackthis log
Fresh startdreck log
Log from Rkfiles.bat>>C:\Log.txt
Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\System32\D2TradeHack.exe<--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results
Can you scan this file too
C:\Program Files\EstelleReyna\Updater.exe
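The fix list above is built by reading the HijackThis log line by line and picking out the entries that point at the hijacker's search host, at files in the Temp folder, at the Trusted-sites additions, and at the two unidentified programs. The script below is an added example (not a tool from this thread or from HijackThis) that does that triage over a few constructed log lines in the same format: it parses the R0/R1/O4/O15/O20/O23 entries and returns the ones a helper would want to look at, with the reason. The indicator lists are assumptions built only from the hosts and file names visible in the posted logs; the generic checks (a `res://` search page served from a local DLL, a file run from Temp, an IP range in the Trusted zone, a Winlogon Notify DLL) are review prompts, not a verdict on any file.

```python
"""Triage of a HijackThis-style log: parse the R0/R1/O4/O15/O20/O23 lines and
flag the entries a defender would want to look at first.

Added example, not a tool from this thread. The indicator sets below are
constructed from hosts and file names seen in the posted logs; the heuristics
are generic review prompts, not a verdict on any particular file.
"""
import re
from urllib.parse import urlparse

# Constructed sample lines in HijackThis v1.99 format, modelled on this thread's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.big-search.org/clickpps.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Naythin\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [x3yy] C:\WINDOWS\System32\x3yy\anlogefj.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 66.197.161.149
O20 - Winlogon Notify: D2TradeHack - C:\WINDOWS\SYSTEM32\D2TradeHack.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Indicators taken from this thread's logs (hosts and files the helper asked to remove).
BAD_HOSTS = {"big-search.org", "skoobidoo.com", "slotchbar.com", "windupdates.com"}
BAD_FILES = {"ntddetect.exe", "ntddetect.dat", "anlogefj.exe", "sp.dll", "unic2_32.dll"}
# Files the thread could not identify and sent for scanning: flag for review, not removal.
REVIEW_PATH_FRAGMENTS = ("d2tradehack", "estellereyna\\updater.exe")

LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path; stops at whitespace, comma, quote or '/' (res://...dll/page.html).
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,"/]+')


def parse_log(text):
    """Return (section_code, body) pairs for every HijackThis entry line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none or does not parse."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_bad_host(host):
    """True if host is one of BAD_HOSTS or a subdomain of one ('*.' prefix tolerated)."""
    host = host.lower().lstrip("*.")
    return any(host == bad or host.endswith("." + bad) for bad in BAD_HOSTS)


def file_reasons(text):
    """Reasons derived from any Windows paths found in an entry."""
    reasons = []
    for path in PATH_RE.findall(text):
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        if name in BAD_FILES:
            reasons.append(f"known-bad file {name}")
        if "\\temp\\" in lower:
            reasons.append(f"runs or loads from a Temp directory: {path}")
        if any(frag in lower for frag in REVIEW_PATH_FRAGMENTS):
            reasons.append(f"unidentified file, submit for scanning: {path}")
    return reasons


def triage(text):
    """Return [(code, body, [reasons...])] for entries that deserve a look, in log order."""
    findings = []
    for code, body in parse_log(text):
        reasons = []
        if code in ("R0", "R1"):
            _, _, value = body.partition(" = ")
            host = host_of(value)
            if is_bad_host(host):
                reasons.append(f"search/start page points at {host}")
            if value.lower().startswith("res://"):
                reasons.append("res:// search page served from a local DLL")
            reasons += file_reasons(value)
        elif code == "O15":
            if body.startswith("Trusted IP range:"):
                reasons.append("IP range added to the Trusted sites zone")
            elif body.startswith("Trusted Zone:"):
                domain = body.split(":", 1)[1].split()[0]
                if is_bad_host(domain):
                    reasons.append(f"known-bad domain trusted: {domain}")
        elif code == "O20":
            reasons.append("Winlogon Notify DLL: rare persistence point, verify publisher")
            reasons += file_reasons(body)
        else:  # O4, O23 and the rest: judge by the file they point at
            reasons += file_reasons(body)
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, `triage` returns seven of the ten lines and leaves the NVIDIA, Google and iTunes-style entries alone; the two R1 lines come out for the search host and for the `res://` page in Temp, the O4 lines for the file names, and the O20 line only as a review prompt, which matches the thread's handling of D2TradeHack (disable the autorun, then scan the file rather than delete it).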