casinopalazzo and coolsearch


61 replies to this topic

#21 Guest_JeRzy_*


Posted 08 June 2004 - 06:54 PM

I have been fighting with Casino Palazzo for a couple of days and it seems that I have finally found the solution.

1. Download free program named "Spybot - Search&Destroy". It is anti-spyware/adware/anyothercrapware utility.
2. Run it, get the updates and check for problems. Remove the problems.
3. Enter "Tools" menu in the program.
4. Enter "System Startup" in the "Tools" menu.
5. Read carefully what programs are started with your Windows. You can disable or even delete the ones which are not supposed to be there.
6. In the case of Casino Palazzo, most probably, you should disable (or delete) the program qttasks.exe. It is a Quick Time related program which runs the scheduled tasks - in this case, the task is to add the icon to your desktop and to change your start page. It seems that CWS and other hijackers, including Casino Palazzo, use it to respawn.
7. Enter "Tools" again and then enter "IE Tweaks".
8. You can lock your start page (and other settings) against changes.

I hope these instructions will be helpful. Good luck!

#22 Guest_Alex, Germany_*


Posted 10 June 2004 - 10:03 AM

Hi there,

I also had the problem with CasinoPalazzo. It took about 2 weeks or more to get rid of it. I also tried Ad-Aware, CWShredder, Spybot S&D and HijackThis, but CP was still on my PC. :angry:

I found that every time the popup shows up, a ????.dat file (? means a letter from a-z) was generated in this folder:
c:\dokumente und einstellungen\alex\lokale einstellungen\temp
I guess on English machines the tree looks like this:
c:\documents and settings\username\local settings\temp

Also a copy of this file was generated in c:\windows\prefetch and was changed into a file with a *.pf extension, but the ????.dat string was still visible in the filename. But anyway, also removing all the dat files didn't bring the breakthrough.

I have WinXP and am running several profiles on my PC for my family members. I found that it's important to log in to each profile and repeat all the steps with Ad-Aware and CWShredder and so on.

I also found an entry in the registry in a section called "whitelist" which is part of the Google Toolbar. A URL (vu-games.com) was entered. I removed it manually. Finally I uninstalled the Google Toolbar to make sure that this is not the leak. The CasinoPalazzo popup still appears after this.

I did an online scan with Norton Antivirus (directly executed from the Norton website). It found a trojan in the file wmplayer.exe.tmp and deleted the file. I'm not sure, but I think Norton told me that the name of the trojan is noran.trojan.

I don't know which of my actions finally solved the problem. But scanning the system with Norton was one of my last actions. Also using Ad-Aware and CWShredder again and again.

One more hint:
My CP bug appeared directly after I had problems with a hijacker called www.myexexex.com. All search page and start page entries in the registry were renamed to this URL. After installing Spybot Search&Destroy, "teatimer.exe" gave me a message that an *.exe file was trying to make an entry in the registry in one of the RunOnce sections. I found this file in my Temporary Internet Files folder. To delete this file I logged in to another profile. When you are logged in to your own profile, not all temporary internet files are visible to you.

I hope this is valuable information for some of you and will help you to get rid of this [censored].

Greetings from Germany
Alex

#23 Guest_BJM_*


Posted 10 June 2004 - 01:33 PM

I've tried everything to get rid of casinopalazzo.com popups.  Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc.  Also I keep getting coolsearch.com popups. Can you help me please

Hello! Just delete the notepad.COM in your windows/system232 directory. I had the same problem (not being able to view the HTML sourcecode anymore, for example) and found help in a German web forum. When I deleted the notepad.COM (not the notepad.EXE, of course), everything is right again.

Hope I have helped, Jan, Dortmund, Germany

Jan,

I've had the same problem with this pop-up and had indeed this notepad.com file on my system (win2k). Btw to remove it I did have to use the task manager to end the process, it cannot be search. Your tip seems to have helped because this casinopalazzo pop-up (and others) doesn't appear anymore. So, thanks for the tip!

Bert

PS Are there more files that should be deleted?

#24 Guest_BJM_*


Posted 10 June 2004 - 01:36 PM

I've tried everything to get rid of casinopalazzo.com popups. Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc. Also I keep getting coolsearch.com popups. Can you help me please

Hello! Just delete the notepad.COM in your windows/system232 directory. I had the same problem (not being able to view the HTML sourcecode anymore, for example) and found help in a German web forum. When I deleted the notepad.COM (not the notepad.EXE, of course), everything is right again.

Hope I have helped, Jan, Dortmund, Germany

Jan,

I've had the same problem with this pop-up and had indeed this notepad.com file on my system (win2k). Btw to remove it I did have to use the task manager to end the process, it cannot be search. Your tip seems to have helped because this casinopalazzo pop-up (and others) doesn't appear anymore. So, thanks for the tip!

Bert

PS Are there more files that should be deleted?

Oops, sorry I meant to write:
it cannot be deleted when it's active.

#25 [email protected]_*

Posted 13 June 2004 - 12:18 AM

Cool Search is now classified as a trojan by most AV companies.

Follow this link for CWShredder. I scanned this with NAV and it appears to have worked for Win ME and XP Home.

www.securityworm.com/software/homepc/ adware/cwshredder--remove-coolsearch.html

You may need to reinstall Windows Media Player after this is run.

#26 Guest_gustone_*


Posted 16 June 2004 - 05:25 AM

Please, I need help. Every time I start Windows, casinopalazzo appears and an "on-line show" icon is installed on the desktop. I have tried many things but the problem still remains. Please HELP

Logfile of HijackThis v1.97.7
Scan saved at 2:36:21 , on 16/6/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mshdss.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regmon.exe
C:\WINNT\system32\msict.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crm.artisys.gr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [regmon] C:\WINNT\system32\regmon.exe
O4 - HKLM\..\Run: [msict] C:\WINNT\system32\msict.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = artisys.dns
O17 - HKLM\System\CCS\Services\Tcpip\..\{C612D2A6-1CCA-4D05-99CD-3A62156DF595}: NameServer = 193.92.150.3,194.219.227.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = artisys.dns
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = artisys.dns
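
A HijackThis log like the one posted above is easier to review once it is split into its running-process list and its coded sections, with each O4 registry autostart matched against the processes that were running at scan time. This is an added example, not part of any post and not HijackThis's own code; the function names are illustrative, and the sample is a constructed excerpt using lines copied from the log above.

```python
import re
from collections import defaultdict
# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\regmon.exe
C:\WINNT\system32\msict.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crm.artisys.gr/
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [regmon] C:\WINNT\system32\regmon.exe
O4 - HKLM\..\Run: [msict] C:\WINNT\system32\msict.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")               # "O4 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")  # registry autostarts
IMAGE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)          # executable in a command line

def basename(path): return path.rsplit("\\", 1)[-1].lower()

def parse_log(text):
    """Return (running process paths, {section code: [entry bodies]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY.match(line)):
            entries[m.group(1)].append(m.group(2))
    return processes, entries

def autoruns(processes, entries):
    """One row per O4 registry Run entry: (hive, key, name, image, is_running)."""
    running, rows = {basename(p) for p in processes}, []
    for body in entries.get("O4", []):
        m = RUN.match(body)
        if not m:                     # "Global Startup" shortcuts use another layout
            continue
        hive, key, name, cmd = m.groups()
        img = IMAGE.match(cmd)
        image = img.group(1) if img else cmd
        rows.append((hive, key, name, image, basename(image) in running))
    return rows
```

The rows only say which autostart entries were live at scan time; deciding whether an entry belongs on the machine still takes a lookup of each name.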

#27 Guest_Neville_*


Posted 16 June 2004 - 07:22 AM

Hi, to solve the Casinopalazzo problem: I noticed a file called ####.dat in the process window of the Task Manager in XP. I searched for this file and found it in the temp directory. I deleted the whole temp directory and I don't seem to have a problem now.
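
Alex's and Neville's posts both describe a four-character .dat file in the temp folder, and Alex notes that every Windows profile has to be checked. The following is an added example, not written by any poster: it walks each profile's temp folder and reports four-letter .dat files that are really Windows executables. That the file is a PE image is an assumption (Neville saw it in the process list, but no post confirms the format); the function names and the folder layout parameter are illustrative.

```python
import re
from pathlib import Path

# Name pattern from the posts: four letters a-z followed by .dat
DAT_NAME = re.compile(r"^[a-z]{4}\.dat$", re.IGNORECASE)

def is_pe(path):
    """True if the file has an 'MZ' header and a PE signature at the offset stored at 0x3C."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            f.seek(int.from_bytes(head[0x3C:0x40], "little"))
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False          # unreadable or locked file: not reported

def find_disguised_dat(profiles_root, temp_rel=("Local Settings", "Temp")):
    """Check every profile's temp folder for four-letter .dat files that are executables."""
    hits = []
    for profile in sorted(Path(profiles_root).iterdir()):
        temp = profile.joinpath(*temp_rel)
        if not temp.is_dir():
            continue
        for f in sorted(temp.iterdir()):
            if f.is_file() and DAT_NAME.match(f.name) and is_pe(f):
                hits.append(f)
    return hits
```

On the systems in this thread the root would be C:\Documents and Settings, read from an account that can see the other profiles' folders.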

#28 Guest_gustone_*


Posted 16 June 2004 - 10:22 AM

The main problem seems to be that there is a file "on-line.exe" which starts in the task manager and then disappears, which installs the icon on my desktop. Although I have tried to find the file, this seems impossible. If anyone knows where it is and how to delete it, that would be excellent.

#29 Guest_Guest_Bill_*


Posted 18 June 2004 - 06:55 AM

I read through several forums on the problem for Casinopalazzo. When I would start my PC, my browser would open automatically, going to the casinopalazzo page, and creating the sex icon on my desktop. After trying several of the suggestions, I finally went through the files in my windows directory. I found one called sex.exe. I deleted that file; when I next booted up, the auto launch of my browser did not occur, and it has not since attempted to access the casinopalazzo site. Find that file, in my case, sex.exe, delete it, and the problem will go away.

#30 Guest_Jake_*


Posted 23 June 2004 - 02:53 PM

For XP, go to Control Panel -> Other Control Panel Options -> Java Plugin, and one of the tabs is Browser; uncheck IE... voilà - fixed! (well, at least for me :D)

#31 Guest_jihad_*


Posted 24 June 2004 - 05:22 PM

I don't know if it has anything to do with CasinoPalazzo,
there's a file called web.exe, try renaming it to web.ex_ or deleting it...
dunno

#32 Guest_Taps_*


Posted 25 June 2004 - 04:23 AM

Hello there, I got this casinopalazzo stuff one week ago. I've tried to search for casinopalazzo in the registry, but it only appears in the "typed urls" folder, as I typed it to email the site's support (they haven't replied...). No notepad.com either. I've also tried Jerzy's solution with Spybot Search and Destroy (actually the BEST anti-spyware I've tried, my PC is really cleaner now). The casinopalazzo page opened when I tried to open a file with notepad. Now the casinopalazzo page doesn't launch any more, but notepad cannot be executed, and the "pleasure zone" icon is still being created.
Thanks for your help.

#33 Guest_Taps_*


Posted 25 June 2004 - 12:00 PM

the casinopalazzo page is still launched :((((((

#34 Guest_Kermit Dudley_*


Posted 25 June 2004 - 11:16 PM

Felt compelled to share this. I don't claim that it will work for you, but I did a scan with Ad-Aware's latest file (but I didn't use Spybot, CWShredder or hijack - just trusty ole Ad-Aware). It found nothing, but

C:\Documents and Settings\User\.jpi_cache\jar\1.0


I found some very nasty stuff, including web.exe, but it was in a ZIP FILE! So this may be the problem, or at least this should point us in the right direction; it appears to be a java-related exploit. The troubling thing is that I'm behind a firewall, all my windows updates were taken, so my java-machine should be secure. Another disappointment thanks to Microsoft. When I ran web.exe a smut site came up, asked me if I wanted to install more smut-ware, and all my IE windows started to revert to smut sites.

Oh one more thing about CasinoPalazzo, that model that appears on the right side of the pic is actually a guy, look closely at the neck - women's shoulders form a right-angle at the neck, men's arch upward :lol:

#35 Guest_Taps_*


Posted 26 June 2004 - 07:21 AM

I've noticed this, the model is really horrible. I wonder how people can build such sites; do they think people are going to trust their filthy flash games?

#36 Guest_Allen_*


Posted 26 June 2004 - 06:38 PM

Sorry, I didn't know how to post a message so I ended up starting a new topic. So forgive me if you see this same post somewhere else. But I've done a hijackthis scan and please advise me what processes to kill. I am not sure how hijackthis works. But I am fighting casinopalazzo pop-ups.

Logfile of HijackThis v1.97.7
Scan saved at 5:38:20 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\POP\PopFilter.exe
C:\WINDOWS\System32\taskngr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Allen1\My Documents\My Music\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 -