casinopalazzo and coolsearch


61 replies to this topic

#21 Guest_JeRzy_*

Guest_JeRzy_*
  • Guests

Posted 08 June 2004 - 06:54 PM

I have been fighting with Casino Palazzo for a couple of days and it seems that I have finally found the solution.

1. Download free program named "Spybot - Search&Destroy". It is anti-spyware/adware/anyothercrapware utility.
2. Run it, get the updates and check for problems. Remove the problems.
3. Enter "Tools" menu in the program.
4. Enter "System Startup" in the "Tools" menu.
5. Read carefully what programs are started with your Windows. You can disable or even delete the ones which are not supposed to be there.
6. In the case of Casino Palazzo, most probably, you should disable (or delete) the program qttasks.exe. It is a Quick Time related program which runs the scheduled tasks - in this case, the task is to add the icon to your desktop and to change your start page. It seems that CWS and other hijackers, including Casino Palazzo, use it to respawn.
7. Enter "Tools" again and then enter "IE Tweaks".
8. You can lock your start page (and other settings) against changes.

I hope this instruction will be helpful. Good luck!

#22 Guest_Alex, Germany_*

Guest_Alex, Germany_*
  • Guests

Posted 10 June 2004 - 10:03 AM

Hi there,

I also had the problem with CasinoPalazzo. It took about 2 weeks or more to get rid of it. I also tried Ad-Aware, CWShredder, Spybot S&D and HijackThis, but CP was still on my PC. :angry:

I found that every time the popup showed up, a ????.dat file (? means a letter from a-z) was generated in this folder:
c:\dokumente und einstellungen\alex\lokale einstellungen\temp
I guess on english machines the tree looks like this:
c:\documents and settings\username\local settings\temp

Also a copy of this file was generated in c:\windows\prefetch and was changed into a file with a *.pf extension, but the ????.dat string was still visible in the filename. But anyway, also removing all the dat files didn't bring the breakthrough.

I have WinXP and am running several profiles on my PC for my family members. I found that it's important to log in to each profile and repeat all the steps with Ad-Aware and CWShredder and so on.

I also found an entry in the registry in a section called "whitelist" which is part of the Google Toolbar. A URL (vu-games.com) was entered. I removed it manually. Finally I uninstalled Google Toolbar to make sure that this was not the leak. The CasinoPalazzo popup still appears after this.

I did an online scan with Norton Antivirus (directly executed from the Norton website). It found a trojan in the file wmplayer.exe.tmp and deleted the file. I'm not sure, but I think Norton told me that the name of the trojan is noran.trojan.

I don't know which of my actions finally solved the problem. But scanning the system with Norton was one of my last actions. Also using Ad-Aware and CWShredder again and again.

One more hint:
My CP bug appeared directly after I had problems with a hijacker called www.myexexex.com. All search page and start page entries in the registry were renamed to this URL. After installing Spybot Search&Destroy, the "teatimer.exe" gave me a message that an *.exe file was trying to make an entry in the registry in one of the runonce sections. I found this file in my Temporary Internet Files folder. To delete this file I logged into another profile. When you are logged into your own profile, not all temporary internet files are visible to you.

I hope this is a valuable information for some of you and will help you to get rid of this [censored].

Greetings from Germany
Alex

#23 Guest_BJM_*

Guest_BJM_*
  • Guests

Posted 10 June 2004 - 01:33 PM

I've tried everything to get rid of casinopalazzo.com popups.  Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc.  Also I keep getting coolsearch.com popups. Can you help me please

Hello! Just delete the notepad.COM in your windows/system232 directory. I had the same problem (not being able to view the HTML sourcecode anymore, for example) and found help in a German web forum. When I deleted the notepad.COM (not the notepad.EXE, of course), everything is right again.

Hope I have helped, Jan, Dortmund, Germany

Jan,

I've had the same problem with this pop-up and had indeed this notepad.com file on my system (win2k). Btw to remove it I did have to use the task manager to end the process, it cannot be search. Your tip seems to have helped because this casinopalazzo pop-up (and others) doesn't appear anymore. So, thanks for the tip!

Bert

PS Are there more files that should be deleted?

#24 Guest_BJM_*

Guest_BJM_*
  • Guests

Posted 10 June 2004 - 01:36 PM

I've tried everything to get rid of casinopalazzo.com popups. Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc. Also I keep getting coolsearch.com popups. Can you help me please

Hello! Just delete the notepad.COM in your windows/system232 directory. I had the same problem (not being able to view the HTML sourcecode anymore, for example) and found help in a German web forum. When I deleted the notepad.COM (not the notepad.EXE, of course), everything is right again.

Hope I have helped, Jan, Dortmund, Germany

Jan,

I've had the same problem with this pop-up and had indeed this notepad.com file on my system (win2k). Btw to remove it I did have to use the task manager to end the process, it cannot be search. Your tip seems to have helped because this casinopalazzo pop-up (and others) doesn't appear anymore. So, thanks for the tip!

Bert

PS Are there more files that should be deleted?

Oops, sorry I meant to write:
it cannot be deleted when it's active.

#25 [email protected]_*

Posted 13 June 2004 - 12:18 AM

Cool Search is now classified as a trojan by most AV companies.

Follow this link for CS Shredder, I scanned this with NAV and it appears to have worked for Win ME and XP Home.

www.securityworm.com/software/homepc/adware/cwshredder--remove-coolsearch.html

You may need to reinstall Windows Media Player after this is run.

#26 Guest_gustone_*

Guest_gustone_*
  • Guests

Posted 16 June 2004 - 05:25 AM

Please, I need help. Every time I start Windows, casinopalazzo appears and an "on-line show" icon is installed on the desktop. I have tried many things but the problem still remains. Please HELP

Logfile of HijackThis v1.97.7
Scan saved at 2:36:21 , on 16/6/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mshdss.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regmon.exe
C:\WINNT\system32\msict.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crm.artisys.gr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [regmon] C:\WINNT\system32\regmon.exe
O4 - HKLM\..\Run: [msict] C:\WINNT\system32\msict.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = artisys.dns
O17 - HKLM\System\CCS\Services\Tcpip\..\{C612D2A6-1CCA-4D05-99CD-3A62156DF595}: NameServer = 193.92.150.3,194.219.227.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = artisys.dns
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = artisys.dns

#27 Guest_Neville_*

Guest_Neville_*
  • Guests

Posted 16 June 2004 - 07:22 AM

Hi, to solve the Casinopalazzo problem I noticed a file called ####.dat in the process window of the task manager in XP. I searched for this file and found it in the temp directory. I deleted the whole temp directory and I don't seem to have a problem now.

#28 Guest_gustone_*

Guest_gustone_*
  • Guests

Posted 16 June 2004 - 10:22 AM

The main problem seems to be that there is a file "on-line.exe" which starts in the task manager and then disappears, which installs the icon on my desktop. Although I have tried to find the file, this seems impossible. If anyone knows where it is and how to delete it, that would be excellent.

#29 Guest_Guest_Bill_*

Guest_Guest_Bill_*
  • Guests

Posted 18 June 2004 - 06:55 AM

I read through several forums on the problem for Casinopalazzo. When I would start my pc, my browser would open automatically, going to the casinopalazzo page, and creating the sex icon on my desktop. After trying several of the suggestions, I finally went through the files in my windows directory. I found one called sex.exe. I deleted that file, when I next booted up, the auto launch of my browser did not occur, and has not since attempted to access the casinopalazzo site. Find that file, in my case, sex.exe, delete it, and the problem will go away.

#30 Guest_Jake_*

Guest_Jake_*
  • Guests

Posted 23 June 2004 - 02:53 PM

For XP go to Control Panel -> other control panel options -> Java Plugin and one of the tabs is Browser, uncheck IE... voilà - fixed! (well, at least for me :D)

#31 Guest_jihad_*

Guest_jihad_*
  • Guests

Posted 24 June 2004 - 05:22 PM

I don't know if it has anything to do with CasinoPalazzo,
there's a file called web.exe, try renaming it to web.ex_ or deleting it...
dunno

#32 Guest_Taps_*

Guest_Taps_*
  • Guests

Posted 25 June 2004 - 04:23 AM

Hello there, I got this casinopalazzo stuff one week ago. I've tried to search for casinopalazzo in the registry, but it only appears in the "typed urls" folder, as I typed it to email the site's support (they haven't replied...). No notepad.com either. I've also tried Jerzy's solution with Spybot Search and Destroy (actually the BEST anti spyware I've tried, my pc is really cleaner now). The casinopalazzo page opened when I tried to open a file with notepad. Now the casinopalazzo page doesn't launch any more, but notepad cannot be executed, and the "pleasure zone" icon is still being created.
Thanks for your help.

#33 Guest_Taps_*

Guest_Taps_*
  • Guests

Posted 25 June 2004 - 12:00 PM

the casinopalazzo page is still launched :((((((

#34 Guest_Kermit Dudley_*

Guest_Kermit Dudley_*
  • Guests

Posted 25 June 2004 - 11:16 PM

Felt compelled to share this, I don't claim that it will work for you, but I did a scan with Ad-Aware's latest file (but I didn't use Spybot, CWShredder or HijackThis - just trusty ole Ad-Aware) it found nothing, but

C:\Documents and Settings\User\.jpi_cache\jar\1.0


I found some very nasty stuff, including web.exe but it was in a ZIP FILE! So this may be the problem or at least this should point us in the right direction, it appears to be a Java-related exploit. The troubling thing is that I'm behind a firewall, all my Windows updates were taken, so my Java machine should be secure. Another disappointment thanks to Microsoft. When I ran web.exe a smut site came up, asked me if I wanted to install more smut-ware, and all my IE windows started to revert to smut sites.

Oh one more thing about CasinoPalazzo, that model that appears on the right side of the pic is actually a guy, look closely at the neck - women's shoulders form a right-angle at the neck, men's arch upward :lol:

#35 Guest_Taps_*

Guest_Taps_*
  • Guests

Posted 26 June 2004 - 07:21 AM

I've noticed this, the model is really horrible. I wonder how people can build such sites, do they think ppl are going to trust their filthy flash games?

#36 Guest_Allen_*

Guest_Allen_*
  • Guests

Posted 26 June 2004 - 06:38 PM

Sorry, I didn't know how to post a message so I ended up starting a new topic. So forgive me if you see this same post somewhere else. But I've done a hijackthis scan and please advise me what processes to kill. I am not sure how hijackthis works. But I am fighting casinopalazzo pop-ups.

Logfile of HijackThis v1.97.7
Scan saved at 5:38:20 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\POP\PopFilter.exe
C:\WINDOWS\System32\taskngr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Allen1\My Documents\My Music\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Allow Popups - C:\Program Files\POP\WhiteGetUrl.js
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Toggle Image (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7922.8925694444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...ic/wtwdinst.cab

#37 Guest_Guest_Dan_*

Guest_Guest_Dan_*
  • Guests

Posted 26 June 2004 - 10:14 PM

I think one important item that has been missed and may explain why some removal techniques aren't working is the possibility that some of you may be using Windows XP or ME. These OS's may need to have their system restore disabled in order for the cleansing to take effect.

I just put a new install of XP on a system and did some browsing to test the network connections.. wandered into some bad sites and got hammered as I had yet to apply any antivirus and patches or disable JavaScript. I picked up the CoolWeb, Casino, auto dialer, a couple browser jacks, and a couple bugs...it was friggin ugly... couldn't even browse. I installed SpyBot, Adaware, CWShredder, Anti-CWshredder killer (some CoolWeb baddies can work around CWshredder), Hijack This and McAfee antivirus.

Try booting into safe mode and disabling the system restore. Run antivirus and then SpyBot, Adaware, CWshredder Killer and CWshredder, and Hijack This. Now be sure to go into the "advanced options" on these programs when available as the "standard" scans may not find everything. I found this especially true with the antivirus as I had to set it to scan for "potentially unwanted" and "joke programs" in order to find some of them. I found crap all through the registry, system32, Docs & settings, programs folder, and even a few more in C:\ that none of the programs detected - the bastards were breeding like rabbits.

You will find that you may not be able to delete some files as they are in use- quarantine them and set it to delete them after reboot (try using explorer to reach the location and manually delete them first). I noticed that additional items were created and installed upon reboot (especially in the registry) and it took three times of performing the above steps to finally rid myself of everything- you may have to manually delete registry settings each time as well.

Hopefully you guys won't have it as bad as I did, but if you have XP and do not disable the system restore before cleaning, you might just be killing time.

#38 Guest_Kermit Dudley_*

Guest_Kermit Dudley_*
  • Guests

Posted 27 June 2004 - 09:00 PM

Hey guys, I think I got it. This whole problem is caused by the version of coolwebsearch known as cws.yexe

I am running XP pro and have had a very difficult time removing it, but I *tentatively* think I got it. My version was running itself as services.exe, but it was NOT located in c:\windows\system32\system\ it WAS located in c:\windows\inetdata\services.exe CAUTION, if you are a newbie, BE VERY CAREFUL, DO NOT DELETE C:\WINDOWS\SYSTEM32\SERVICES.EXE THIS WILL WRECK YOUR SYSTEM. They do this on purpose. Start task manager and view running processes. Sort by process name, then look for services.exe, I guarantee you will have at least ONE entry, but if yours is infected like mine was, you will have TWO, one that says services.exe and the next column will say SYSTEM, then another services.exe process will have a column that says *user* for whatever your login name is, THIS IS CWSHREDDER, but don't try killing it because it won't let you.


to remove it from XP,

1) download cwshredder, put it on your desk top

2) unplug your ethernet cable or phone line so it's NOT PHYSICALLY POSSIBLE to access the internet. (I don't know if this is necessary or not, but this is what I did, since it may be able to download itself again, but this way guarantees it's not possible. If you're really paranoid, go into IE and delete your temporary internet files)

3) restart computer, right before it gets ready to boot, hit F8 a few times, and boot into SAFE MODE

4) run cwshredder, it should find cws.yexe or cws.msconfig (or similar) go ahead and remove it, but it will just reappear the next time you reboot.


5) run regedit (start->run, regedit), save the registry to a backup somewhere, then search for services.exe, go slowly ESPECIALLY if you're a newbie, this can mess up your machine. If it finds a match to services.exe delete it IF AND ONLY IF the path leading to it is anything BUT c:\windows\system32.exe again, I'm saying DO NOT delete the registry key IF IT DOES point to c:\windows\system32\services.exe.

C:\windows\system32\services.exe is the GOOD GUY, on my system the BAD GUY was c:\windows\inetdata\services.exe but inevitably other people might have different references. There were approximately 4 or 5 references to the BAD GUY on my system, I don't remember for sure.

6) go into c:\windows\inetdata or wherever you found the BAD GUY and delete this file, services.exe

7) run msconfig, (start->run->msconfig) look at system.ini at the bottom it should say [windows];msconfig load= [path to BAD GUY] uncheck this box.


8) run cwshredder again, do it up to 3 or 4 times until it says system completely clean. If it doesn't, then you must have a different variant of CWS on your system, sorry.

9) reboot and run windows normally (not safe mode), run cwshredder and make sure it says system is clean. Open up IE (even though you still don't have internet access) and change your home page. Plug your internet connection back in (phone line or ethernet cable, whichever you use) and make sure internet still works, surf a few sites, reboot again and run CWS again to be sure it's gone. If it says clean you should be devoid of this parasite.

I take full responsibility for what happened, I got this from looking at smut sites. Norton AV even came up and said I was infected with trojan.byteverify, but it said it was unable to remove it. Some research I did indicated that trojan.byteverify is a virus caused by a security bug in microsoft VM (virtual machine for java), but I took all the updates from windowsupdate. I am still investigating how I am able to get infected this way.

Finally, try not to feel too angry. If you're not tech savvy, don't feel bad about yourself. I'm a senior computer science major and it took me several days to figure this one out. Try not to hold anger towards the [insert your favorite expletive here] people who develop this software. Of course if we just knew where they lived ............. but we DON'T so don't get angry about it. Compare this to computer virii. Virii are written by teenage kids (or the equivalent) who spend their free time writing goofy programs and they want their 2.5 minutes of fame. Scumware is written by people who are motivated by money. Thus there is a much stronger drive to produce scumware and make it as difficult to remove as possible, hence scumware is (now becoming) more difficult to control than virii. It shouldn't be a surprise at all. Also consider that AV companies such as Norton and McAfee have to handle scumware very niggardly, because if some 80 yr old retarded judge (but I repeat myself) or jury in BFE nebraska happens to rule that some particular scumware such as CWS is a legitimate business application, those companies (Norton and McAfee) could get sued to oblivion. I can hardly blame them for not wanting to take that chance. The best thing to do, if you have had it with this nonsense, is to get a mac, or switch to linux. I wish all of you the best in your endeavours B)
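
Added example (not part of any post in this thread, and not code from HijackThis or CWShredder): the check described in post #38, a core Windows process name running from somewhere other than its normal directory, applied to a HijackThis-style log. The sample log is constructed for illustration; the expected-directory table and the default C:\WINDOWS / C:\WINNT system roots are assumptions that hold for stock Windows 2000/XP installs.

```python
import ntpath
import re

# Core Windows 2000/XP process names and the directory, relative to the
# system root, each is expected to run from (assumption: stock install).
EXPECTED_DIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",
}
SYSTEM_ROOTS = (r"c:\windows", r"c:\winnt")  # assumption: default roots

# Registry autostart lines, e.g. "O4 - HKLM\..\Run: [name] command".
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First fully qualified .exe path inside an autostart command line.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def is_masquerade(path):
    """True if path carries a core process name but sits in the wrong folder."""
    path = ntpath.normpath(path.strip().strip('"')).lower()
    directory, name = ntpath.split(path)
    if name not in EXPECTED_DIR:
        return False
    allowed = {ntpath.normpath(ntpath.join(root, EXPECTED_DIR[name]))
               for root in SYSTEM_ROOTS}
    return directory not in allowed


def scan_log(text):
    """Return (kind, path) findings from the process list and O4 Run entries."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                 # blank line ends the process list
                in_processes = False
            elif is_masquerade(line):
                findings.append(("process", line))
            continue
        match = O4_RE.match(line)
        if match:
            # Bare names such as "SysTray.Exe" carry no path and are skipped.
            exe = PATH_RE.search(match.group("cmd"))
            if exe and is_masquerade(exe.group(1)):
                findings.append(("autostart " + match.group("hive"),
                                 exe.group(1)))
    return findings


# Constructed sample in the HijackThis v1.97.7 layout; not a real scan.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\inetdata\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [services] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

if __name__ == "__main__":
    for kind, path in scan_log(SAMPLE_LOG):
        print(f"{kind}: {path}")
```

A finding is only a lead to examine the file at that path; the genuine copy under system32 is never reported and should be left alone.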

#39 Guest_Kermit Dudley_*

Guest_Kermit Dudley_*
  • Guests

Posted 27 June 2004 - 09:07 PM

By the way, I forgot to mention that I had system restore turned off (do that first before anything else) when I got rid of CWS on my system. I don't know if that is necessary or not. Hope I'm able to help at least one person. :)

#40 Guest_Guest_John_*

Guest_Guest_John_*
  • Guests

Posted 28 June 2004 - 08:47 AM

I am having the same problem with Casinopalazzo. I have done Adaware (updated version) and CWShredder. They got rid of some stuff, but made no difference to CP problem. I also updated IE. Anyway, here is my Hijack logfile. Any help very much appreciated:

Logfile of HijackThis v1.97.7
Scan saved at 15:37:29, on 28/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SBPCI\CTMIX32.EXE
C:\WINDOWS\TBPANEL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\PROMOTIONS\HPPROMO.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\JOHN'S STUFF - WILL WIPE HARD DISK IF OPENED. OH [censored], JUST DID IT, SORRY!!\HIJACKTHIS.EXE
C:\PROGRAM FILES\OPERA75\OPERA.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O4 - HKLM\..\Run: [Gainward] c:\windows\TBPanel.exe /A
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 2500 series] "C:\PROGRAM FILES\HP\DIGITAL IMAGING\PROMOTIONS\HPPROMO.exe" /N "psc 2500 series" -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...AB?37907.411875
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

Thanks,

John