Jump to content


- - - - -

casinopalazzo and coolsearch


  • Please log in to reply
61 replies to this topic

#41 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 28 June 2004 - 11:32 AM

I've now also tried action with Spybot, which does nothing (like the other 3 very self-congratulatory ad-aware type things I've tried). Also, the elaborate searches on the Registry, suggested by another contributor, does nothing. This is very frustrating. Having spent about 24 hours messing around with software that claims it will fix everything, I've become sceptical about it all. Any other suggestions? Would uninstalling IE completely work?

#42 Guest_Urney_*

Guest_Urney_*
  • Guests

Posted 28 June 2004 - 01:19 PM

1) cut down on porn :rolleyes:

2) run cwshredder to find out what variant you have

3) lighten up

#43 Guest_synged_*

Guest_synged_*
  • Guests

Posted 28 June 2004 - 02:06 PM

I also have been battling casinopalazzo. I am running windows XP and IE 6. I have noticed in the C:/WINNT/system32 folder their is at least 2 .exe files associated with this bug: reinstall.exe & telnetxp.exe. From my best guessing, the reinstall.exe program does exactly that, it checks to see if the shortcut is placed in your desktop and if it doesn't exist it reinstalls. The telnetxp.exe seems to telnet to other servers and fetches the program from that server to your computer. I am running a firewall and have blocked incoming and outgoing traffic to this site and I get alerts from the firewall when this traffic occurs. Both of these programs also use the same icon which is used as the desktop icon which for me came up with the title "Best Online Casino". I have deleted these two .exe files and I am still waiting to see the results. By the way, I also ran scans with Norton's Antivirus and Lavasoft's Adaware (Version 6.181) and neither have picked these up at this time. I did prematurely delete these, as I should have looked at the code to see what indeed was going on. Hope this helps somewhat and will update with my results.

DSB

#44 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 28 June 2004 - 05:36 PM

Thanks DSB, that's useful - will also keep you posted with any success. Am trying various other things.

#45 Guest_synged_*

Guest_synged_*
  • Guests

Posted 29 June 2004 - 03:30 AM

Here is another update on this issue. The telnetxp.exe file has been reinstalled on my computer, but the reinstall.exe file has not. My firewall also blocked another attempt at reconneting to 2 sites with the IP addresses 66.230.167.185 & 66.230.167.193. More importantly, I did a search to find the telnetxp.exe instances:
TELNETXP.EXE-069FCC56.pf C:\WINNT\Prefetch
telnetxp.exe C:\WINNT\system32

After more digging around and checking my firewall logs, I have come up with this. There are 2 files located in C:\WINNT\system32:
telnetxp.exe
taskngr.exe

There are also 2 files located in C:\WINNT\Prefetch:
TELNETXP.EXE-069FCC56.pf
TASKNGR.EXE-1F4A3A74.pf

According to my firewall logs the 2 .exe files run together.
Web Activity:
Date Time: 6/28/2004 11:59:11 PM
User: Supervisor
URL: http://66.230.167.185/z/taskngr.exe

Web Activity:
Date Time: 6/28/2004 11:59:10 PM
User: Supervisor
URL: http://66.230.167.185/z/telnetxp.exe

Web Activity:
Date Time: 6/28/2004 11:59:06 PM
User: Supervisor
URL: http://66.230.167.185/z/2106/2106.php

My last guess is that the .pf files are the ones which keep creating the .exe files and thus causing all the annoyance. I am not exactly sure how the 2106.php file is used yet. Anyone else have a guess? Not sure if there are more files involved at this time.

DSB

#46 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 29 June 2004 - 07:31 AM

Ok, this is good info and a great example synged. When you guys do scans with your software (hijacker, etc) and it comes up with filenames and registry entries, you should do a google search for them and it will help you determine whether it's a needed file or not. Sometimes the files are named after a real file but placed in a location the real file isn't supposed to be in. You will need to search your hard drives(start button- search files/folders) <b>and</b> registry (start button- run- type in regedit) for all items with these names. This is what I meant when I had to delete registry entries after each clean. Each time I deleted something and rebooted it would create other files with different names (sometimes in the same location, sometimes not). I would rescan again with all my software, find the new entries and search my drives/registry, explore the paths and delete them.(note:right clicking on the files and viewing the properties not only may show you the paths to spawn points but it also shows the creation date so you can know for sure if the file was just created)

After about three times of doing this I was finally able to rid myself of the bastards.

#47 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 29 June 2004 - 11:27 AM

hi,

i had the same problems with that casinopalazzo-stuff, but i could solve it that way... maybe it helps you too.

System: win2k
control panel -> java console -> uncheck internet explorer -> restart pc -> now locate "jsconsole.dll" in c:\windows\system32. on my system this file was a trojan. rename or delete it.

after deleting this file, i had no more troubles with cp or other pages...

make sure, that there are no more redirects to myexexex.com in your registry.

#48 Guest_visE_*

Guest_visE_*
  • Guests

Posted 29 June 2004 - 05:06 PM

Hey guys,

I too have been infected with the Casino Palazzo spyware and think it is the worst thing that has ever been created spyware wise. I think the most important thing to remember when you are removing this spyware device, is to have your System Restore turned to OFF. Mine had mistakenly been unchecked, leaving the System Restore feature ON.

After I took this feature off, I ran CWShredder. It found CWS.Mole and removed it. I then ran Ad-Aware 6. This found about 14 total files (about 6 hours ago it had found 20 or so, and I safely removed them and the desktop icon. It reappeared shortly thereafter. I was then browsing the web with my girlfriend in the room, when a porn pop-up hijacked my system, right when she was looking at the monitor. Anyways..). I removed all of these files, and then ran Hijackthis. Everything looked as it had for the past day or so here.

I then rebooted my computer, and ran Hijackthis, Ad-aware, and CWShredder again. All of these turned up ZERO results (except Hijackthis, which remained the same throughout). Hope this helps...

-visE

#49 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 30 June 2004 - 07:26 AM

PS Are there more files that should be deleted?

notepad.com
taskngr.exe (not taskmgr.exe)
telnetxp.exe

But this still doesn't help.

#50 Guest_Allen_*

Guest_Allen_*
  • Guests

Posted 02 July 2004 - 10:44 PM

Somebody recommended going into java console and unchecking it. Try it, it might work. A while before I came across the Casino Palooza problem. I am not a computer tech guy. So messing registries gets really confusing and can be dangerous if you delete something accidentally. SO I went to Java Console and unchecked internet explorer: control panel -> java console -> uncheck internet explorer -> restart pc ->then I ran CWshredder, spybot, then Adware 6. I don't know when it dissappear. But all I know is that now, it doesn't show up anymore. Before there was other pop ups that accompany the casino palooza, now none at all.

#51 Guest_Steven Moors_*

Guest_Steven Moors_*
  • Guests

Posted 03 July 2004 - 11:33 AM

hello, i believe to have a similar problem in that my notepad program is totally messed up, it has an icon that is a purple background with a yellow cross - the same icon that the pleasure zone program has, and whenever i run notepad it asks to connect to the internet i have allowed it to do so 1nce and the casino palooza site came up whenever i run notepad, the pleasure zone icon appears on desktop,

I am really a computer noob and am seeking help with this 1

thanx all

#52 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 04 July 2004 - 05:00 PM

I have finally got rid of CasinoPlaza! (from Windows 98 system). None of the things suggested here worked exactly, but CW SHredder kept coming up with an 'Exploiter' file. I searched this on Google, and got a piece of software called DSOStop (a very small and quick program) which stopped the Exploiter thing coming up. After that things seem fine. I also (before this) got rid of some files with Hijack this, from towards the end of the 04 bit of the list (called winnit.exe and something else winrun.exe or something which I can't remember the bame of, sorry). But the giveaway (for an computer fool like me) was the fact that both sounded very important, but were created a week ago (BTW they were both in the Windows file on the C drive - but could only be deleted by Hijack this, not a standard delete), so can't have been so crucial, right? Anyway, I'm pretty sure that the combination of these things got the adware thing. Oh, and I also deleted the sexdial.exe thing in there too (which puts the icon on the desktop, and dials up Casinoplazza), although that thing was able to recreate itself in the past, before the other steps I mentioned.

Funny how this solution is so different to the other (very various) ways people have got rid of this thing. It seems to me that 'actual' viruses are pretty tame compared to this thing - when you get one of those, someone just makes a patch and it's OK, right? This thing takes hours of messing about, and really slows down and messes up your computer. IE doesn't work anymore, but then Opera is the only way now, I think...

Thanks for those who helped me get there - I hope my 'cure' might be of some use to someone...

#53 Guest_Death to all Malware coders!_*

Guest_Death to all Malware coders!_*
  • Guests

Posted 04 July 2004 - 06:25 PM

Just wondering what kinda trouble this could bring on me if i send this to these jerks?

"DO NOT HESITATE TO TELL US ANYTHING YOU'D LIKE"

That's quoted from your own website, and from the forums I've been reading, I'm pretty sure I speak for a significant number of other internet users - You sick bastards might want to look into purchasing some guns and blowing each other away - scum like you should be shot! Your adware/spyware/malware crap or whoever is writing the code that you use to FORCE your "services" on people is just plain sick!

To get rid of your pop-ups and a number of others I had to re-install my OS and all apps.
Thanks so much for wasting a day of my life.

Bunch of GOOFS!

#54 Guest_Jimi_*

Guest_Jimi_*
  • Guests

Posted 10 July 2004 - 12:00 AM

A simple cure for Casinopalazzo. It kept knocking me off line and I had to spend 5 minutes reconnecting to my Internet provider, but the CP bug appears every 8 to 10 minutes so I had an 8 minute 'window' for downloads. Sorry for being wordy but this is what I downloaded and the order in which I ran them. I got the latest version of Ad-Aware 6.181. It loaded over my older version (6.162) and found 32 bugs my older version didn't recognise.
Google.com then type CWShredder. On dial up it's a 2 minute load. Then Google again and get Hijackthis. Run Ad-Aware first. It will miss the CP bug but it really speeds up your CPU so it can handle the evasive manuvers of the bug. It replicates itself as you are deleting it.
Then run the CWShredder. Let it kill the 80 or so file paths it finds. Then run Hijackthis. It will warn you that some files it found are needed for legitimate programs. Of the 30 or so names it found I UNclicked 4 near the bottom of the page. They had to do with word processing and faxing so I left them alone. All the files it deleted went into my Norton Protected Bin so later, if I need a deleted file I can unerase. I won't empty the Norton Bin for a few months just to make sure I haven't deleted a neccessary file unrelated to the CP bug.
Ad-Aware...CWShredder...Hijackthis, in that order. I played Freecell for an hour with no Pop-Up, then I spent an hour in my favorite chatroom; no Pop-Up.
Sometimes the 'simple cure' works best, especially for non-techy people like me.
Best of luck,
James
Albion6000Email Removed

James,

Your 'Simple Cure' did the trick. Thanks!

#55 Guest_BigRonFH_*

Guest_BigRonFH_*
  • Guests

Posted 19 July 2004 - 10:07 AM

A simple cure for Casinopalazzo. It kept knocking me off line and I had to spend 5 minutes reconnecting to my Internet provider, but the CP bug appears every 8 to 10 minutes so I had an 8 minute 'window' for downloads. Sorry for being wordy but this is what I downloaded and the order in which I ran them. I got the latest version of Ad-Aware 6.181. It loaded over my older version (6.162) and found 32 bugs my older version didn't recognise.
Google.com then type CWShredder. On dial up it's a 2 minute load. Then Google again and get Hijackthis. Run Ad-Aware first. It will miss the CP bug but it really speeds up your CPU so it can handle the evasive manuvers of the bug. It replicates itself as you are deleting it.
Then run the CWShredder. Let it kill the 80 or so file paths it finds. Then run Hijackthis. It will warn you that some files it found are needed for legitimate programs. Of the 30 or so names it found I UNclicked 4 near the bottom of the page. They had to do with word processing and faxing so I left them alone. All the files it deleted went into my Norton Protected Bin so later, if I need a deleted file I can unerase. I won't empty the Norton Bin for a few months just to make sure I haven't deleted a neccessary file unrelated to the CP bug.
Ad-Aware...CWShredder...Hijackthis, in that order. I played Freecell for an hour with no Pop-Up, then I spent an hour in my favorite chatroom; no Pop-Up.
Sometimes the 'simple cure' works best, especially for non-techy people like me.
Best of luck,
James
Albion6000Email Removed

James,

Your 'Simple Cure' did the trick. Thanks!

I tried the AdWare-CWshredder-HiJackthis cure. It didn't work. I'm desperate! This Casinopalazzo-crap is really bad!!!!!!!!!!!!! Help!!!

#56 Guest_douglasray_*

Guest_douglasray_*
  • Guests

Posted 20 July 2004 - 11:01 AM

I know it sounds naive, but in my desperation I wrote to [email protected] to inquire about this problem. Below is their resonse. I have not tried anything them mentioned.

----

Disclaimer of Casino Palazzo


This is an auto responder email from Casinopalazzo.com.

It's about the virus problems you are having. Please, read it carefully but don't reply.
------------------------

Hello

We really apologize for this big nuisance.

We represent Casinopalazzo.com as a company and they wanted to let you know the following:

"Casino Palazzo is not responsible for infecting the players" computers with viruses.

On the contrary, our policy is to please all our players by giving them all services we can provide.

We are against all kind of spam or any form of bringing traffic illegally. This is for sure due to Russian hackers among others, that got affiliated to our revenue program and that created a harmful tool to get more visits towards his sites.

You can report him to the authorities, if you consider.
Obviously, we closed his account with us and started legal actions to prosecute him.
There are 3 more but we don't know yet their URL.

Maybe they are the same person. In case you have more information about this hacker, we'd be grateful if you could pass it on.

We think that the problem comes because the trojan is now installed inside the dialer you were using when the pop-up appeared. If it's the case, we recommend you to remove that dialer to see if the pop-ups cease to appear. More about the removal of this popup:
there are several tools cleaning computers from unpleasant pop-ups. You can always download free Ad-aware 6.0 at their site www.lavasoftusa.com/support/download or any anti spy bot you can find at Google, like Spybot (s&d) by Patrick M. Kolla. Unfortunately we can't guarantee it will remove it but it's worth trying.

In case the trojan has made change your home page, you can always do the following:

1) right click on the Internet Explorer icon on your desktop.
2) Click on Properties
3) Change the url on the line for the Home Page, at the top of the page.

We have received some feedback from users that managed to get rid of this problem. We advice you to get CWShredder Version 1.59.0.
You can download it for free from http://www.spywareinfo.com/~merijn/You can also try help forums, specially http://www.cybertechhelp.com. Several people have recommended visiting their site.
Some threads seem to have ended solving the matter succesfully, as http://www.cybertech...ead.php?t=39028 and http://www.cybertech...ead.php?t=36894 or even this one regarding sexdial:
http://www.dslreport...08243~mode=flat If that helps, have a try with the tips included on the following boards too: http://www.lavasofts...36660~mode=flat
More info about how to remove this virus has come from another player. He managed to remove it by doing that but no-one can guarantee it's going to work.

We just copy below his tips:
"I've stopped most of the problem by doing the following:

In C:\Windows I have deleted:
1. usermigratedstar.bin
2. dial32.exe
3. d1dial.exe

In C:\Windows\Temp I have deleted:
1. svchost.exe
2. incredifindBHOlog.temp
3. wmetracelog.log
4. ist_install.exe

I am not advising others to do the same, but this seemed to work for me. After this I ran a number of programs, each seemed to find new things to correct.

I ran:
Spybot, Adaware Vr. 6, ScanSpyware and Register Mechanic. In each case I allowed the software to automatically perform the recommended function."

We really hope this will help you to get rid of this virus.

Sincerely

#57 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 21 July 2004 - 12:23 AM

It seems that there are many versions of the 'casinopalazzo'' pop-ups.
Mine is the pop-up window which appears after opening and closing the Internet Explorer for about 7 or 8 times. Then there is also a file created on the desktop folder.

After reading the replies, mine is similar to the one which has sex.exe file in windows\system32 folder.
Then I have searched the web, and found the solution.

Here is the copy of the solution:

********

First, make sure, there's no process named IEXPLORE.EXE running


1

Delete these files:

* C:\WINNT\system32\msacrohlp.dll
* C:\WINNT\system32\sex.exe
* C:\WINNT\system32\mscgp32.dll
* The sex-shortcut on your desktop


("WINNT" is your system root - can be "Windows" too)


And if there:

* C:\Documents and Settings\User\Local Settings\Temp\backup-{some numbers here}.dll

(has the same size as msacrohlp.dll

just a note:
The file "mscgp32.dll" has the same content as "sex.exe" - both are packed with upx


2


Delete The following Registry-Keys and all it's sub-keys:

* HKEY_CLASSES_ROOT\CLSID\{A3DFDA85-1D92-4E28-8C0C-522574ACDC8A}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcrobatIEHlpr?.AcroIEHlpObj?
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion?\Explorer\Browser Helper Objects\{A3DFDA85-1D92-4E28-8C0C-522574ACDC8A}



* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3DFDA85-1D92-4E28-8C0C-522574ACDC8A}

* HKEY_CLASSES_ROOT\AcrobatIEHlpr?.AcroIEHlpObj?

* HKEY_CLASSES_ROOT\AcrobatIEHlpr?.AcroIEHlpObj?




this looks somehow, like it would be related to Adobe Acrobat-Reader, but it is not!
Why should a dll from adobe has the following lines in it?

S D B Val ForceRemove? NoRemove? Delete CLSID TYPELIB AcrobatIEHlpr?.AcroIEHlpObj? Version Version Version \ mscgp32.dll \ sex.exe explorer.exe S D B Val


This is the original Adobe Acrobat-Stuff:

ProgID?: AcroIEHelper?.AcroIEHlprObj?
TypeLib?: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
InprocServer32?: AcroIEHelper?.ocx

I'll try to put a note to Adobe, perhaps they can take legal steps against them

#58 Guest_Zoid_*

Guest_Zoid_*
  • Guests

Posted 27 July 2004 - 08:58 AM

That worked well for me. The only problem I have now is that Internet Explorer keeps giving me the error when i try to connect "Cannot find 'file:///C:/WINNT/System32/IEsp.mht'. Adaware finds the registry entry that sets the home page as a possible hijack attempt, but removing the entry doesnt make any difference. Iv'e run Spybot and Hijack this to no avail. Any ideas?

#59 Guest_JD_*

Guest_JD_*
  • Guests

Posted 05 August 2004 - 11:01 AM

A simple cure for Casinopalazzo. It kept knocking me off line and I had to spend 5 minutes reconnecting to my Internet provider, but the CP bug appears every 8 to 10 minutes so I had an 8 minute 'window' for downloads. Sorry for being wordy but this is what I downloaded and the order in which I ran them. I got the latest version of Ad-Aware 6.181. It loaded over my older version (6.162) and found 32 bugs my older version didn't recognise.
Google.com then type CWShredder. On dial up it's a 2 minute load. Then Google again and get Hijackthis. Run Ad-Aware first. It will miss the CP bug but it really speeds up your CPU so it can handle the evasive manuvers of the bug. It replicates itself as you are deleting it.
Then run the CWShredder. Let it kill the 80 or so file paths it finds. Then run Hijackthis. It will warn you that some files it found are needed for legitimate programs. Of the 30 or so names it found I UNclicked 4 near the bottom of the page. They had to do with word processing and faxing so I left them alone. All the files it deleted went into my Norton Protected Bin so later, if I need a deleted file I can unerase. I won't empty the Norton Bin for a few months just to make sure I haven't deleted a neccessary file unrelated to the CP bug.
Ad-Aware...CWShredder...Hijackthis, in that order. I played Freecell for an hour with no Pop-Up, then I spent an hour in my favorite chatroom; no Pop-Up.
Sometimes the 'simple cure' works best, especially for non-techy people like me.
Best of luck,
James
Albion6000Email Removed

James,

Your 'Simple Cure' did the trick. Thanks!

James,
The simple fix worked great! Not only did it take care of the "Casino" start page but eliminated the desktop icon for the shortcut to "theteenporn.com". Thanks!

#60 Guest_Guest_joe_*

Guest_Guest_joe_*
  • Guests

Posted 09 August 2004 - 05:46 PM

same problem. Casinopalazzo and unwanted desktop items.

Logfile:

Logfile of HijackThis v1.97.7
Scan saved at 6:18:21 PM, on 8/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\FREESCAN\FREESCAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\UPDATES AND FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {9933A703-36F2-DAB1-4251-7976D2B07481} - C:\PROGRAM FILES\WAY VGA MPEG\FILMEGGS.DLL (file missing)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Third software this - {BAFD8EFD-5111-56F3-036D-0D0061866E1D} - C:\PROGRAM FILES\WAY VGA MPEG\FILMEGGS.DLL (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iw...etwasherpro.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7917.7335300926
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.c...ivex/web665.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab


Help Please