TheTechGuide Forum

General Category => Software => Topic started by: J. Jefferies on May 26, 2004, 09:18:17 PM

Title: casinopalazzo and coolsearch
Post by: J. Jefferies on May 26, 2004, 09:18:17 PM
I've tried everything to get rid of casinopalazzo.com popups.  Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc.  Also I keep getting coolsearch.com popups. Can you help me please

Logfile of HijackThis v1.97.7
Scan saved at 9:08:18 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\services\services.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\comp barb face\pure aim settings.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkscal.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\services\dial.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Joshua Jefferies\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Spyware Doctor\spydoctor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rhodes.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rhodes.edu
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O2 - BHO: (no name) - {52750FCA-D481-65AB-6313-7996416CD494} - C:\PROGRA~1\SOFTBU~1\twohelp.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: planmoreaudio - {FA644055-0C26-3888-ABF6-9AD1B3A674C8} - C:\PROGRA~1\SOFTBU~1\twohelp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COALSOFTWARE] C:\PROGRA~1\comp barb face\pure aim settings.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Title: casinopalazzo and coolsearch
Post by: samverner on May 29, 2004, 04:56:10 AM
Quote from J. Jefferies (May 26 2004, 08:18 PM): I've tried everything to get rid of casinopalazzo.com popups. Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc. Also I keep getting coolsearch.com popups. Can you help me please

Hello! Just delete the notepad.COM in your windows/system232 directory. I had the same problem (not being able to view the HTML source code anymore, for example) and found help in a German web forum. When I deleted the notepad.COM (not the notepad.EXE, of course), everything was right again.

Hope I have helped, Jan, Dortmund, Germany
Title: casinopalazzo and coolsearch
Post by: samverner on May 29, 2004, 04:56:59 AM
Of course I meant windows/system32!
Title: casinopalazzo and coolsearch
Post by: J. jefferies on May 29, 2004, 03:22:21 PM
How do I get to the windows/system32 directory?
Title: casinopalazzo and coolsearch
Post by: J. Jefferies on May 29, 2004, 03:34:51 PM
Never mind, I found out how to access the C:\WINDOWS\System32 Windows registry.

However, I don't have the notepad.COM file in the registry. Any other suggestions?
Title: casinopalazzo and coolsearch
Post by: JG on May 29, 2004, 04:31:48 PM
You have several things to fix with hijackthis, but first move hijackthis.exe out of the temp file and create a new folder to put it in.


Fix with hijackthis:

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe

O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

after you fix these, reboot and delete this file:

C:\WINDOWS\System32\services\services.exe

To find this file, right click on start, choose "explore", windows explorer should open.  
On the left is the directory tree, scroll down near the bottom to C:\Windows and double click "Windows" , it will open on the right. Locate a folder called System32 and open it. There should be a folder called "services" with services.exe inside. Delete the "services" folder, it should not be there.

Check the address bar to be sure you are at the right location before deleting. There is a services.exe at C:\WINDOWS\system32\services.exe; do not delete this one.

If you are unable to see the windows folders then click tools>folder options>view and choose "show hidden files and folders" > apply > ok

Run a new HijackThis log and post it.
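JG's check above (a file carrying the name of a Windows binary but sitting in the wrong directory) is the one that matters in this log, and it generalises: later logs in this thread show the same trick with a swapped character (svchos1.exe, and dIIhost.exe with capital I's standing in for l's), autostart entries pointing into Temp or Application Data, and a replaced UserInit value. The script below is an added example, not part of the original thread and not HijackThis code. It parses the O4/F1/F2 autostart lines and the running-process list of a v1.97 log and flags those four patterns. The allow-list of legitimate names and directories, the confusable-character table and the edit-distance threshold are the example's own assumptions for Windows XP; the notepad.COM process line in the sample is constructed from the first reply's description, and every other sample line is copied from logs posted in this thread.

```python
"""Triage a HijackThis 1.97 log for look-alike system binaries and risky autostarts.

Added example for this thread, not HijackThis code and not code from any poster.
The allow-list and heuristics are this example's own assumptions for Windows XP.
"""
import re

# Assumption: binaries malware likes to impersonate, each with the directories
# it legitimately lives in on XP (compared case-insensitively).
LEGIT = {
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32"},
    "rundll32.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32"},
    "notepad.exe": {r"c:\windows", r"c:\windows\system32"},
}
# An autostart entry should never point into a user-writable location.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\")
# First executable on a line: a drive-rooted path (spaces allowed, ends at the
# first .exe/.com) or a bare name such as "dIIhost.exe".
EXE_RE = re.compile(r'([a-z]:\\[^"\r\n]*?\.(?:exe|com)|[\w~.\-]+\.(?:exe|com))', re.I)
# Characters swapped in to fake a system name: capital I or 1 for l, 0 for o.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def fold(name):
    """Lower-case a file name and collapse confusable characters."""
    return name.lower().translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance; catches one-character swaps such as svchos1/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(line):
    """Return (reason, exe) for a suspicious autostart/process line, else None."""
    tag = line[:2].upper()
    if tag not in ("O4", "F1", "F2") and not re.match(r"[a-z]:\\", line, re.I):
        return None  # only autostart entries and the running-process list
    m = EXE_RE.search(line)
    if not m:
        return None
    exe = m.group(1)
    directory, _, name = exe.rpartition("\\")
    directory = directory.lower()
    stem = fold(name)[:-4]  # drop ".exe" / ".com"
    if "userinit=" in line.lower() and name.lower() != "userinit.exe":
        return ("userinit-replaced", exe)  # F2 line: logon hook hijacked
    if any(marker in directory + "\\" for marker in USER_WRITABLE):
        return ("user-writable-dir", exe)
    for legit, legit_dirs in LEGIT.items():
        if edit_distance(stem, fold(legit)[:-4]) > 1:
            continue
        if name.lower() != legit:  # svchos1.exe, dIIhost.exe, notepad.COM
            return ("look-alike-name", exe)
        if directory and directory not in legit_dirs:
            return ("wrong-directory", exe)  # e.g. System32\services\services.exe
    return None


def triage(log_text):
    """Run classify() over every line; returns [(reason, exe), ...] in log order."""
    return [v for v in (classify(ln.strip()) for ln in log_text.splitlines()) if v]


# Lines copied from the logs in this thread, plus one constructed notepad.COM
# process line standing in for the case the first reply describes.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\services\services.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\notepad.COM
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - HKLM\..\Run: [iConfigLoader] dIIhost.exe
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [Service] C:\DOCUME~1\Velgos\LOCALS~1\Temp\taskmon.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
"""

if __name__ == "__main__":
    for reason, exe in triage(SAMPLE_LOG):
        print(f"{reason:18} {exe}")
```

A hit is a pointer to look at, not a verdict: the HijackThis copy running from a Temp directory in the first log would be flagged too, which is exactly why JG's first instruction was to move it out of there. The real services.exe in C:\WINDOWS\system32 and the bare RUNDLL32.EXE entries pass, while the copy in System32\services, the one-character fakes and the Temp/Application Data autostarts do not. As JG says, confirm the full path in Explorer's address bar before deleting anything.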
Title: casinopalazzo and coolsearch
Post by: Guest on May 30, 2004, 02:47:50 PM
I fixed everything that I could (I couldn't find two of the files). Here is the new HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 2:58:28 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMPBA~1\pure aim settings.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Joshua Jefferies\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rhodes.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rhodes.edu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {52750FCA-D481-65AB-6313-7996416CD494} - C:\PROGRA~1\SOFTBU~1\twohelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COALSOFTWARE] C:\PROGRA~1\COMPBA~1\pure aim settings.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Title: casinopalazzo and coolsearch
Post by: JG on May 30, 2004, 05:37:15 PM
I don't see anything remaining, at least that I recognize. Did you get rid of the popups?


Which files did you not find?  If it's C:\WINDOWS\System32\services\services.exe it's no longer running after deleting the run keys.

I would still run a search for it in explorer.
right click start>explore all users, click the search icon and paste in the search box:
C:\WINDOWS\System32\services\services.exe

If you find it check the full file path in the address bar to make sure it's the right one and delete the part in bold
Title: casinopalazzo and coolsearch
Post by: Velg on June 02, 2004, 07:51:48 PM
I have exactly the same problem and no other tech forum could help me; perhaps you will...

Here is my log :/

Logfile of HijackThis v1.97.7
Scan saved at 03:03:35, on 03/06/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RUNDLLS.EXE
C:\DOCUME~1\Velgos\LOCALS~1\Temp\taskmon.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\MyIE2\MyIE.exe
C:\Documents and Settings\Velgos\Mes documents\Fichiers Anti-Spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD.BIZ/search.htm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Ring World
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sarbian.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - C:\Program Files\Open Site\opnste.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [iConfigLoader] dIIhost.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] C:\WINDOWS\RUNDLLS.EXE
O4 - HKLM\..\Run: [Wupdate driver] WUPDADTE.EXE
O4 - HKLM\..\Run: [Service] C:\DOCUME~1\Velgos\LOCALS~1\Temp\taskmon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\RunServices: [iConfigLoader] dIIhost.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Tout télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Télécharger en utilisant FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O14 - IERESET.INF: START_PAGE_URL=http://freebox.free.fr/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37976.396412037
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/UCSearch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD32C828-475C-4AFF-A9F6-48C95C54A082}: NameServer = 192.168.0.2,194.117.200.10

Any clue?
Title: casinopalazzo and coolsearch
Post by: sudhir kashyap on June 03, 2004, 08:44:31 AM
I have the same problem with casinoplaza.
I do not have notepad.com on my PC.
Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 7:20:54 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchos1.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\PROGRA~1\HEWLET~1\DIGITA~1\Unload\hpqcmon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnd.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\ps2.exe
C:\DOCUME~1\Owner\APPLIC~1\eber.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\WININE~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\TE2E7C~1.ZIP\HIJACK~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1003F7F9-483F-421E-A3CF-8291E1956FD8} - C:\WINDOWS\System32\phticons.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {5FA015AF-B1AE-41CA-B75C-5562DABC8B1D} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6862A22-1DD6-11D3-BB7C-444553540000} - http://www.portalsearching.com/BHO.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CE05DA0-0A77-429A-983E-E8DD1E5B36AD}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA9859B5-E0C4-484E-B988-63C690CA9ADA}: NameServer = 202.56.215.6 202.56.230.6

That is the output from hijackthis.exe. Please help.
Title: casinopalazzo and coolsearch
Post by: they got me on June 03, 2004, 09:10:51 AM
I don't really care about being hijacked anymore... I just want to know where these people live so I can put parasites underneath their eyelids, and in other places I won't mention here.

I just got the casino bug, and already removed the myexex thing that someone else posted above. I also noticed that Norton AntiVirus (Symantec) removed one of those password/keystroke recorders about two weeks ago. My problems started around that time.

Basically, my approach is going to be to reinstall Windows, and be much more careful about sites I visit in the future. That seems to be the only option until IE gets fixed. I may even consider using a non-IE browser. Too bad, because IE is easy to use, but people with bad intentions are making the world a harder place to do business in.
Title: casinopalazzo and coolsearch
Post by: ajl on June 03, 2004, 11:43:51 AM
I also have a problem with this darn casinopalazzo mess. I've been at this for days and would appreciate some advice on what to do with the HijackThis logfile below.

Logfile of HijackThis v1.97.7
Scan saved at 6:38:40 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINDOWS\runwin32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\MiniMavis.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Andrew Lewis\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = About:Blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINDOWS\DOWNLO~1\mqgold1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Personal Coach.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 15\MiniMavis.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7b77298065d0b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kontiki/kontiki/current/kdx.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab

Thank you
Title: casinopalazzo and coolsearch
Post by: douglasray on June 03, 2004, 11:48:55 AM
As of two days ago, I too have the same problem with the casinopalazzo popup.
I do not have notepad.com on my system (Win98) either. I deleted cookies and still the popup remains (although I can no longer access several important websites!). I then ran Spybot and deleted the "real threats," but this did not get rid of casinopalazzo. I would appreciate any suggestions.
Title: casinopalazzo and coolsearch
Post by: Guest_Darren on June 03, 2004, 12:10:25 PM
I noticed in a couple of the logs there's a process running...

LVCOMSX.EXE

This is a virus.  Google it and you'll see.  This may be reinstalling the spyware after each attempt to clean it.

The best thing to do is run an antivirus scan, an adware/spyware scan and HijackThis, but also make sure you check each and every process running in Task Manager and in Services to see if there's a bad guy in there, because those background tasks and services will reinstall crap every chance they get... and worse.

Hope that helps
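Added example, not code from Darren or anyone else in this thread: a small Python triage script that applies the advice above (look at every autorun entry and loaded component yourself, not just what the scanner names) to the HijackThis lines directly. It knows no malware by name; it flags structural red flags that are visible in the logs posted here: an IE proxy pointing at 127.0.0.1, a start page set to a local file, a win.ini run= entry, an unnamed BHO loaded from outside Program Files, a core-system filename such as services.exe running from somewhere other than System32, an executable dropped straight into C:\WINDOWS or into a new subfolder of System32, Trusted Zone entries (a raw IP especially), and O16 ActiveX downloads that use ms-its: or file:// instead of http. The sample lines are copied from the logs in this thread; the severities and heuristics are the example's own, and "review" hits are frequently legitimate OEM tools, so each one still needs a human look.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the HijackThis logs posted
# in this thread, not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\IEsp.mht
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.spywarenuker.com
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://hard-virgins.com/dkvaget/x.chm::/load.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
PATH_RE = re.compile(r'"?([a-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|vbs|bat))', re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Core binaries that belong only in %SystemRoot%\System32; reusing their names
# makes a malicious process blend into the Task Manager list.
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "smss.exe", "csrss.exe"}

@dataclass
class Finding:
    severity: str   # "high": strong indicator; "review": worth a look, may be legitimate
    reason: str
    line: str

Verdict = Optional[Tuple[str, str]]

def _check_executable(path: str) -> Verdict:
    directory, _, name = path.lower().replace("/", "\\").rpartition("\\")
    if name in SYSTEM_BINARIES and not directory.endswith("\\windows\\system32"):
        return "high", f"{name} running from {directory} (name mimics a core system binary)"
    m = re.match(r"[a-z]:\\windows(?:\\(.*))?$", directory)
    if m:
        sub = m.group(1) or ""
        if sub == "":
            return "review", "executable placed directly in the Windows directory"
        if sub.startswith("system32\\") and not sub.startswith("system32\\spool\\"):
            return "review", "executable in a subfolder created under System32"
    return None

def _check_r(rest: str) -> Verdict:
    key, sep, value = rest.partition(" = ")
    if not sep:
        return None
    if "ProxyServer" in key and re.match(r"(127\.0\.0\.1|localhost)\b", value):
        return "high", "IE proxy is the local machine: all browsing goes through a local process"
    if re.match(r"[a-z]:\\", value, re.I):
        return "review", "start/search page set to a local file instead of a URL"
    return None

def _check_o2(rest: str) -> Verdict:
    parts = rest.split(" - ")
    path = parts[-1]
    if len(parts) < 3 or path.startswith("("):
        return None   # "(no file)": orphaned registration, clean-up rather than triage
    if "(no name)" in parts[0] and not re.search(r"program files|progra~1", path, re.I):
        return "review", "unnamed BHO loaded from outside Program Files"
    return None

def _check_o4(rest: str) -> Verdict:
    m = PATH_RE.search(rest)
    return _check_executable(m.group(1)) if m else None

def _check_o15(rest: str) -> Verdict:
    if IP_RE.search(rest):
        return "high", "Trusted Zone entry for a raw IP address"
    return "review", "site added to the IE Trusted Zone (relaxed security settings)"

def _check_o16(rest: str) -> Verdict:
    url = rest.rsplit(" - ", 1)[-1]
    scheme = url.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        return "high", f"ActiveX download via {scheme}: (local file or help-file path, not a web server)"
    return None

CHECKS = {
    "R": _check_r,
    "F": lambda _rest: ("high", "win.ini run= autostart (legacy mechanism, rarely used by legitimate software on XP)"),
    "O2": _check_o2, "O4": _check_o4, "O15": _check_o15, "O16": _check_o16,
}

def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # header, process list, blank line
        kind, rest = m.groups()
        check = CHECKS.get(kind if kind.startswith("O") else kind[0])
        verdict = check(rest) if check else None
        if verdict:
            findings.append(Finding(verdict[0], verdict[1], raw.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a full log by passing the file contents to triage(); the process list and O3/O8/O9 lines are ignored on purpose, since the rules above only cover entry types where a path or URL gives the heuristic something to work with.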
Title: casinopalazzo and coolsearch
Post by: George Landers on June 04, 2004, 02:21:51 AM
[quote name='J. Jefferies' date='May 26 2004, 08:18 PM']I've tried everything to get rid of casinopalazzo.com popups.  Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc.  Also I keep getting coolsearch.com popups. Can you help me please

Logfile of HijackThis v1.97.7
Scan saved at 9:08:18 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\services\services.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\comp barb face\pure aim settings.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkscal.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\services\dial.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Joshua Jefferies\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Spyware Doctor\spydoctor.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rhodes.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rhodes.edu
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\services.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\udpmod.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll (file missing)
O2 - BHO: (no name) - {52750FCA-D481-65AB-6313-7996416CD494} - C:\PROGRA~1\SOFTBU~1\twohelp.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: planmoreaudio - {FA644055-0C26-3888-ABF6-9AD1B3A674C8} - C:\PROGRA~1\SOFTBU~1\twohelp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COALSOFTWARE] C:\PROGRA~1\comp barb face\pure aim settings.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\services.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/quote]
Try this; it seems to work so far.
Start > Run > type in Regedit > click OK > at the top of the window click EDIT > click FIND > type in www.casinopalazzo > click Find Next.
NOTE: make sure My Computer is highlighted before you click FIND NEXT. Windows searches the Registry from the highlighted point, so if anything other than My Computer is highlighted, that's where the search will begin.
WARNING: be damn careful when you do any editing in the Registry. DO NOT delete the folder; delete what's in the folder.
If you find one, delete it, then click EDIT > FIND NEXT until Windows tells you it has searched through the Registry and found no more.

Also, do a FIND for these files
1. casinopalazzo--without the WWW.
2. nhlgba
3. DC431
4. spywarenuker.com
5. vn.msie.tv

Also do a Windows search for these files.
1. nhlgba.dll
2. DC431.dll
3. spywarenuker
4. vn.msie.tv

I hope this is of help to you. Good luck.
George
[email protected]
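Added example, not part of George's post: the same search done offline. Instead of clicking Find Next through regedit, export the hives first (regedit /e hkcu.reg HKEY_CURRENT_USER, or reg export HKCU hkcu.reg on XP; the export is UTF-16, so open it with encoding="utf-16") and let a script list every key path, value name and string value that contains one of the terms George lists. Each hit shows the key and, where it applies, the value name, so you can delete the value rather than the whole key, as the post warns. The sample export below is constructed for this example and modelled on entries from the logs in this thread (the ZoneMap entry is where the O15 Trusted Zone lines live); it is not a real export. Caveat: REG_BINARY and hex(2)/hex(7) data are kept as their hex text and not decoded, so a string stored that way would be missed.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample in regedit "Windows Registry Editor Version 5.00" format,
# modelled on the R0/O4/O2/O15 lines in the logs above. Not a real export.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.rhodes.edu"
"Start Page_bak"="About:Blank"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"xpsystem"="C:\\WINDOWS\\System32\\services\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.casinopalazzo.com/"
"url2"="http://www.google.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spywarenuker.com]
"*"=dword:00000002

[HKEY_CLASSES_ROOT\CLSID\{52750FCA-D481-65AB-6313-7996416CD494}\InprocServer32]
@="C:\\PROGRA~1\\SOFTBU~1\\twohelp.dll"
"ThreadingModel"="Apartment"
'''

# The terms from George's post above.
SEARCH_TERMS = ["casinopalazzo", "spywarenuker", "nhlgba", "DC431", "vn.msie.tv"]

# "name"=data  or  @=data  (the default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

@dataclass
class Hit:
    term: str
    key: str
    value_name: Optional[str]   # None when the term matched the key path itself
    data: Optional[str]

def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text: str) -> Iterator[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (key, None, None) for each key header and (key, name, data) for each
    value. Quoted string data is unescaped; dword/hex data is kept as its text,
    with multi-line hex continuations (trailing backslash) joined first."""
    key = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1].lstrip("-")   # "[-HKEY...]" is the delete-key form
            yield key, None, None
            continue
        if line[-1] == "\\":
            pending = line[:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, name, data

def search_export(text: str, terms: List[str]) -> List[Hit]:
    """Case-insensitive substring search over key paths, value names and data."""
    hits = []
    for key, name, data in parse_reg_export(text):
        for term in terms:
            t = term.lower()
            if name is None:
                if t in key.lower():
                    hits.append(Hit(term, key, None, None))
            elif t in name.lower() or t in data.lower():
                hits.append(Hit(term, key, name, data))
    return hits

if __name__ == "__main__":
    for h in search_export(SAMPLE_EXPORT, SEARCH_TERMS):
        where = "key itself" if h.value_name is None else f"value {h.value_name!r} = {h.data!r}"
        print(f"{h.term}: [{h.key}] -> {where}")
```

To use it on a real machine, replace SAMPLE_EXPORT with the contents of the exported .reg file (open(path, encoding="utf-16").read()) and extend SEARCH_TERMS with whatever the popups and desktop icons reference; review each hit in regedit before deleting anything.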
Title: casinopalazzo and coolsearch
Post by: George Landers on June 04, 2004, 02:54:50 AM
[quote name='J. Jefferies' date='May 26 2004, 08:18 PM']I've tried everything to get rid of casinopalazzo.com popups.  Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc.  Also I keep getting coolsearch.com popups. Can you help me please[/quote]
This is what I believe is happening with the www.casinopalazzo.com bug.
1. The person who started www.spywarenuker.com sent out the Casinopalazzo bug to infect everyone's computer.
2. Then Spywarenuker pops up one of their ads to buy their software to remove the ad they put on your computer in the first place. This is computer telemarketing. Ever since I had the casinopalazzo bug on my PC I also had spywarenuker. DO NOT buy this software.

If you need spyware remover software, go to these web sites.
1. www.Download.com
2. ZDnet.com
You can get all the software you want for free.

Good Luck
George
[email protected]
Title: casinopalazzo and coolsearch
Post by: Guest on June 04, 2004, 08:40:20 AM
I have casinopalazzo pop up

here is my log file
can you help me out ???!!!

Logfile of HijackThis v1.97.7
Scan saved at 8:48:40 AM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\mess.exe
C:\WINDOWS\System32\taskngr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\gcirulis\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://*.nuker.com
O15 - Trusted Zone: http://*.spywarenuker.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
Title: casinopalazzo and coolsearch
Post by: Han on June 05, 2004, 10:15:25 AM
hello there:
I also have had the same prob for the past 2 days. I downloaded Spyware, Adware, HijackThis and Spybot to figure out how to fix this casinopalazzo.com... but can't... this page pops up when I open my IE (which has automatically been set to C:\WINDOWS\system32\IEsp.mht).
When I try to change it to blank or another homepage, it won't change, and I also tried deleting the file ...\system32\IEsp.mht, but it re-appears.
I cannot find out what is causing it to generate IEsp.mht.

I cannot find any ...\system32\services\services.exe to delete. Please advise; here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:27:05 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Asraf.IIUM-LABTOP\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\IEsp.mht
O2 - BHO: (no name) - {0B519E07-7824-4adc-8890-93D5EABBF285} - C:\WINDOWS\System32\msadocm32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A3DFDA85-1D92-4E28-8C0C-522574ACDC8A} - C:\WINDOWS\System32\msacrohlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nhkjhh] "C:\WINDOWS\System32\nhkjhh.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks for the help
Title: casinopalazzo and coolsearch
Post by: Guest on June 06, 2004, 11:25:42 PM
A simple cure for Casinopalazzo. It kept knocking me off line and I had to spend 5 minutes reconnecting to my Internet provider, but the CP bug appears every 8 to 10 minutes so I had an 8 minute 'window' for downloads. Sorry for being wordy but this is what I downloaded and the order in which I ran them. I got the latest version of Ad-Aware 6.181. It loaded over my older version (6.162) and found 32 bugs my older version didn't recognise.
Google.com then type CWShredder. On dial up it's a 2 minute load. Then Google again and get Hijackthis. Run Ad-Aware first. It will miss the CP bug but it really speeds up your CPU so it can handle the evasive maneuvers of the bug. It replicates itself as you are deleting it.
Then run the CWShredder. Let it kill the 80 or so file paths it finds. Then run Hijackthis. It will warn you that some files it found are needed for legitimate programs. Of the 30 or so names it found I UNclicked 4 near the bottom of the page. They had to do with word processing and faxing so I left them alone. All the files it deleted went into my Norton Protected Bin so later, if I need a deleted file I can unerase. I won't empty the Norton Bin for a few months just to make sure I haven't deleted a necessary file unrelated to the CP bug.
Ad-Aware...CWShredder...Hijackthis, in that order. I played Freecell for an hour with no Pop-Up, then I spent an hour in my favorite chatroom; no Pop-Up.
Sometimes the 'simple cure' works best, especially for non-techy people like me.
Best of luck,
James
Albion6000 [email removed]
Title: casinopalazzo and coolsearch
Post by: Guest on June 07, 2004, 07:58:27 PM
:D James, Thanks for the hint, after many days of trying, your "trio" worked immediately.
I run on Win 98.
André
Title: casinopalazzo and coolsearch
Post by: JeRzy on June 08, 2004, 07:54:33 PM
I have been fighting with Casino Palazzo for couple of days and it seems that I have finally found the solution.

1. Download free program named "Spybot - Search&Destroy". It is anti-spyware/adware/anyothercrapware utility.
2. Run it, get the updates and check for problems. Remove the problems.
3. Enter "Tools" menu in the program.
4. Enter "System Startup" in the "Tools" menu.
5. Read carefully what programs are started with your Windows. You can disable or even delete the ones which are not supposed to be there.
6. In case of Casino Palazzo, most probably, you should disable (or delete) the program qttasks.exe. It is a QuickTime-related program which runs the scheduled tasks - in this case, the task is to add the icon to your desktop and to change your start page. It seems that CWS and other hijackers, including Casino Palazzo, use it to respawn.
7. Enter "Tools" again and then enter "IE Tweaks".
8. You can lock your start page (and other settings) against changes.

I hope this instruction will be helpful. Good luck!
Title: casinopalazzo and coolsearch
Post by: Alex, Germany on June 10, 2004, 11:03:37 AM
Hi there,

I had also the problem with CasinoPalazzo. It took about 2 weeks or more to get rid of it. I tried also Ad-Aware, CWSShredder Spybot S&D and HiJackThis but CP was still on my pc. :angry:

I found that every time the popup shows up, a ????.dat file (? means a letter from a-z) was generated in this folder:
c:\dokumente und einstellungen\alex\lokale einstellungen\temp
I guess on english machines the tree looks like this:
c:\documents and settings\username\local settings\temp

Also a copy of this file was generated in c:\windows\prefetch and was changed into a file with a *.pf extension, but the ????.dat string was still visible in the filename. But anyway, also removing all the dat files didn't bring the breakthrough.

I have WinXP and am running several profiles on my pc for my family members. I found that it's important to log in to each profile and repeat all the steps with ad-aware and cwsshredder and so on.

I found also an entry in the registry in a section called "whitelist" which is part of the google toolbar. A URL (vu-games.com) was entered. I removed it manually. Finally I deinstalled google toolbar to make sure, that this is not the leak. The CasinoPalazzo popup still appears after this.

I did an online scan with Norton Antivirus (directly executed from the Norton website). It found a trojan in the file wmplayer.exe.tmp and deleted the file. I'm not sure, but I think Norton told me that the name of the trojan is noran.trojan.

I don't know what of my actions solved the problem finally. But scanning the system with Norton was one of my last actions. Also using ad-aware and cwsshredder again and again.

One more hint:
My CP-bug appeared directly after I had problems with a hijacker called www.myexexex.com. All searchpage and startpage entries in the registry were renamed to this URL. After installing Spybot Search&Destroy the "teatimer.exe" gave me a message, that an *.exe file is trying to make an entry in the registry in one of the runonce-sections. I found this file in my Temporary Internet Files folder. To delete this file I logged into another profile. When you are logged into your own profile, not all temporary internet files are visible to you.

I hope this is a valuable information for some of you and will help you to get rid of this [censored].

Greetings from Germany
Alex
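Alex's observation above (a four-letter ????.dat file dropped into the user's Temp folder with every popup, and a copy of that name surviving in C:\WINDOWS\Prefetch as a .pf file) is worth turning into a check, because the Prefetch trace outlives the dropper itself. The script below is an added example for this thread, not code from any post: the file listings in it are constructed, the Prefetch naming pattern NAME.EXT-XXXXXXXX.pf is an assumption stated in the code, and `find_dat_droppers` / `scan_live` are names chosen here.

```python
"""Match short-named .dat droppers in %TEMP% against their Windows Prefetch traces.

Added example for this thread (not from any post); the file lists below are
constructed. It follows Alex's observation: each popup wrote a ????.dat
file to the user's Temp folder and Windows Prefetch kept a copy of the name
in a .pf file, which survives even after the .dat itself is deleted.
"""
import os
import re

# Four letters plus .dat, as Alex described.
DAT_RE = re.compile(r"^[a-z]{4}\.dat$", re.IGNORECASE)
# Assumed Prefetch naming: NAME.EXT-XXXXXXXX.pf, where X is a hex digit.
PF_RE = re.compile(r"^([a-z]{4}\.dat)-[0-9a-f]{8}\.pf$", re.IGNORECASE)


def find_dat_droppers(temp_names, prefetch_names):
    """Return {dropper name (lower-case): [matching prefetch files]}.

    Prefetch entries with no surviving .dat are reported too, because the
    trace is the evidence that the dropper ran even after clean-up removed it.
    """
    traces = {}
    for pf in prefetch_names:
        m = PF_RE.match(pf)
        if m:
            traces.setdefault(m.group(1).lower(), []).append(pf)
    result = {}
    for name in temp_names:
        if DAT_RE.match(name):
            result[name.lower()] = traces.get(name.lower(), [])
    for dropper, pfs in traces.items():
        result.setdefault(dropper, pfs)
    return result


def scan_live():
    """Run the matcher against this machine's Temp and Prefetch folders (Windows only)."""
    temp_dir = os.environ.get("TEMP", "")
    prefetch_dir = os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), "Prefetch")
    try:
        return find_dat_droppers(os.listdir(temp_dir), os.listdir(prefetch_dir))
    except OSError:
        return {}


# Constructed listings: one dropper still present, one already deleted from Temp.
SAMPLE_TEMP = ["abcd.dat", "wmplayer.exe.tmp", "~DF1234.tmp"]
SAMPLE_PREFETCH = ["ABCD.DAT-3F2A1B0C.pf", "QRST.DAT-00112233.pf", "NOTEPAD.EXE-ABCDEF01.pf"]

if __name__ == "__main__":
    for dropper, pfs in sorted(find_dat_droppers(SAMPLE_TEMP, SAMPLE_PREFETCH).items()):
        print(dropper, "->", pfs or "no prefetch trace")
```

On the constructed listings it reports abcd.dat with its Prefetch file and qrst.dat from the Prefetch trace alone, which is exactly the case Alex ran into: deleting the .dat files does not remove the evidence, and the Prefetch name tells you what ran. As Alex also notes, each user profile has its own Temp folder, so `scan_live` has to be run from each profile.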
Title: casinopalazzo and coolsearch
Post by: BJM on June 10, 2004, 02:33:24 PM
[quote name='samverner' date='May 29 2004, 03:56 AM'][quote name='J. Jefferies' date='May 26 2004, 08:18 PM'] I've tried everything to get rid of casinopalazzo.com popups.  Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc.  Also I keep getting coolsearch.com popups. Can you help me please[/quote]
Hello! Just delete the notepad.COM in your windows/system32 directory. I had the same problem (not being able to view the HTML sourcecode anymore, for example) and found help in a German web forum. When I deleted the notepad.COM (not the notepad.EXE, of course), everything is right again.

Hope I have helped, Jan, Dortmund, Germany [/quote]
Jan,

I've had the same problem with this pop-up and had indeed this notepad.com file on my system (win2k). Btw to remove it I did have to use the task manager to end the process, it cannot be search. Your tip seems to have helped because this casinopalazzo pop-up (and others) doesn't appear anymore. So, thanks for the tip!

Bert

PS Are there more files that should be deleted?
Title: casinopalazzo and coolsearch
Post by: BJM on June 10, 2004, 02:36:12 PM
[quote name='BJM' date='Jun 10 2004, 01:33 PM'][quote name='samverner' date='May 29 2004, 03:56 AM'] [quote name='J. Jefferies' date='May 26 2004, 08:18 PM'] I've tried everything to get rid of casinopalazzo.com popups.  Each time it pops up, the site leaves a desktop icon on my computer with names such as "sex," "XXX hardcore," etc.  Also I keep getting coolsearch.com popups. Can you help me please[/quote]
Hello! Just delete the notepad.COM in your windows/system32 directory. I had the same problem (not being able to view the HTML sourcecode anymore, for example) and found help in a German web forum. When I deleted the notepad.COM (not the notepad.EXE, of course), everything is right again.

Hope I have helped, Jan, Dortmund, Germany [/quote]
Jan,

I've had the same problem with this pop-up and had indeed this notepad.com file on my system (win2k). Btw to remove it I did have to use the task manager to end the process, it cannot be search. Your tip seems to have helped because this casinopalazzo pop-up (and others) doesn't appear anymore. So, thanks for the tip!

Bert

PS Are there more files that should be deleted? [/quote]
Oops, sorry I meant to write:
it cannot be deleted when it's active.
Title: casinopalazzo and coolsearch
Post by: [email protected] on June 13, 2004, 01:18:19 AM
Cool Search is now classified as a trojan by most AV companies.

Follow this link for CS Shredder, I scanned this with NAV and it appears to have worked for win ME and XP home.

www.securityworm.com/software/homepc/adware/cwshredder--remove-coolsearch.html

You may need to reinstall Windows Media Player after this is run..
Title: casinopalazzo and coolsearch
Post by: gustone on June 16, 2004, 06:25:21 AM
please I need help. every time I start windows casinopalazzo appears and an "on-line show" icon is installed on desktop. I have tried many things but the problem still remains. Please HELP

Logfile of HijackThis v1.97.7
Scan saved at 2:36:21 µµ, on 16/6/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mshdss.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regmon.exe
C:\WINNT\system32\msict.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crm.artisys.gr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [regmon] C:\WINNT\system32\regmon.exe
O4 - HKLM\..\Run: [msict] C:\WINNT\system32\msict.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = artisys.dns
O17 - HKLM\System\CCS\Services\Tcpip\..\{C612D2A6-1CCA-4D05-99CD-3A62156DF595}: NameServer = 193.92.150.3,194.219.227.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = artisys.dns
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = artisys.dns
Title: casinopalazzo and coolsearch
Post by: Neville on June 16, 2004, 08:22:31 AM
Hi to solve the Casinopalazzo problem I noticed a file called ####.dat in the process window of the task manager in XP. I searched for this file and found it in the temp directory. I deleted the whole temp directory and I don't seem to have a problem now.
Title: casinopalazzo and coolsearch
Post by: gustone on June 16, 2004, 11:22:01 AM
the main problem seems to be that there is a file "on-line.exe" which starts on the task manager and then disappears, which installs the icon on my desktop. Although I have tried to find the file, this seems impossible. If anyone knows where it is and how to delete it, that would be excellent
Title: casinopalazzo and coolsearch
Post by: Guest_Bill on June 18, 2004, 07:55:12 AM
I read through several forums on the problem for Casinopalazzo. When I would start my pc, my browser would open automatically, going to the casinopalazzo page, and creating the sex icon on my desktop.  After trying several of the suggestions, I finally went through the files in my windows directory.  I found one called sex.exe.  I deleted that file, when I next booted up, the auto launch of my browser did not occur, and has not since attempted to access the casinopalazzo site.  Find that file, in my case, sex.exe, delete it, and the problem will go away.
Title: casinopalazzo and coolsearch
Post by: Jake on June 23, 2004, 03:53:46 PM
for XP go to control panel -> other control panel options -> Java Plugin and one of the tabs is browser, uncheck IE...voila - fixed!  (well, at least for me :D)
Title: casinopalazzo and coolsearch
Post by: jihad on June 24, 2004, 06:22:36 PM
I don't know if it has anything to do with CasinoPalazzo,
there's a file called web.exe, try renaming it to web.ex_ or deleting it...
dunno
Title: casinopalazzo and coolsearch
Post by: Taps on June 25, 2004, 05:23:20 AM
Hello there, I got this casinopalazzo stuff one week ago. I've tried to search for casinopalazzo in the registry, but it only appears in the "typed urls" folder, as I typed it to email the site's support (they haven't replied...). No notepad.com either. I've also tried Jerzy's solution with Spybot Search and Destroy (actually the BEST anti spyware I've tried, my pc is really cleaner now). The casinopalazzo page opened when I tried to open a file with notepad. Now the casinopalazzo page doesn't launch any more, but notepad cannot be executed, and the "pleasure zone" icon is still being created.
Thanks for your help.
Title: casinopalazzo and coolsearch
Post by: Taps on June 25, 2004, 01:00:49 PM
the casinopalazzo page is still launched :((((((
Title: casinopalazzo and coolsearch
Post by: Kermit Dudley on June 26, 2004, 12:16:41 AM
felt compelled to share this, I don't claim that it will work for you, but I did a scan with ad-aware's latest file (but I didn't use spybot cwshredder or hijack - just trusty ole adaware) it found nothing, but

C:\Documents and Settings\User\.jpi_cache\jar\1.0

I found some very nasty stuff, including web.exe but it was in a ZIP FILE!  so this may be the problem or at least this should point us in the right direction, it appears to be a java-related exploit. The troubling thing is that I'm behind a firewall, all my windows updates were taken, so my java-machine should be secure. Another disappointment thanks to Microsoft. When I ran web.exe a smut site came up, asked me if I wanted to install more smut-ware, and all my IE windows started to revert to smut sites.

Oh one more thing about CasinoPalazzo, that model that appears on the right side of the pic is actually a guy, look closely at the neck - women's shoulders form a right-angle at the neck, men's arch upward :lol:
Title: casinopalazzo and coolsearch
Post by: Taps on June 26, 2004, 08:21:48 AM
I've noticed this, the model is really horrible. I wonder how people can build such sites, do they think ppl are going to trust their filthy flash games?
Title: casinopalazzo and coolsearch
Post by: Allen on June 26, 2004, 07:38:45 PM
Sorry, I didn't know how to post a message so I ended up starting a new topic.  So forgive me if you see this same post somewhere else.  But I've done a hijackthis scan and please advise me what processes to kill.  I am not sure how hijackthis works.  But I am fighting casinopalazzo pop-ups.

Logfile of HijackThis v1.97.7
Scan saved at 5:38:20 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\POP\PopFilter.exe
C:\WINDOWS\System32\taskngr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Allen1\My Documents\My Music\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Allow Popups - C:\Program Files\POP\WhiteGetUrl.js
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Toggle Image (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05b1dbc4cc2aa1876505/netzip/RdxIE601.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37922.8925694444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver/generic/wtwdinst.cab
Title: casinopalazzo and coolsearch
Post by: Guest_Dan on June 26, 2004, 11:14:59 PM
I think one important item that has been missed and may explain why some removal techniques aren't working is the possibility that some of you may be using Windows XP or ME. These OS's may need to have their system restore disabled in order for the cleansing to take effect.

I just put a new install of XP on a system and did some browsing to test the network connections.. wandered into some bad sites and got hammered as I had yet to apply any antivirus and patches or disable java script. I picked up the CoolWeb, Casino, auto dialer, a couple browser jacks, and a couple bugs...it was friggin ugly... couldn't even browse. I installed SpyBot, Adaware, CWShredder, Anti-CWshredder killer (some CoolWeb baddies can work around CWshredder), Hijack This and McAfee antivirus.

Try booting into safe mode and disabling the system restore. Run antivirus and then SpyBot, Adaware, CWshredder Killer and CWshredder, and Hijack This. Now be sure to go into the "advanced options" on these programs when available as the "standard" scans may not find everything. I found this especially true with the antivirus as I had to set it to scan for "potentially unwanted" and "joke programs" in order to find some of them. I found crap all through the registry, system32, Docs & settings, programs folder, and even a few more in C:\  that none of the programs detected- the bastards were breeding like rabbits.

You will find that you may not be able to delete some files as they are in use- quarantine them and set it to delete them after reboot (try using explorer to reach the location and manually delete them first). I noticed that additional items were created and installed upon reboot (especially in the registry) and it took three times of performing the above steps to finally rid myself of everything- you may have to manually delete registry settings each time as well.

Hopefully you guys won't have it as bad as I did, but if you have XP and do not disable the system restore before cleaning, you might just be killing time.
Title: casinopalazzo and coolsearch
Post by: Kermit Dudley on June 27, 2004, 10:00:10 PM
Hey guys, I think I got it. this whole problem is caused by the version of coolwebsearch known as cws.yexe

I am running XP pro and have had a very difficult time removing it, but I *tentatively* think I got it. My version was running itself as services.exe, but it was NOT located in c:\windows\system32\system\  it WAS located in c:\windows\inetdata\services.exe CAUTION, if you are a newbie, BE VERY CAREFUL, DO NOT DELETE C:\WINDOWS\SYSTEM32\SERVICES.EXE THIS WILL WRECK YOUR SYSTEM. They do this on purpose.  Start task manager and view running processes. Sort by process name, then look for services.exe, I guarantee you will have at least ONE entry, but if yours is infected like mine was, you will have TWO, one that says services.exe and the next column will say SYSTEM, then another services.exe process will have a column that says *user* for whatever your login name is, THIS IS CWSHREDDER, but don't try killing it because it won't let you.


to remove it from XP,

1) download cwshredder, put it on your desk top

2) unplug your ethernet cable or phone line so it's NOT PHYSICALLY POSSIBLE to access the internet. (I don't know if this is necessary or not, but this is what I did, since it may be able to download itself again, but this way guarantees it's not possible. If you're really paranoid, go into IE and delete your temporary internet files)

3) restart computer, right before it gets ready to boot, hit F8 a few times, and boot into SAFE MODE

4) run cwshredder, it should find cws.yexe or cws.msconfig (or similar) go ahead and remove it, but it will just reappear the next time you reboot.


5) run regedit (start->run, regedit), save the registry to a backup somewhere, then search for services.exe, go slowly ESPECIALLY if you're a newbie, this can mess up your machine. if it finds a match to services.exe delete it IF AND ONLY IF the path leading to it is anything BUT c:\windows\system32.exe again, I'm saying DO NOT delete the registry key IF IT DOES point to c:\windows\system32\services.exe.

C:\windows\system32\services.exe is the GOOD GUY, on my system the BAD GUY was c:\windows\inetdata\services.exe but inevitably other people might have different references. There were approximately 4 or 5 references to the BAD GUY on my system, I don't remember for sure.

6) go into c:\windows\inetdata or wherever you found the BAD GUY and delete this file, services.exe

7) run msconfig, (start->run->msconfig) look at system.ini at the bottom it should say [windows];msconfig load= [path to BAD GUY] uncheck this box.


8) run cwshredder again, do it up to 3 or 4 times until it says system completely clean. If it doesn't, then you must have a different variant of CWS on your system, sorry.

9) reboot and run windows normally (not safe mode) run cwshredder and make sure it says system is clean. open up IE (even though you still don't have internet access) and change your home page. plug your internet connection back in (phone line or ethernet cable, whichever you use) and make sure internet still works, surf a few sites, reboot again and run CWS again to be sure it's gone. If it says clean you should be devoid of this parasite.

I take full responsibility for what happened, I got this from looking at smut sites. Norton AV even came up and said I was infected with trojan.byteverify, but it said it was unable to remove it. Some research I did indicated that trojan.byteverify is a virus caused by a security bug in microsoft VM (virtual machine for java), but I took all the updates from windowsupdate. I am still investigating how I am able to get infected this way.

Finally, try not to feel too angry. If you're not tech savvy, don't feel bad about yourself. I'm a senior computer science major and it took me several days to figure this one out.  Try not to hold anger towards the [insert your favorite expletive here] people who develop this software. Of course if we just knew where they lived ............. but we DON'T so don't get angry about it. Compare this to computer virii. virii are written by teenage kids (or the equivalent) who spend their free time writing goofy programs and they want their 2.5 minutes of fame. Scumware is written by people who are motivated by money. Thus there is a much stronger drive to produce scumware and make it as difficult to remove as possible, hence scumware is (now becoming) more difficult to control than virii. It shouldn't be a surprise at all. Also consider that AV companies such as Norton and McAfee have to handle scumware very niggardly, because if some 80 yr old retarded judge (but I repeat myself) or jury in BFE Nebraska happens to rule that some particular scumware such as CWS is a legitimate business application, those companies (Norton and McAfee) could get sued to oblivion. I can hardly blame them for not wanting to take that chance. The best thing to do, if you have had it with this nonsense, is to get a mac, or switch to linux. I wish all of you the best in your endeavours B)
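Kermit's rule of thumb above (a second services.exe that runs from somewhere other than System32 and under the user's account rather than SYSTEM) and the HijackThis logs posted throughout this thread come down to the same triage question: which lines in a log deserve a second look? As an added example for this thread, not part of any post and not a HijackThis feature, the Python script below applies a handful of such rules to a log. The rules and their wording are this editor's own, derived from entries quoted in the thread (the out-of-place services.exe, Han's IEsp.mht start page, the 127.0.0.1:8080 proxy in John's log, the nhkjhh Run entry, the Trusted Zone additions and the file:// ActiveX control in the first log); the sample log is constructed from those lines, the function names are chosen here, and the script assumes Windows is installed in \WINDOWS or \WINNT on a drive letter.

```python
"""Heuristic triage of a HijackThis-style log.

Added example for this thread; it is not a HijackThis feature and the rules
below are this editor's own, derived from the entries posted above:
core Windows binaries running from outside System32 (Kermit's second
services.exe), a start page pointing at a local file (Han's IEsp.mht),
a localhost proxy (John's log), random-looking Run names (nhkjhh),
Trusted Zone additions, and ActiveX controls loaded from file://.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Core NT binaries that legitimately run only from the system directory.
CORE_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

# Assumption: Windows lives in <drive>:\WINDOWS or <drive>:\WINNT (as in the logs above).
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\win(?:dows|nt)\\system32\\[^\\]+$", re.IGNORECASE)

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# O4 lines: 'Run: [name] "quoted path" args' or 'Run: [name] path args'.
RUN_RE = re.compile(r'Run(?:Once|Services)?: \[([^\]]+)\] (?:"([^"]+)"|(\S+))')


def check_process(path):
    """Flag a core binary whose image path is not directly under System32."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in CORE_BINARIES and not SYSTEM_DIR_RE.match(path):
        return "core binary %s running from an unexpected path" % name
    return None


def check_entry(line):
    """Apply the R0/R1/O4/O6/O15/O16 heuristics to one log line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if key.endswith("Start Page") and re.match(r"^[a-z]:\\", value, re.IGNORECASE):
            return "browser start page points at a local file"
        if key.endswith("ProxyServer") and value.startswith("127.0.0.1"):
            return "browser traffic routed through a local proxy"
    elif kind == "O4":
        run = RUN_RE.search(body)
        if run:
            name, quoted, bare = run.groups()
            # Rough heuristic: lowercase names of 5+ letters with no vowels (nhkjhh)
            # look machine-generated; upper-case acronyms such as MSMSGS are not flagged.
            if name.islower() and len(name) >= 5 and not re.search(r"[aeiouy]", name):
                return "autorun entry with a random-looking name"
            return check_process(quoted or bare)
    elif kind == "O6":
        return "IE policy restrictions present; settings may be locked against you"
    elif kind == "O15":
        return "site added to the Trusted Zone"
    elif kind == "O16" and "file://" in body.lower():
        return "ActiveX control loaded from a local .cab"
    return None


def triage(log_text):
    """Walk the log: 'Running processes:' block first, then the R/O entries."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        reason = check_process(line) if in_processes else check_entry(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Constructed sample, assembled from lines quoted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\inetdata\services.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\IEsp.mht
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [nhkjhh] "C:\WINDOWS\System32\nhkjhh.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-45s %s" % (f.reason, f.line))
```

Running it prints one line per finding; on the constructed sample that is six lines, and the legitimate C:\WINDOWS\system32\services.exe and the Messenger Run entry pass. The rules only mark entries for a person to check, which is also how the helpers in this thread read HijackThis output: the out-of-place services.exe is exactly the kind of line Kermit says to hunt for, and the warning in his post about not touching the real one in System32 still applies.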
Title: casinopalazzo and coolsearch
Post by: Kermit Dudley on June 27, 2004, 10:07:37 PM
by the way, I forgot to mention that I had system restore turned off (do that first before anything else) when I got rid of CWS on my system. I don't know if that is necessary or not. Hope I'm able to help at least one person. :)
Title: casinopalazzo and coolsearch
Post by: Guest_John on June 28, 2004, 09:47:34 AM
I am having the same problem with Casinopalazzo. I have done Adaware (updated version) and CWShredder. They got rid of some stuff, but made no difference to CP problem. I also updated IE. Anyway, here is my Hijack logfile. Any help very much appreciated:

Logfile of HijackThis v1.97.7
Scan saved at 15:37:29, on 28/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SBPCI\CTMIX32.EXE
C:\WINDOWS\TBPANEL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\PROMOTIONS\HPPROMO.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\WINDOWS\WININET32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNWIN32.EXE
C:\JOHN'S STUFF - WILL WIPE HARD DISK IF OPENED. OH [censored], JUST DID IT, SORRY!!\HIJACKTHIS.EXE
C:\PROGRAM FILES\OPERA75\OPERA.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O4 - HKLM\..\Run: [Gainward] c:\windows\TBPanel.exe /A
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPpromo psc 2500 series] "C:\PROGRAM FILES\HP\DIGITAL IMAGING\PROMOTIONS\HPPROMO.exe" /N "psc 2500 series" -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37907.411875
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

Thanks,

John
Title: casinopalazzo and coolsearch
Post by: Guest on June 28, 2004, 12:32:30 PM
I've now also tried action with Spybot, which does nothing (like the other 3 very self-congratulatory ad-aware type things I've tried). Also, the elaborate searches on the Registry, suggested by another contributor, do nothing. This is very frustrating. Having spent about 24 hours messing around with software that claims it will fix everything, I've become sceptical about it all. Any other suggestions? Would uninstalling IE completely work?
Title: casinopalazzo and coolsearch
Post by: Urney on June 28, 2004, 02:19:12 PM
1) cut down on porn :rolleyes:

2) run cwshredder to find out what variant you have

3) lighten up
Title: casinopalazzo and coolsearch
Post by: synged on June 28, 2004, 03:06:11 PM
I also have been battling casinopalazzo. I am running Windows XP and IE 6. I have noticed in the C:/WINNT/system32 folder there are at least 2 .exe files associated with this bug: reinstall.exe & telnetxp.exe. From my best guessing, the reinstall.exe program does exactly that: it checks to see if the shortcut is placed on your desktop and if it doesn't exist it reinstalls. The telnetxp.exe seems to telnet to other servers and fetches the program from that server to your computer. I am running a firewall and have blocked incoming and outgoing traffic to this site and I get alerts from the firewall when this traffic occurs. Both of these programs also use the same icon which is used as the desktop icon, which for me came up with the title "Best Online Casino". I have deleted these two .exe files and I am still waiting to see the results. By the way, I also ran scans with Norton's Antivirus and Lavasoft's Adaware (Version 6.181) and neither has picked these up at this time. I did prematurely delete these, as I should have looked at the code to see what indeed was going on. Hope this helps somewhat and I will update with my results.

DSB
Title: casinopalazzo and coolsearch
Post by: Guest on June 28, 2004, 06:36:45 PM
Thanks DSB, that's useful - will also keep you posted with any success. Am trying various other things.
Title: casinopalazzo and coolsearch
Post by: synged on June 29, 2004, 04:30:28 AM
Here is another update on this issue. The telnetxp.exe file has been reinstalled on my computer, but the reinstall.exe file has not. My firewall also blocked another attempt at reconnecting to 2 sites with the IP addresses 66.230.167.185 & 66.230.167.193. More importantly, I did a search to find the telnetxp.exe instances:
TELNETXP.EXE-069FCC56.pf      C:\WINNT\Prefetch
telnetxp.exe         C:\WINNT\system32

After more digging around and checking my firewall logs, I have come up with this. There are 2 files located in C:\WINNT\system32:
telnetxp.exe
taskngr.exe

There are also 2 files located in C:\WINNT\Prefetch:
TELNETXP.EXE-069FCC56.pf
TASKNGR.EXE-1F4A3A74.pf

According to my firewall logs the 2 .exe files run together.
Web Activity:
Date Time: 6/28/2004 11:59:11 PM
User: Supervisor
URL: http://66.230.167.185/z/taskngr.exe

Web Activity:
Date Time: 6/28/2004 11:59:10 PM
User: Supervisor
URL: http://66.230.167.185/z/telnetxp.exe

Web Activity:
Date Time: 6/28/2004 11:59:06 PM
User: Supervisor
URL: http://66.230.167.185/z/2106/2106.php

My last guess is that the .pf files are the ones which keep creating the .exe files and thus causing all the annoyance. I am not exactly sure how the 2106.php file is used yet. Anyone else have a guess? Not sure if there are more files involved at this time.

DSB
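Read as a timeline, DSB's three firewall records are more informative than the post takes them for: all three requests go to one host within five seconds, the .php page first and the two executables right behind it, which is the shape of a fetch-and-run stage rather than three unrelated hits. The script below is an added example, not code from this thread: it parses that "Web Activity" layout, clusters requests by host and time, and correlates the downloaded executable names with the files DSB found in system32 and Prefetch. One fact worth knowing when reading such a listing: a Prefetch .pf file is a trace Windows writes after a program has run, so TELNETXP.EXE-069FCC56.pf is evidence that telnetxp.exe executed, not the thing that recreates it. The log text and file list are re-typed from the post as constructed input; the function names and the 30-second window are my assumptions.

```python
"""Correlate firewall 'Web Activity' records with files found on disk.

Added example, not part of the thread. FIREWALL_LOG and FILES_ON_DISK are
re-typed from DSB's post as constructed input; the record layout is the one
the post shows, the function names and the 30-second window are assumptions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

FIREWALL_LOG = """\
Web Activity:
Date Time: 6/28/2004 11:59:11 PM
User: Supervisor
URL: http://66.230.167.185/z/taskngr.exe

Web Activity:
Date Time: 6/28/2004 11:59:10 PM
User: Supervisor
URL: http://66.230.167.185/z/telnetxp.exe

Web Activity:
Date Time: 6/28/2004 11:59:06 PM
User: Supervisor
URL: http://66.230.167.185/z/2106/2106.php
"""

# Files DSB listed. A Prefetch entry is named NAME-HASH.pf and is written by
# Windows after NAME has executed: it is evidence of execution, not a dropper.
FILES_ON_DISK = [
    r"C:\WINNT\system32\telnetxp.exe",
    r"C:\WINNT\system32\taskngr.exe",
    r"C:\WINNT\Prefetch\TELNETXP.EXE-069FCC56.pf",
    r"C:\WINNT\Prefetch\TASKNGR.EXE-1F4A3A74.pf",
]

RECORD_RE = re.compile(
    r"Date Time: (?P<ts>[^\n]+)\nUser: (?P<user>[^\n]+)\nURL: (?P<url>\S+)")


def parse_records(text):
    """Return the Web Activity records oldest first."""
    records = []
    for m in RECORD_RE.finditer(text):
        ts = datetime.strptime(m.group("ts").strip(), "%m/%d/%Y %I:%M:%S %p")
        records.append({"time": ts, "user": m.group("user").strip(), "url": m.group("url")})
    return sorted(records, key=lambda r: r["time"])


def group_by_host(records, window=timedelta(seconds=30)):
    """Cluster consecutive requests to one host that fall within `window` of each other."""
    groups = []
    for r in records:
        host = urlparse(r["url"]).hostname
        if groups and groups[-1]["host"] == host and r["time"] - groups[-1]["last"] <= window:
            groups[-1]["urls"].append(r["url"])
            groups[-1]["last"] = r["time"]
        else:
            groups.append({"host": host, "first": r["time"], "last": r["time"], "urls": [r["url"]]})
    return groups


def prefetch_basename(path):
    """'TELNETXP.EXE-069FCC56.pf' -> 'telnetxp.exe'; None for non-Prefetch paths."""
    name = path.rsplit("\\", 1)[-1]
    m = re.match(r"(.+)-[0-9A-F]{8}\.pf$", name, re.I)
    return m.group(1).lower() if m else None


def correlate(records, files):
    """For each downloaded executable: when it was fetched, is it on disk, did it run."""
    on_disk = {p.rsplit("\\", 1)[-1].lower() for p in files}
    executed = {prefetch_basename(p) for p in files} - {None}
    result = {}
    for r in records:
        fname = urlparse(r["url"]).path.rsplit("/", 1)[-1].lower()
        if fname.endswith(".exe"):
            result[fname] = {
                "downloaded_at": r["time"],
                "on_disk": fname in on_disk,
                "executed": fname in executed,
            }
    return result


if __name__ == "__main__":
    recs = parse_records(FIREWALL_LOG)
    for g in group_by_host(recs):
        span = (g["last"] - g["first"]).seconds
        print(f"{g['host']}: {len(g['urls'])} requests in {span}s -> {g['urls']}")
    for name, info in correlate(recs, FILES_ON_DISK).items():
        print(f"{name}: fetched {info['downloaded_at']:%H:%M:%S}, "
              f"on disk={info['on_disk']}, executed={info['executed']}")
```

The host grouping is what turns a handful of alerts into one event: a single page request followed by executable downloads from the same address is the pattern to block at the firewall (as DSB did) and to look for again after cleanup, since a re-fetch from that host is the earliest sign the cleanup did not hold.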
Title: casinopalazzo and coolsearch
Post by: Guest on June 29, 2004, 08:31:26 AM
Ok, this is good info and a great example synged. When you guys do scans with your software (hijacker, etc.) and it comes up with filenames and registry entries, you should do a Google search for them and it will help you determine whether it's a needed file or not. Sometimes the files are named after a real file but placed in a location the real file isn't supposed to be in. You will need to search your hard drives (Start button - Search - Files/Folders) AND registry (Start button - Run - type in regedit) for all items with these names. This is what I meant when I had to delete registry entries after each clean. Each time I deleted something and rebooted it would create other files with different names (sometimes in the same location, sometimes not). I would rescan again with all my software, find the new entries and search my drives/registry, explore the paths and delete them. (Note: right-clicking on the files and viewing the properties not only may show you the paths to spawn points but it also shows the creation date, so you can know for sure if the file was just created.)

After about three times of doing this I was finally able to rid myself of the bastards.
Title: casinopalazzo and coolsearch
Post by: Guest on June 29, 2004, 12:27:40 PM
hi,

i had the same problems with that casinopalazzo-stuff, but i could solve it that way... maybe it helps you too.

System: win2k
control panel -> java console -> uncheck internet explorer -> restart pc -> now locate "jsconsole.dll" in c:\windows\system32. on my system this file was a trojan. rename or delete it.

after deleting this file, i had no more troubles with cp or other pages...

make sure, that there are no more redirects to myexexex.com in your registry.
Title: casinopalazzo and coolsearch
Post by: visE on June 29, 2004, 06:06:28 PM
Hey guys,

I too have been infected with the Casino Palazzo spyware and think it is the worst thing that has ever been created spyware wise. I think the most important thing to remember when you are removing this spyware device, is to have your System Restore turned to OFF. Mine had mistakenly been unchecked, leaving the System Restore feature ON.

After I took this feature off, I ran CWShredder. It found CWS.Mole and removed it. I then ran Ad-Aware 6. This found about 14 total files (about 6 hours ago it had found 20 or so, and I safely removed them and the desktop icon. It reappeared shortly thereafter. I was then browsing the web with my girlfriend in the room, when a porn pop-up hijacked my system, right when she was looking at the monitor. Anyways..). I removed all of these files, and then ran Hijackthis. Everything looked as it had for the past day or so here.

I then rebooted my computer, and ran Hijackthis, Ad-aware, and CWShredder again. All of these turned up ZERO results (except Hijackthis, which remained the same throughout). Hope this helps...

-visE
Title: casinopalazzo and coolsearch
Post by: Guest on June 30, 2004, 08:26:07 AM
[quote name='BJM' date='Jun 10 2004, 01:33 PM']PS Are there more files that should be deleted?[/quote]
notepad.com
taskngr.exe (not taskmgr.exe)
telnetxp.exe

But this still doesn't help.
Title: casinopalazzo and coolsearch
Post by: Allen on July 02, 2004, 11:44:58 PM
Somebody recommended going into Java console and unchecking it. Try it, it might work. A while before, I came across the Casino Palooza problem. I am not a computer tech guy. So messing with registries gets really confusing and can be dangerous if you delete something accidentally. So I went to Java Console and unchecked Internet Explorer: control panel -> java console -> uncheck internet explorer -> restart pc -> then I ran CWShredder, Spybot, then Adaware 6. I don't know when it disappeared. But all I know is that now, it doesn't show up anymore. Before there were other pop ups that accompanied the casino palooza, now none at all.
Title: casinopalazzo and coolsearch
Post by: Steven Moors on July 03, 2004, 12:33:50 PM
hello, I believe I have a similar problem in that my notepad program is totally messed up. It has an icon that is a purple background with a yellow cross - the same icon that the pleasure zone program has - and whenever I run notepad it asks to connect to the internet. I have allowed it to do so once and the casino palooza site came up. Whenever I run notepad, the pleasure zone icon appears on the desktop.

I am really a computer noob and am seeking help with this 1

thanx all
Title: casinopalazzo and coolsearch
Post by: Guest on July 04, 2004, 06:00:42 PM
I have finally got rid of CasinoPlaza! (from Windows 98 system). None of the things suggested here worked exactly, but CWShredder kept coming up with an 'Exploiter' file. I searched this on Google, and got a piece of software called DSOStop (a very small and quick program) which stopped the Exploiter thing coming up. After that things seem fine. I also (before this) got rid of some files with HijackThis, from towards the end of the O4 bit of the list (called winnit.exe and something else, winrun.exe or something which I can't remember the name of, sorry). But the giveaway (for a computer fool like me) was the fact that both sounded very important, but were created a week ago (BTW they were both in the Windows file on the C drive - but could only be deleted by HijackThis, not a standard delete), so can't have been so crucial, right? Anyway, I'm pretty sure that the combination of these things got the adware thing. Oh, and I also deleted the sexdial.exe thing in there too (which puts the icon on the desktop, and dials up Casinoplazza), although that thing was able to recreate itself in the past, before the other steps I mentioned.

Funny how this solution is so different to the other (very various) ways people have got rid of this thing. It seems to me that 'actual' viruses are pretty tame compared to this thing - when you get one of those, someone just makes a patch and it's OK, right? This thing takes hours of messing about, and really slows down and messes up your computer. IE doesn't work anymore, but then Opera is the only way now, I think...

Thanks for those who helped me get there - I hope my 'cure' might be of some use to someone...
Title: casinopalazzo and coolsearch
Post by: Death to all Malware coders! on July 04, 2004, 07:25:45 PM
Just wondering what kinda trouble this could bring on me if i send this to these jerks?

"DO NOT HESITATE TO TELL US ANYTHING YOU'D LIKE"

That's quoted from your own website, and from the forums I've been reading, I'm pretty sure I speak for a significant number of other internet users - You sick bastards might want to look into purchasing some guns and blowing each other away - scum like you should be shot! Your adware/spyware/malware crap or whoever is writing the code that you use to FORCE your "services" on people is just plain sick!

To get rid of your pop-ups and a number of others I had to re-install my OS and all apps.
Thanks so much for wasting a day of my life.

Bunch of GOOFS!
Title: casinopalazzo and coolsearch
Post by: Jimi on July 10, 2004, 01:00:12 AM
[quote name='Guest' date='Jun 6 2004, 10:25 PM']A simple cure for Casinopalazzo. It kept knocking me off line and I had to spend 5 minutes reconnecting to my Internet provider, but the CP bug appears every 8 to 10 minutes so I had an 8 minute 'window' for downloads. Sorry for being wordy but this is what I downloaded and the order in which I ran them. I got the latest version of Ad-Aware 6.181. It loaded over my older version (6.162) and found 32 bugs my older version didn't recognise.
Google.com then type CWShredder. On dial up it's a 2 minute load. Then Google again and get HijackThis. Run Ad-Aware first. It will miss the CP bug but it really speeds up your CPU so it can handle the evasive maneuvers of the bug. It replicates itself as you are deleting it.
Then run the CWShredder. Let it kill the 80 or so file paths it finds. Then run HijackThis. It will warn you that some files it found are needed for legitimate programs. Of the 30 or so names it found I UNclicked 4 near the bottom of the page. They had to do with word processing and faxing so I left them alone. All the files it deleted went into my Norton Protected Bin so later, if I need a deleted file I can unerase. I won't empty the Norton Bin for a few months just to make sure I haven't deleted a necessary file unrelated to the CP bug.
Ad-Aware...CWShredder...HijackThis, in that order. I played Freecell for an hour with no Pop-Up, then I spent an hour in my favorite chatroom; no Pop-Up.
Sometimes the 'simple cure' works best, especially for non-techy people like me.
Best of luck,
James
Albion6000 [Email Removed][/quote]
James,

Your 'Simple Cure' did the trick. Thanks!
Title: casinopalazzo and coolsearch
Post by: BigRonFH on July 19, 2004, 11:07:49 AM
[quote name='Jimi' date='Jul 10 2004, 12:00 AM'][quote name='Guest' date='Jun 6 2004, 10:25 PM']A simple cure for Casinopalazzo. It kept knocking me off line and I had to spend 5 minutes reconnecting to my Internet provider, but the CP bug appears every 8 to 10 minutes so I had an 8 minute 'window' for downloads. Sorry for being wordy but this is what I downloaded and the order in which I ran them. I got the latest version of Ad-Aware 6.181. It loaded over my older version (6.162) and found 32 bugs my older version didn't recognise.
Google.com then type CWShredder. On dial up it's a 2 minute load. Then Google again and get HijackThis. Run Ad-Aware first. It will miss the CP bug but it really speeds up your CPU so it can handle the evasive maneuvers of the bug. It replicates itself as you are deleting it.
Then run the CWShredder. Let it kill the 80 or so file paths it finds. Then run HijackThis. It will warn you that some files it found are needed for legitimate programs. Of the 30 or so names it found I UNclicked 4 near the bottom of the page. They had to do with word processing and faxing so I left them alone. All the files it deleted went into my Norton Protected Bin so later, if I need a deleted file I can unerase. I won't empty the Norton Bin for a few months just to make sure I haven't deleted a necessary file unrelated to the CP bug.
Ad-Aware...CWShredder...HijackThis, in that order. I played Freecell for an hour with no Pop-Up, then I spent an hour in my favorite chatroom; no Pop-Up.
Sometimes the 'simple cure' works best, especially for non-techy people like me.
Best of luck,
James
Albion6000 [Email Removed][/quote]
James,

Your 'Simple Cure' did the trick. Thanks! [/quote]
I tried the Ad-Aware-CWShredder-HijackThis cure. It didn't work. I'm desperate! This Casinopalazzo crap is really bad!!! Help!!!
Title: casinopalazzo and coolsearch
Post by: douglasray on July 20, 2004, 12:01:29 PM
I know it sounds naive, but in my desperation I wrote to [email protected] to inquire about this problem. Below is their response. I have not tried anything they mentioned.

----

Disclaimer of Casino Palazzo


This is an auto responder email from Casinopalazzo.com.

It's about the virus problems you are having. Please, read it carefully but don't reply.
------------------------

Hello  

We really apologize for this big nuisance.

We represent Casinopalazzo.com as a company and they wanted to let you know the following:

"Casino Palazzo is not responsible for infecting the players' computers with viruses.

On the contrary, our policy is to please all our players by giving them all services we can provide.

We are against all kinds of spam or any form of bringing traffic illegally. This is for sure due to Russian hackers among others, that got affiliated to our revenue program and that created a harmful tool to get more visits towards his sites.

You can report him to the authorities, if you consider.
Obviously, we closed his account with us and started legal actions to prosecute him.
There are 3 more but we don't know yet their URL.

Maybe they are the same person. In case you have more information about this hacker, we'd be grateful if you could pass it on.

We think that the problem comes because the trojan is now installed inside the dialer you were using when the pop-up appeared. If it's the case, we recommend you to remove that dialer to see if the pop-ups cease to appear. More about the removal of this popup:  
there are several tools cleaning computers from unpleasant pop-ups.  You can always download free Ad-aware 6.0 at their site www.lavasoftusa.com/support/download or any anti spy bot you can find at Google, like Spybot (s&d) by Patrick M. Kolla. Unfortunately we can't guarantee it will remove it but it's worth trying.

In case the trojan has changed your home page, you can always do the following:

1)    right click on the Internet Explorer icon on your desktop.
2)    Click on Properties
3)    Change the url on the line for the Home Page, at the top of the page.

We have received some feedback from users that managed to get rid of this problem. We advise you to get CWShredder Version 1.59.0.
You can download it for free from http://www.spywareinfo.com/~merijn/ You can also try help forums, especially http://www.cybertechhelp.com. Several people have recommended visiting their site.
Some threads seem to have ended solving the matter successfully, as http://www.cybertechhelp.com/forums/showthread.php?t=39028 and http://www.cybertechhelp.com/forums/showthread.php?t=36894 or even this one regarding sexdial:
http://www.dslreports.com/forum/remark,10408243~mode=flat If that helps, have a try with the tips included on the following boards too: http://www.lavasoftsupport.com/index.php?showtopic=31046 http://forums.spywareinfo.com/index.php?showtopic=3992 http://www.dslreports.com/forum/remark,10436660~mode=flat
More info about how to remove this virus has come from another player. He managed to remove it by doing that but no-one can guarantee it's going to work.

We just copy below his tips:
"I've stopped most of the problem by doing the following:

In C:\Windows I have deleted:
1.    usermigratedstar.bin
2.    dial32.exe
3.    d1dial.exe

In C:\Windows\Temp I have deleted:
1.    svchost.exe
2.    incredifindBHOlog.temp
3.    wmetracelog.log
4.    ist_install.exe

I am not advising others to do the same, but this seemed to work for me.  After this I ran a number of programs, each seemed to find new things to correct.  

I ran:
Spybot, Adaware Vr. 6, ScanSpyware and Register Mechanic. In each case I allowed the software to automatically perform the recommended function."

We really hope this will help you to get rid of this virus.

Sincerely
Title: casinopalazzo and coolsearch
Post by: Guest on July 21, 2004, 01:23:15 AM
It seems that there are many versions of the 'casinopalazzo' pop-ups.
Mine is the pop-up window which appears after opening and closing the Internet Explorer for about 7 or 8 times. Then there is also a file created on the desktop folder.

After reading the replies, mine is similar to the one which has sex.exe file in windows\system32 folder.
Then I have searched the web, and found the solution.

Here is the copy of the solution:

********

First, make sure there's no process named IEXPLORE.EXE running.

1

Delete these files:

* C:\WINNT\system32\msacrohlp.dll
* C:\WINNT\system32\sex.exe
* C:\WINNT\system32\mscgp32.dll
* The sex-shortcut on your desktop

("WINNT" is your system root - can be "Windows" too)

And if there:

* C:\Documents and Settings\User\Local Settings\Temp\backup-{some numbers here}.dll

(has the same size as msacrohlp.dll)

Just a note:
The file "mscgp32.dll" has the same content as "sex.exe" - both are packed with UPX.

2

Delete the following registry keys and all their sub-keys:

* HKEY_CLASSES_ROOT\CLSID\{A3DFDA85-1D92-4E28-8C0C-522574ACDC8A}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AcrobatIEHlpr.AcroIEHlpObj
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3DFDA85-1D92-4E28-8C0C-522574ACDC8A}
* HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3DFDA85-1D92-4E28-8C0C-522574ACDC8A}
* HKEY_CLASSES_ROOT\AcrobatIEHlpr.AcroIEHlpObj

This looks somehow like it would be related to Adobe Acrobat Reader, but it is not!
Why should a DLL from Adobe have the following lines in it?

S D B Val ForceRemove NoRemove Delete CLSID TYPELIB AcrobatIEHlpr.AcroIEHlpObj Version Version Version \ mscgp32.dll \ sex.exe explorer.exe S D B Val

This is the original Adobe Acrobat stuff:

ProgID: AcroIEHelper.AcroIEHlprObj
TypeLib: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
InprocServer32: AcroIEHelper.ocx

I'll try to put a note to Adobe, perhaps they can take legal steps against them.
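The registration in the solution above is a look-alike: the ProgID AcrobatIEHlpr.AcroIEHlpObj is a few letters away from Adobe's genuine AcroIEHelper.AcroIEHlprObj, which is exactly why an O2 line for it reads as harmless at a glance. As an added example that is not part of the post, the script below keeps a small table of genuine BHO ProgIDs, scores every registered BHO against it with a string-similarity ratio so near-misses stand out, and generalises the post's step 2 into a function that enumerates the registry locations for any CLSID/ProgID pair. The in-memory registry table, the placeholder CLSID and path for the Adobe entry, the unrelated third helper and the 0.75 threshold are all constructed; the {A3DFDA85-...} CLSID, the two ProgIDs and msacrohlp.dll come from the post.

```python
"""Spot look-alike BHO registrations and enumerate the keys that hold them.

Added example for this thread, not code from the post. REGISTERED_BHOS is a
constructed in-memory stand-in for a registry export; the Adobe CLSID and
path and the third entry are placeholders, the rest is quoted from the post.
"""
import difflib

# Genuine ProgIDs accepted as-is (constructed table; extend per machine).
KNOWN_GOOD_PROGIDS = {
    "AcroIEHelper.AcroIEHlprObj": "Adobe Acrobat Reader IE helper",
}

# Constructed: what a registry export reported under Browser Helper Objects.
REGISTERED_BHOS = {
    "{PLACEHOLDER-ADOBE-CLSID}": {  # placeholder, not Adobe's real CLSID
        "ProgID": "AcroIEHelper.AcroIEHlprObj",
        "InprocServer32": r"C:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.ocx",  # constructed path
    },
    "{A3DFDA85-1D92-4E28-8C0C-522574ACDC8A}": {  # CLSID quoted in the post
        "ProgID": "AcrobatIEHlpr.AcroIEHlpObj",
        "InprocServer32": r"C:\WINNT\system32\msacrohlp.dll",
    },
    "{PLACEHOLDER-OTHER-CLSID}": {  # constructed unrelated helper, for contrast
        "ProgID": "Example.UnrelatedHelper",
        "InprocServer32": r"C:\Program Files\Example\helper.dll",
    },
}


def normalize(progid):
    """Compare on letters only: case and the ProgID dot are trivial to vary."""
    return progid.lower().replace(".", "")


def lookalike_score(candidate, genuine):
    """0.0..1.0 similarity of two ProgIDs (difflib ratio = 2*matches/total length)."""
    return difflib.SequenceMatcher(None, normalize(candidate), normalize(genuine)).ratio()


def find_lookalikes(bhos, known_good=KNOWN_GOOD_PROGIDS, threshold=0.75):
    """Flag BHOs whose ProgID is near, but not equal to, a genuine one."""
    hits = []
    for clsid, info in bhos.items():
        progid = info["ProgID"]
        if progid in known_good:
            continue  # exact match with a genuine ProgID: nothing to report here
        for genuine in known_good:
            score = lookalike_score(progid, genuine)
            if score >= threshold:
                hits.append({
                    "clsid": clsid,
                    "progid": progid,
                    "mimics": genuine,
                    "score": round(score, 2),
                    "dll": info["InprocServer32"],
                })
    return hits


def registry_keys_for(clsid, progid):
    """The locations the post's step 2 touches, generalised to any CLSID/ProgID pair."""
    return [
        rf"HKEY_CLASSES_ROOT\CLSID\{clsid}",
        rf"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{clsid}",
        rf"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
        rf"HKEY_CLASSES_ROOT\{progid}",
        rf"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{progid}",
    ]


if __name__ == "__main__":
    for hit in find_lookalikes(REGISTERED_BHOS):
        print(f"{hit['clsid']} ProgID {hit['progid']} resembles {hit['mimics']} "
              f"(score {hit['score']}), loads {hit['dll']}")
        for key in registry_keys_for(hit["clsid"], hit["progid"]):
            print("   inspect:", key)
```

On NT-based Windows, HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, which is why the post lists the same CLSID and ProgID under both hives; checking both is what stops a per-user copy from surviving the cleanup. The similarity score is a triage aid: a near-miss ProgID whose DLL lives in system32 under a name that mimics a vendor's (msacrohlp.dll) is the combination to look up before deleting anything.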
Title: casinopalazzo and coolsearch
Post by: Zoid on July 27, 2004, 09:58:34 AM
That worked well for me. The only problem I have now is that Internet Explorer keeps giving me the error when I try to connect "Cannot find 'file:///C:/WINNT/System32/IEsp.mht'". Adaware finds the registry entry that sets the home page as a possible hijack attempt, but removing the entry doesn't make any difference. I've run Spybot and HijackThis to no avail. Any ideas?
Title: casinopalazzo and coolsearch
Post by: JD on August 05, 2004, 12:01:25 PM
[quote name='Jimi' date='Jul 10 2004, 12:00 AM'][quote name='Guest' date='Jun 6 2004, 10:25 PM']A simple cure for Casinopalazzo. It kept knocking me off line and I had to spend 5 minutes reconnecting to my Internet provider, but the CP bug appears every 8 to 10 minutes so I had an 8 minute 'window' for downloads. Sorry for being wordy but this is what I downloaded and the order in which I ran them. I got the latest version of Ad-Aware 6.181. It loaded over my older version (6.162) and found 32 bugs my older version didn't recognise.
Google.com then type CWShredder. On dial up it's a 2 minute load. Then Google again and get HijackThis. Run Ad-Aware first. It will miss the CP bug but it really speeds up your CPU so it can handle the evasive maneuvers of the bug. It replicates itself as you are deleting it.
Then run the CWShredder. Let it kill the 80 or so file paths it finds. Then run HijackThis. It will warn you that some files it found are needed for legitimate programs. Of the 30 or so names it found I UNclicked 4 near the bottom of the page. They had to do with word processing and faxing so I left them alone. All the files it deleted went into my Norton Protected Bin so later, if I need a deleted file I can unerase. I won't empty the Norton Bin for a few months just to make sure I haven't deleted a necessary file unrelated to the CP bug.
Ad-Aware...CWShredder...HijackThis, in that order. I played Freecell for an hour with no Pop-Up, then I spent an hour in my favorite chatroom; no Pop-Up.
Sometimes the 'simple cure' works best, especially for non-techy people like me.
Best of luck,
James
Albion6000 [Email Removed][/quote]
James,

Your 'Simple Cure' did the trick. Thanks! [/quote]
James,
The simple fix worked great! Not only did it take care of the "Casino" start page but eliminated the desktop icon for the shortcut to "theteenporn.com". Thanks!
Title: casinopalazzo and coolsearch
Post by: Guest_joe on August 09, 2004, 06:46:59 PM
same problem. Casinopalazzo and unwanted desktop items.

Logfile:

Logfile of HijackThis v1.97.7
Scan saved at 6:18:21 PM, on 8/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\FREESCAN\FREESCAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\UPDATES AND FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {9933A703-36F2-DAB1-4251-7976D2B07481} - C:\PROGRAM FILES\WAY VGA MPEG\FILMEGGS.DLL (file missing)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: Third software this - {BAFD8EFD-5111-56F3-036D-0D0061866E1D} - C:\PROGRAM FILES\WAY VGA MPEG\FILMEGGS.DLL (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37917.7335300926
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab


Help Please
Title: casinopalazzo and coolsearch
Post by: Justaguy on August 10, 2004, 10:05:28 AM
I have been working on getting rid of this crap from my computer for over 2 weeks.  I finally did it with everyone's great help.

I added one extra step that I think really worked.  Like everyone else I used Spybot, Ad-aware and HijackThis.  But before that I used a shareware program called "Registry Mechanic".  It fixed 119 entries without bothering any of my programs.

I was skeptical that this would work.  But 2 weeks later and everything is perfect.

WARNING: I received my telephone bill and there were over two dozen international calls!  I was upset at the kids until I realized it was a Trojan placing these calls.  Calls went to the UK and some Tuvalu place.  I talked with the phone company but they only said they would reduce my charges by 50%.  After I fixed the computer, there haven't been any other international calls.

I do not want this to happen to anyone else.  Check your phone before your bill comes in.

Thanks again for this website and everyone here.  Justaguy
Title: casinopalazzo and coolsearch
Post by: Cruiser on August 31, 2004, 11:40:41 AM
I am a happy man today !

I have been haunted by the same problem for the past 3 weeks.  I am not a computer guy.  I tried Norton, Ad-aware, etc. with no result.  I've tried Yahoo Toolbar recently with no result.  However, I did an update today, then scanned my computer, and found a whole bunch of things.  I removed all of them, restarted the computer 2 times, and left it on for the last 2 hours - NO POP UP.

Toolbar is free for download from Yahoo - since it is a Yahoo product, I am extremely comfortable with it.

Good luck.


Cruiser.