Hey All,
I really appreciate all of you help. This thing is pretyy annoying and know that there are people more intelligent than these stupid programs like yourselves, is a relief.
My problem is that every couple times I open/have open Internet Explorer, I get a pop-up saying that "Windows has detected spyware modules on your PC. You must install Spyware Scanner and Remover." It gives me the option of "Install" or "Close." I keep clicking on the close option. Along with this pop-up, my IE will open with my regular homepage in one browser and the Casino Palazzo in another browser. Lastly, it keeps putting a shortcut on my desk top called "Best Online Casino." The shortcut executes IE to the following URL:
http://www.casinopalazzo.com/index.php?sourceid=102174.
I have run Bazooka Spyware Scanner, Adaware 6.0, and Spybot to no avail. I have the Symantec AntiVirus Corporate Edition and I ran it last night, but it detected nothing.
Here is the log from HijackThis v1.97.7:
Logfile of HijackThis v1.97.7
Scan saved at 11:52:10 AM, on 06/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ReggolYek\skl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Data\AIM\aim.exe
C:\Notes\nminder.exe
C:\Notes\naldaemn.EXE
C:\WINDOWS\System32\taskngr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Marti_Bob\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ecampus.bentley.edu/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N1 - Netscape 4: user_pref("browser.startup.homepage", "
http://ecampus.bentley.edu"); (C:\Program Files\Netscape\Users\default\prefs.js)
O1 - Hosts: 141.133.112.5 Pan
O1 - Hosts: 141.133.112.3 Atlas
O1 - Hosts: 141.133.112.75 Artemis
O1 - Hosts: 141.133.112.75 Electra
O1 - Hosts: 141.133.64.36 Admin1
O1 - Hosts: 141.133.64.36 Ares
O1 - Hosts: 141.133.64.35 Admin2
O1 - Hosts: 141.133.64.35 Trivia
O1 - Hosts: 141.133.60.12 Facstaff
O1 - Hosts: 141.133.60.13 Student1
O1 - Hosts: 141.133.60.14 Student2
O1 - Hosts: 141.133.60.15 Appserv1
O1 - Hosts: 172.16.1.116 CCURE_HOST
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Spy-Keylogger] "C:\Program Files\ReggolYek\skl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AIM] C:\Data\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) -
https://components.viewpoint.com/MTSInstall...MetaStream3.cabO16 - DPF: {056BDD7A-F777-42AF-AADF-288C4C055618} (SoftwareUpdates.PatchDetect) -
https://deploy.bentley.edu/controls/BentleyUpdate.CABO16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
http://www.ipix.com/viewers/ipixx.cabO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwa...director/sw.cabO16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) -
http://student1.bentley.edu/iNotes.cabO16 - DPF: {31BAF1D4-A6F1-4BBA-A836-9D611DE3E2DF} -
https://deploy.bentley.edu/fall2003/patches...404/install.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -
http://www.fileplanet.com/fpdlmgr/cabs/FPD...DC_1_0_0_41.cabO16 - DPF: {4BFC73A6-F8AE-42B3-AAEC-792C3CF0B418} (VCGSU Control) -
http://commonsvcg.oar.net/VCGSU.CABO16 - DPF: {58EFF30B-73CE-4841-945A-7730FC869C30} (PatchDetection.PatchDetect) -
https://deploy.bentley.edu/controls/PatchDetection.CABO16 - DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} (MS Investor Ticker) -
http://fdl.msn.com/public/investor/v5/ticker.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwa...ash/swflash.caband here is the log from Bazooka:
****************************************
Bazooka Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/http://www.kephyr.com/spywarescanner/library/[email protected]Log created 11:52:26.
OS: Windows NT 5.1
Database version: 2.100000
Database format version: 1.020000
Database date: 20040623
Current date: 2004-06-28 11:52
****************************************
Result when scanning:
No threats found.
****************************************
Auto start entries:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l
C:\Documents and Settings\Marti_Bob\Start Menu\Programs\Startup\desktop.ini
C:\Documents and Settings\Marti_Bob\Start Menu\Programs\Startup\desktop.ini
Go here to analyse the startup entries and the associated files:
http://www.kephyr.com/filedb/index.php****************************************
Run entries:
ATIModeChange Ati2mdxx.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ATIModeChange
TP4EX tp4ex.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TP4EX
AGRSMMSG AGRSMMSG.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AGRSMMSG
AtiPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AtiPTA
vptray C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\vptray
TPKMAPMN C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TPKMAPMN
TrackPointSrv tp4serv.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrackPointSrv
TPHOTKEY C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TPHOTKEY
Spy-Keylogger "C:\Program Files\ReggolYek\skl.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Spy-Keylogger
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
Steam "c:\progra~1\steam\steam.exe" -silent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Steam
AIM C:\Data\AIM\aim.exe -cnetwait.odl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AIM
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
Go here to analyse the run entries and the associated files:
http://www.kephyr.com/filedb/index.php****************************************
Browser helper objects:
{53707962-6F74-2D53-2644-206D7942484F} not set C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
{98DBBF16-CA43-4c33-BE80-99E6694468A4} not set C:\WINDOWS\System32\msmk.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{98DBBF16-CA43-4c33-BE80-99E6694468A4}
****************************************
Toolbars:
{8E718888-423F-11D2-876E-00A0C9082467} C:\WINDOWS\System32\msdxm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{8E718888-423F-11D2-876E-00A0C9082467}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} c:\program files\google\googletoolbar2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2318C2B1-4965-11d4-9B18-009027A5CD4F}
{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}\InprocServer32
System error message: The system cannot find the file specified.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}
{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
{0E5CBF21-D15F-11D0-8301-00AA005B4383} C:\WINDOWS\system32\SHELL32.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
{2318C2B1-4965-11D4-9B18-009027A5CD4F} c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{4D5C8C25-D075-11d0-B416-00C04FB90376} C:\WINDOWS\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
{32683183-48a0-441b-a342-7c2a440a9478} C:\WINDOWS\System32\browseui.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
{EFA24E62-B078-11D0-89E4-00C04FC9E26E} C:\WINDOWS\System32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
{EFA24E64-B078-11D0-89E4-00C04FC9E26E} C:\WINDOWS\System32\shdocvw.dll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
****************************************
All processes:
[System Process]
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
ibmpmsvc.exe
ati2evxx.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
spoolsv.exe
DefWatch.exe
mdm.exe
Rtvscan.exe
ati2evxx.exe
explorer.exe
AGRSMMSG.exe
atiptaxx.exe
VPTray.exe
TpKmapMn.exe
TPHKMGR.exe
TPONSCR.exe
skl.exe
TpScrex.exe
ctfmon.exe
MSOFFICE.EXE
aim.exe
nminder.exe
naldaemn.exe
taskngr.exe
IEXPLORE.EXE
notepad.exe
spywarescanner.exe
Go here to analyse the running processes:
http://www.kephyr.com/filedb/index.php****************************************
Internet Explorer Settings:
Local Page C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
Start Page
http://www.msn.com/ HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\
www http://
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\
provider gogl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider
Local Page C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
Start Page
http://ecampus.bentley.edu/ HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Use Search Asst no
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst
****************************************
I would really appreciate if you could look over all of this and give me your expert opinion.
Thanks a lot,
Bob
