Help! - CasinoPalazzo and MagicSearch.us trojan

Discussion in 'adware, spyware & hijack cleaning' started by egomez, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    Hi, I've been hijacked by the CasinoPalazzo and MagicSearch trojan(s). CasinoPalazzo pops up every so often and places icons on my desktop, and MagicSearch places bookmarks in my Favorites.

    As instructed, I ran AdAware 6 with the latest pattern update installed. Then ran HijackThis. Here's my HijackThis logfile.

    Thanks for your help with this!

     
  2. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    *bump*
    Hi there, Just hoping for some help with this problem. Any assistance would be greatly appreciated. Thanks!
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi egomez,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washington-heights.us/ba...sql_utility.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mailbox.washington-heights.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.us/browser/

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 207.68.176.190 auto.search.msn.com
    O1 - Hosts: 207.68.176.190 www.auto.search.msn.com

    O4 - HKLM\..\Run: [MSConfig Manager] C:\WINDOWS\msupdate.exe

    O4 - HKCU\..\Run: [MSConfig Manager] C:\WINDOWS\msupdate.exe

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot and post a new log.

    Could you mail me a (preferably zipped) copy of C:\WINDOWS\msupdate.exe
    The address is pieterATwilderssecurity.org (replace AT with @)

    Regards,

    Pieter
     
  4. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    Hi Pieter, Thank you.

    I couldn't find the msupdate.exe file in the C:\WINDOWS directory. Instead, I found the following files with the same icon used by the unwanted shortcut icons placed on my desktop: a big orange X on a dark blue background:
    dl0001.exe
    wincall.exe
    The shortcut on my desktop is labeled "longcall" and points to Internet Explorer, set to the CasinoPalazzo Web site. Should I delete all three files?

    I followed your instructions:
    * Ran HijackThis and fixed the items you indicated.
    * Ran CWShredder.

Following is the new HijackThis log. [I noticed that the "R3 - URLSearchHook: (no name) ..." line is back, even though I had removed it.]

    Looking forward to further instructions. Cheers!

     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi egomez,

    Follow this procedure to get rid of the R3 line:
    https://www.wilderssecurity.com/showthread.php?t=30668
HijackThis is probably thrown off by the ~ sign at the start, where there should be a {

Could you mail me the files you found that seem related?
    dl0001.exe
    wincall.exe
    I am trying to figure out these casinopalazzo pests, but it looks like there are several different variants of it.
    If I could find a common factor that would cure them all, that would be great.

    Regards,

    Pieter
     
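A small log-triage script, added here as an example and not code from the thread or from HijackThis itself: it parses entries in the format of the HijackThis lines Pieter listed and flags the patterns he acted on (an R3 hook whose CLSID is not a braced GUID, a hosts-file override of a Microsoft search domain, Run entries launching straight from the Windows root, and one host stamped across several start/search keys). The sample log is constructed from lines in this thread plus one benign control line; the watched-domain list is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: entries copied from the log lines flagged in this thread,
# plus one constructed benign O4 line (ctfmon.exe) as a control.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://magicsearch.us/browser/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://mailbox.washington-heights.us
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = http://magicsearch.us/browser/
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 207.68.176.190 auto.search.msn.com
O4 - HKLM\\..\\Run: [MSConfig Manager] C:\\WINDOWS\\msupdate.exe
O4 - HKCU\\..\\Run: [MSConfig Manager] C:\\WINDOWS\\msupdate.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# A valid COM CLSID is a GUID wrapped in braces; "~CFBF...}" is not one.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# Assumed watchlist: domains a hosts file on a home PC should never override.
WATCHED_DOMAINS = ("msn.com", "microsoft.com")


def analyze(log: str) -> list:
    findings = []
    search_hosts = Counter()
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = http" in body:
            # Count how many start/search keys point at each host.
            search_hosts[urlparse(body.split(" = ", 1)[1]).hostname] += 1
        elif kind == "R3":
            clsid = body.split(" - ")[1]  # token between the name and the file
            if not CLSID_RE.match(clsid):
                findings.append(f"R3 hook has malformed CLSID {clsid!r}; HijackThis may not fix it")
        elif kind == "O1":
            ip, host = body.split(": ", 1)[1].split()
            if host.endswith(WATCHED_DOMAINS):
                findings.append(f"hosts file redirects {host} to {ip}")
        elif kind == "O4":
            hive = body.split("\\", 1)[0]
            folder, exe = body.split("] ", 1)[1].rsplit("\\", 1)
            if folder.upper() == "C:\\WINDOWS":  # autostart binaries normally live in system32
                findings.append(f"{hive} Run entry launches {exe} directly from the Windows root")
    for host, n in search_hosts.items():
        if n >= 2:
            findings.append(f"{n} start/search keys point at {host}")
    return findings
```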
  6. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    Hi Pieter,

    I've e-mailed you the two related files in a ZIP archive. I also included three other files in the WINDOWS directory that looked suspicious to me -- they have similar modified dates.

    I successfully removed the evil registry entry with Registrar Lite, and here is the new HijackThis log.

    Cheers!

     
  7. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    Hello Pieter,

    Just following up on this. Please let me know what the next steps are to get rid of this problem. I sent you the files you asked for. Thanks.

    Cheers!

    -Eduardo
     
  8. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    *bump* Hi Pieter, Did you forget about me? Just following up. When you have a chance, please let me know the next steps. Regards, -Eduardo
     
  9. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    Hi there, Just bumping this up. Pieter or any other experts ... Can you help me finish cleaning up my computer? Thanks. -Eduardo
     
  10. egomez

    egomez Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    8
    Location:
    New York City
    P.S. Pieter, I hope you're doing OK ...
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Eduardo,

    Sorry for taking so long. A full scan with AdAware should take care of any leftovers you may have.

    Regards,

    Pieter
     