Help! - CasinoPalazzo and MagicSearch.us trojan

Discussion in 'adware, spyware & hijack cleaning' started by egomez, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. egomez

    egomez Registered Member

    Hi, I've been hijacked by the CasinoPalazzo and MagicSearch trojan(s). CasinoPalazzo pops up every so often and places icons on my desktop, and MagicSearch places bookmarks in my Favorites.

    As instructed, I ran AdAware 6 with the latest pattern update installed. Then ran HijackThis. Here's my HijackThis logfile.

    Thanks for your help with this!

  2. egomez

    egomez Registered Member

    *bump*
    Hi there, Just hoping for some help with this problem. Any assistance would be greatly appreciated. Thanks!
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi egomez,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washington-heights.us/ba...sql_utility.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mailbox.washington-heights.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://magicsearch.us/browser/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://magicsearch.us/browser/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://magicsearch.us/browser/

    R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 207.68.176.190 auto.search.msn.com
    O1 - Hosts: 207.68.176.190 www.auto.search.msn.com

    O4 - HKLM\..\Run: [MSConfig Manager] C:\WINDOWS\msupdate.exe

    O4 - HKCU\..\Run: [MSConfig Manager] C:\WINDOWS\msupdate.exe

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot and post a new log.

    Could you mail me a (preferably zipped) copy of C:\WINDOWS\msupdate.exe?
    The address is pieterATwilderssecurity.org (replace AT with @)

    Regards,

    Pieter
  4. egomez

    egomez Registered Member

    Hi Pieter, Thank you.

    I couldn't find the msupdate.exe file in the C:\WINDOWS directory. Instead, I found the following files with the same icon used by the unwanted shortcut icons placed on my desktop: a big orange X on a dark blue background:
    dl0001.exe
    wincall.exe
    The shortcut on my desktop is labeled "longcall" and points to Internet Explorer, set to the CasinoPalazzo Web site. Should I delete all three files?

    I followed your instructions:
    * Ran HijackThis and fixed the items you indicated.
    * Ran CWShredder.

    Following is the new HijackThis log. [I noticed that the "R3 - URLSearchHook: (no name) ..." line is back, even though I had removed it.]

    Looking forward to further instructions. Cheers!

  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi egomez,

    Follow this procedure to get rid of the R3 line:
    http://www.wilderssecurity.com/showthread.php?t=30668
    HijackThis is probably thrown off by the ~ sign at the start, where there should be a {

    Could you mail me the files you found that seem related?
    dl0001.exe
    wincall.exe
    I am trying to figure out these casinopalazzo pests, but it looks like there are several different variants of it.
    If I could find a common factor that would cure them all, that would be great.

    Regards,

    Pieter
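As an added example (not part of the thread or of HijackThis), a small Python triage pass over the HijackThis lines quoted above, applying the checks Pieter applies by eye in posts 3 and 5: IE start/search settings pointing at hosts the user never chose, a URLSearchHook CLSID that is not a well-formed {GUID} (the ~ problem), hosts entries redirecting a name to a non-loopback address, and Run entries launching an .exe from the Windows folder root. The TRUSTED_HOSTS set and the benign contrast lines in the sample are constructed assumptions.

```python
import re

# Constructed sample: the HijackThis lines quoted in this thread, plus a benign
# start page, a benign hosts line and a benign Run entry for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://magicsearch.us/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mailbox.washington-heights.us
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 207.68.176.190 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [MSConfig Manager] C:\WINDOWS\msupdate.exe
O4 - HKLM\..\Run: [TrayApp] C:\Program Files\Example\tray.exe
"""

# Assumption: start/search hosts the machine's owner actually chose.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
WINDIR_ROOT_EXE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

def triage(log_text):
    """Return (line, reason) pairs for HijackThis entries that deserve a look."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1"):
            # IE start/search setting: flag any host outside the trusted set.
            host = re.sub(r"^https?://", "", line.rsplit(" = ", 1)[-1]).split("/")[0]
            if host not in TRUSTED_HOSTS:
                findings.append((line, f"IE setting points at untrusted host {host}"))
        elif kind == "R3":
            # URLSearchHook: the CLSID must be a {GUID}; a stray leading character
            # (the ~ in this thread) is why HijackThis's own fix keeps missing it.
            clsid = line.split(" - ")[2]
            if not CLSID_RE.match(clsid):
                findings.append((line, "malformed CLSID; remove the key by hand"))
            elif "(no file)" in line:
                findings.append((line, "search hook with no backing file"))
        elif kind == "O1":
            # hosts entry: a name mapped to a non-loopback IP is a silent redirect.
            ip, name = line.split(": ", 1)[1].split()[:2]
            if ip not in ("127.0.0.1", "0.0.0.0"):
                findings.append((line, f"hosts redirect of {name} to {ip}"))
        elif kind == "O4":
            # Run entry launching an .exe straight from the Windows folder root;
            # a common pattern for this era's adware (heuristic, not proof).
            if WINDIR_ROOT_EXE.match(line.rsplit("] ", 1)[-1]):
                findings.append((line, "autostart from Windows folder root"))
    return findings
```

The benign google, localhost and Program Files lines pass through untouched, so the output is exactly the five entries Pieter told egomez to fix.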
  6. egomez

    egomez Registered Member

    Hi Pieter,

    I've e-mailed you the two related files in a ZIP archive. I also included three other files in the WINDOWS directory that looked suspicious to me -- they have similar modified dates.

    I successfully removed the evil registry entry with Registrar Lite, and here is the new HijackThis log.

    Cheers!

  7. egomez

    egomez Registered Member

    Hello Pieter,

    Just following up on this. Please let me know what the next steps are to get rid of this problem. I sent you the files you asked for. Thanks.

    Cheers!

    -Eduardo
  8. egomez

    egomez Registered Member

    *bump* Hi Pieter, Did you forget about me? Just following up. When you have a chance, please let me know the next steps. Regards, -Eduardo
  9. egomez

    egomez Registered Member

    Hi there, Just bumping this up. Pieter or any other experts ... Can you help me finish cleaning up my computer? Thanks. -Eduardo
  10. egomez

    egomez Registered Member

    P.S. Pieter, I hope you're doing OK ...
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Eduardo,

    Sorry for taking so long. A full scan with AdAware should take care of any leftovers you may have.

    Regards,

    Pieter