Casinopalazzo Problem

Discussion in 'adware, spyware & hijack cleaning' started by e-kips, Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey, I'm a newbie here, and I really need some help.

    This shortcut icon (it looks like a big yellow X), named "default", was added to my desktop. Its target is ""C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.casinopalazzo.com/index.php?sourceid=101969".

    It causes random Casinopalazzo Pop-ups to appear. I ran CWShredder, Spybot, Ad-aware, and HijackThis...nothing found.

    Can anyone help me? Here is my Hijack This log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:22:21 PM, on 6/6/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\sfmprint.exe
    C:\WINNT\system32\PGPsdkServ.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ScsiAccess.EXE
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\WINDOWS\Desktop\Will\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\WINDOWS\Desktop\Will\FlashGet\jc_link.htm
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.567974537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Jmei.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Jmei.com

    Thanks a lot.
     
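    A small triage script for the kind of HijackThis log and shortcut target shown in the post above. This is an added example, not part of the thread or of HijackThis itself; the sample log lines are a constructed copy of entries from the post, and the "JavaScript Console" name is flagged only because the thread later identifies it with the CWS.Jsconsole variant.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the shape of the HijackThis 1.97 log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - Global Startup: PGPtray.lnk = C:\\Program Files\\PGP Corporation\\PGP for Windows 2000\\PGPtray.exe
O9 - Extra button: Microsoft JavaScript Console (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: Domain = Jmei.com
"""

# Desktop shortcut target quoted in the first post (constructed copy).
SHORTCUT_TARGET = '"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" http://www.casinopalazzo.com/index.php?sourceid=101969'

# Names the thread's cleanup later attributed to the CWS.Jsconsole hijacker.
SUSPECT_NAMES = ("jsconsole", "javascript console")

def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one HijackThis entry, or None if nothing stands out."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    lower = body.lower()
    if section == "O2" and body.endswith("(no file)"):
        return ("medium", "BHO CLSID is registered but its DLL is gone; orphaned entry, safe to fix")
    if section in ("O8", "O9") and any(n in lower for n in SUSPECT_NAMES):
        return ("high", "IE button/menu item named like the CWS.Jsconsole hijacker")
    if section == "O17":
        return ("review", "TCP/IP domain suffix set in the registry; confirm it is your own domain")
    # O16: ActiveX packages; the allow-list below is just the vendors seen in this log.
    if section == "O16" and not re.search(r"https?://([a-z0-9.-]+\.)?(msn|microsoft|apple|macromedia)\.com/", lower):
        return ("review", "ActiveX package downloaded from an unfamiliar host")
    return None

def triage_log(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each flagged log line to its (severity, reason)."""
    out = {}
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            out[line.strip()] = hit
    return out

def shortcut_launches_url(target: str) -> Optional[str]:
    """Return the URL if a .lnk target starts Internet Explorer with a URL argument
    (the pattern behind the 'default' icon in this thread), else None."""
    m = re.match(r'^"?(?P<exe>[^"]+?iexplore\.exe)"?\s+(?P<url>https?://\S+)$', target, re.I)
    return m.group("url") if m else None
```

    Running `triage_log(SAMPLE_LOG)` flags the orphaned BHO, the JavaScript Console button and the O17 domain entry, and leaves the PGP startup link and the QuickTime package alone.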
  2. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    I forgot to mention. If I just delete the icon, it comes back in about a day...

    Help... :'(
     
  3. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Anyone? *puppy*
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,425
    Location:
    Netherlands
    Hi e-kips,

    In HijackThis please click Config > Misc Tools > Generate Startuplist.
    That will produce a text file. Post back the content of that file.

    Regards,

    Pieter
     
  5. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey,

    Thanks a lot. Here's the content:

    StartupList report, 6/7/2004, 3:08:17 PM
    StartupList version: 1.52
    Started from : C:\Downloads\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\sfmprint.exe
    C:\WINNT\system32\PGPsdkServ.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ScsiAccess.EXE
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    StarUpdater =
    (Default) =
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    (Default) =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Steam =

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\system32\ssstars.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - {A5366673-E8CA-11D3-9CD9-0090271D075B}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Checkers Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\msgrchkr.dll
    CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.567974537

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #1: connwsp.dll (file MISSING)
    Protocol #2: connwsp.dll (file MISSING)
    Protocol #3: connwsp.dll (file MISSING)
    Protocol #4: connwsp.dll (file MISSING)
    Protocol #25: connwsp.dll (file MISSING)

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\system32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 5,370 bytes
    Report generated in 2.113 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,425
    Location:
    Netherlands
    Can you see if you can find this file: C:\WINDOWS\hxdefdrv.sys?
    Let me know.

    Regards,

    Pieter
     
  7. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Nope, can't find that file.

    Thanks for trying to help.
    I sure hope this thing will go away for good soon.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,425
    Location:
    Netherlands
    Worth a try:

    Download, unzip and run: http://members.aol.com/toadbee/hoster.zip

    In the *Add to hosts file* window type:
    127.0.0.1 www.casinopalazzo.com

    Then click *Add to Hosts file* button and the *Make Hosts ReadOnly* button.

    Then delete the shortcut. That way we will at least have made sure that your computer can no longer contact their site.

    Regards,

    Pieter
     
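    The hosts-file sinkhole described in the post above, written out as a checker and an idempotent adder so you can verify the entry actually took. This is an added example, not the Hoster tool's code; the hosts content is constructed in the Windows format (comments, tabs, several names per line).

```python
import ipaddress

# Constructed hosts file content with the entry the post above asks for.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.casinopalazzo.com   # added after the thread's advice
0.0.0.0\tads.example.test\tWWW.Example.Test
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank lines and case."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def blocked_hosts(text):
    """Hostnames pinned to a loopback or unspecified address, i.e. sinkholed.
    'localhost' legitimately maps to loopback, so it is not counted."""
    out = set()
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip it rather than trust it
        if name != "localhost" and (addr.is_loopback or addr.is_unspecified):
            out.add(name)
    return out

def is_blocked(text, hostname):
    """True if this exact hostname is sinkholed (no wildcard: casinopalazzo.com and
    www.casinopalazzo.com are separate entries)."""
    return hostname.lower().rstrip(".") in blocked_hosts(text)

def add_block(text, hostname, ip="127.0.0.1"):
    """Return the hosts text with hostname sinkholed; a second call is a no-op."""
    if is_blocked(text, hostname):
        return text
    sep = "" if text.endswith("\n") or not text else "\n"
    return f"{text}{sep}{ip} {hostname.lower()}\n"
```

    Note that the entry only covers the exact names listed; as the thread shows, the resident component that recreates the shortcut still needs to be removed.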
  9. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    It seems to have gone away by itself.
    Should it come back, I'll give this a try.

    Once again, thanks a lot! :D
     
  10. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Uh Oh... :( The problem is back.

    Now it's even more annoying. Basically, whenever I click any link, the casinopalazzo pop-up appears. I delete the shortcut, and it comes right back. I tried the Hoster thing above; it didn't fix the problem.

    Help....
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,425
    Location:
    Netherlands
    Hi e-kips,

    Can you find a file called jsconsole.dll on your computer?

    Regards,

    Pieter
     
  12. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey,

    Yes, I found it!

    There are 3 of them, 36 KB each.

    1 in C:\WINNT
    1 in C:\WINNT\system32
    1 in C:\Documents and Settings\Administrator\Local Settings\Temp

    Should I delete them?
     
  13. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Should I delete those files?
     
  14. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,425
    Location:
    Netherlands
    Sorry mate. Completely missed your posts.

    Download and run: CWShredder (version 1.59.0)
    Use the Fix button and follow the instructions you will receive.

    Let me know if and which ones it deletes.

    Regards,

    Pieter
     
  16. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey,

    It removed CWS.Alfasearch and CWS.Jsconsole.

    So should I be fine now?

    Thanks :D
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,425
    Location:
    Netherlands
    Do me a favor and check how many instances of jsconsole.dll are left.

    Regards,

    Pieter
     
  18. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    There are still 2 left.

    1 in C:\WINNT and
    1 in C:\Documents and Settings\Administrator\Local Settings\Temp

    What do I do about them?
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,425
    Location:
    Netherlands
    Hi e-kips,

    Can you mail me one? (zipped up if possible)
    pieterATwilderssecurity.org (replace AT with @)

    Then delete them.

    Regards,

    Pieter
     
  20. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Ok,

    I sent you one.

    Thanks again
     