Casinopalazzo Problem

Discussion in 'adware, spyware & hijack cleaning' started by e-kips, Jun 6, 2004.

Thread Status:
Not open for further replies.
  1. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey, I'm a newbie here, and I really need some help.

    This shortcut icon (looks like a big yellow X) named "default" was added to my desktop. Its target is ""C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.casinopalazzo.com/index.php?sourceid=101969".

    It causes random Casinopalazzo pop-ups to appear. I ran CWShredder, Spybot, Ad-aware, and HijackThis... nothing found.

    Can anyone help me? Here is my Hijack This log.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:22:21 PM, on 6/6/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\sfmprint.exe
    C:\WINNT\system32\PGPsdkServ.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ScsiAccess.EXE
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\WINDOWS\Desktop\Will\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\WINDOWS\Desktop\Will\FlashGet\jc_link.htm
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.567974537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Jmei.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Jmei.com

    Thanks a lot.
     
  2. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    I forgot to mention. If I just delete the icon, it comes back in about a day...

    Help... :'(
     
  3. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Anyone?
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi e-kips,

    In HijackThis please click Config > Misc Tools > Generate Startuplist.
    That will produce a text file. Post back the content of that file.

    Regards,

    Pieter
     
  5. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey,

    Thanks a lot. Here's the content:

    StartupList report, 6/7/2004, 3:08:17 PM
    StartupList version: 1.52
    Started from : C:\Downloads\HijackThis.EXE
    Detected: Windows 2000 SP4 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\sfmprint.exe
    C:\WINNT\system32\PGPsdkServ.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ScsiAccess.EXE
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\mqsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Downloads\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    StarUpdater =
    (Default) =
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    (Default) =

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Steam =

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\system32\ssstars.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - {A5366673-E8CA-11D3-9CD9-0090271D075B}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Checkers Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\msgrchkr.dll
    CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.567974537

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
    CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #1: connwsp.dll (file MISSING)
    Protocol #2: connwsp.dll (file MISSING)
    Protocol #3: connwsp.dll (file MISSING)
    Protocol #4: connwsp.dll (file MISSING)
    Protocol #25: connwsp.dll (file MISSING)

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\system32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 5,370 bytes
    Report generated in 2.113 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
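    The HijackThis log in the first post and the StartupList report above carry the clues that the rest of the thread turns on: a BHO with no backing file, the "JavaScript Console" O9 entries (later identified as CWS.Jsconsole), autorun values with empty commands, and a Winsock LSP chain pointing at a DLL that is not there. Below is an added example of a first-pass triage over that output; it is not code from the thread, from HijackThis or from StartupList. The two sample texts are constructed excerpts of the logs posted above, and the rules are a helper's first-look heuristics (an assumption), not a signature database.

```python
"""First-pass triage of a HijackThis log and a StartupList report.
Added example for this thread; the rules below are heuristics, not
signatures, and the sample texts are constructed excerpts of the posted logs."""
from __future__ import annotations
import re

# Constructed excerpt of the HijackThis log posted in the first message.
HIJACKTHIS_LOG = """\
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - Global Startup: PGPtray.lnk = C:\\Program Files\\PGP Corporation\\PGP for Windows 2000\\PGPtray.exe
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: Domain = Jmei.com
"""

# Constructed excerpt of the StartupList report posted above.
STARTUPLIST_REPORT = """\
Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

StarUpdater =
(Default) =
QuickTime Task = "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: connwsp.dll (file MISSING)
Protocol #25: connwsp.dll (file MISSING)
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")      # "O9 - Extra button: ..."
RUN_VALUE = re.compile(r"^(.+?) =\s*(.*)$")    # "Name = command"


def triage_hijackthis(log: str) -> list[tuple[str, str, str]]:
    """Return (section, why, line) for HijackThis lines worth a second look."""
    findings = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        if section == "O2" and "(no file)" in low:
            # Either an orphaned CLSID or a DLL the scanner cannot see.
            findings.append((section, "BHO registered but its DLL is not visible", raw))
        elif section == "O9" and "javascript" in low and "console" in low:
            # Check which DLL backs the button; CWS.Jsconsole registers one.
            findings.append((section, "IE extra button/menu item: verify the backing DLL", raw))
        elif section == "O17":
            findings.append((section, "TCP/IP domain suffix set: confirm it is your own network", raw))
    return findings


def triage_startuplist(report: str) -> list[tuple[str, str, str]]:
    """Return (section, why, line) for StartupList lines worth a second look."""
    findings = []
    section = None
    for raw in report.splitlines():
        s = raw.strip()
        if s.startswith("Autorun entries from Registry:"):
            section = "run"
        elif s.startswith("Enumerating Winsock LSP files:"):
            section = "lsp"
        elif s.startswith("---") or s.endswith(":"):
            section = None  # separator or some other section header
        elif section == "run":
            m = RUN_VALUE.match(s)
            if m and m.group(1) != "(Default)" and m.group(2) == "":
                findings.append(("Run", "autorun value with an empty command: read the registry value directly", s))
        elif section == "lsp" and "(file MISSING)" in s:
            # A broken LSP chain breaks networking; repair it, do not just delete the entry.
            findings.append(("LSP", "Winsock LSP entry points at a missing DLL", s))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(HIJACKTHIS_LOG) + triage_startuplist(STARTUPLIST_REPORT):
        print(f"[{f[0]}] {f[1]}: {f[2]}")
```

    Two things to keep in mind when reading the output: an O2 "(no file)" entry can also mean the file is hidden from the scanner rather than gone, which is why a rootkit driver was asked about next in the thread, and the LSP findings are a warning to repair the chain with a proper tool, since deleting a missing-provider entry by hand can leave Winsock unusable.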
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you see if you can find this file: C:\WINDOWS\hxdefdrv.sys ?
    Let me know.

    Regards,

    Pieter
     
  7. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Nope, can't find that file.

    Thanks for trying to help.
    I sure hope this thing will go away for good soon.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Worth a try:

    Download, unzip and run: http://members.aol.com/toadbee/hoster.zip

    In the *Add to hosts file* window type:
    127.0.0.1 www.casinopalazzo.com

    Then click *Add to Hosts file* button and the *Make Hosts ReadOnly* button.

    Then delete the shortcut. We will at least have accomplished that your computer can no longer contact their site.

    Regards,

    Pieter
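    The same steps the Hoster procedure above performs (add a loopback entry for the site, then mark the hosts file read-only), written out by hand as an added example; it is not code from the thread or from Hoster. The file path, the second hostname (the bare casinopalazzo.com, which the thread does not mention) and the returned bookkeeping are assumptions. On a live Windows box the file is %SystemRoot%\System32\drivers\etc\hosts and editing it needs administrator rights.

```python
"""Sinkhole hostnames in a hosts file and set it read-only.
Added example for this thread; the demo runs against a temporary file."""
from __future__ import annotations
import stat
import tempfile
from pathlib import Path

SINKHOLE_IP = "127.0.0.1"


def parse_hosts(text: str) -> dict[str, str]:
    """Map hostname -> ip for every active entry; comments are stripped."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)  # first entry wins, as the resolver does
    return mapping


def add_sinkhole(path: Path, hostnames: list[str], ip: str = SINKHOLE_IP) -> dict[str, list[str]]:
    """Append 'ip hostname' for names not yet mapped, then set the file read-only.
    Returns which names were added, already sinkholed, or mapped elsewhere."""
    path = Path(path)
    if path.exists():
        path.chmod(path.stat().st_mode | stat.S_IWRITE)  # clear read-only so we can append
        existing = parse_hosts(path.read_text())
    else:
        existing = {}
    result: dict[str, list[str]] = {"added": [], "already": [], "conflicts": []}
    new_lines = []
    for name in hostnames:
        name = name.strip().lower()
        current = existing.get(name)
        if current == ip:
            result["already"].append(name)
        elif current is not None:
            # An earlier entry wins over anything we append; inspect it by hand.
            result["conflicts"].append(f"{name} -> {current}")
        else:
            new_lines.append(f"{ip} {name}")
            result["added"].append(name)
    if new_lines:
        with path.open("a") as fh:
            fh.write("".join(line + "\n" for line in new_lines))
    # Read-only is only a speed bump: anything running as admin can clear it again.
    path.chmod(path.stat().st_mode & ~stat.S_IWRITE)
    return result


def is_read_only(path: Path) -> bool:
    return not (Path(path).stat().st_mode & stat.S_IWRITE)


def demo() -> tuple[dict, dict, bool, dict]:
    """Constructed run: fresh temp hosts file, then a repeat call to show idempotence."""
    hosts = Path(tempfile.mkdtemp()) / "hosts"
    hosts.write_text("127.0.0.1 localhost\n")
    # casinopalazzo.com without www is an assumption, not something the thread names.
    first = add_sinkhole(hosts, ["www.casinopalazzo.com", "casinopalazzo.com"])
    second = add_sinkhole(hosts, ["www.casinopalazzo.com"])
    return first, second, is_read_only(hosts), parse_hosts(hosts.read_text())


if __name__ == "__main__":
    print(demo())
```

    The caveat, which the next posts bear out, is that a hosts entry only stops the browser from reaching that one name; it does nothing to the component that keeps recreating the shortcut, and a site that moves to another hostname is reachable again.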
     
  9. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    It seems to have gone away by itself.
    Should it come back, I'll give this a try.

    Once again, thanks a lot! :D
     
  10. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Uh Oh... :( The problem is back.

    Now it's even more annoying. Basically, whenever I click any link, the casinopalazzo pop-up appears. I delete the shortcut, and it comes right back. I tried the Hoster thing above; it didn't fix the problem.

    Help....
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi e-kips,

    Can you find a file called jsconsole.dll on your computer?

    Regards,

    Pieter
     
  12. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey,

    Yes, I found it!

    There are 3 of them, 36 KB each.

    1 in C:\WINNT
    1 in C:\WINNT\system32
    1 in C:\Documents and Settings\Administrator\Local Settings\Temp

    Should I delete them?
     
  13. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Should I delete those files?
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Sorry mate. Completely missed your posts.

    Download and run: CWShredder (version 1.59.0)
    Use the Fix button and follow the instructions you will receive.

    Let me know if and which ones it deletes.

    Regards,

    Pieter
     
  16. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Hey,

    It removed CWS.Alfasearch and CWS.Jsconsole.

    So should I be fine now?

    Thanks :D
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Do me a favor and check how many instances of jsconsole.dll are left.

    Regards,

    Pieter
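    Checking how many copies of a file are left, as asked above, is worth doing with hashes rather than by eye: CWShredder removed one jsconsole.dll, two remained, and the size alone (36 KB each) does not say whether they are the same sample or not. Below is an added example of that check; it is not code from the thread or from CWShredder. The search roots, the stand-in file contents and the directory layout in the demo are constructed to mirror the three locations reported in the thread.

```python
"""Find every copy of a filename under some roots and hash it.
Added example for this thread; the demo builds a throwaway tree."""
from __future__ import annotations
import hashlib
import os
import tempfile
from pathlib import Path


def find_copies(roots: list[Path], filename: str) -> list[tuple[str, int, str]]:
    """Case-insensitive search (Windows file names are) returning (path, size, sha256).
    Directories that cannot be read are skipped rather than aborting the walk."""
    target = filename.lower()
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for name in files:
                if name.lower() != target:
                    continue
                p = Path(dirpath) / name
                try:
                    data = p.read_bytes()
                except OSError:
                    continue  # locked or unreadable; note it by hand
                hits.append((str(p), len(data), hashlib.sha256(data).hexdigest()))
    return sorted(hits)


def group_by_hash(hits: list[tuple[str, int, str]]) -> dict[str, list[str]]:
    """Identical hashes mean one sample in several places; one copy is enough to submit."""
    groups: dict[str, list[str]] = {}
    for path, _size, digest in hits:
        groups.setdefault(digest, []).append(path)
    return groups


def demo() -> tuple[list[tuple[str, int, str]], dict[str, list[str]]]:
    """Constructed tree: the three locations from the thread, two copies identical."""
    base = Path(tempfile.mkdtemp())
    same = b"MZ" + b"\x00" * 100      # stand-in bytes, not a real DLL
    other = b"MZ" + b"\x01" * 100
    layout = [
        ("WINNT/jsconsole.dll", same),
        ("WINNT/system32/JSCONSOLE.DLL", same),
        ("Documents and Settings/Administrator/Local Settings/Temp/jsconsole.dll", other),
    ]
    for rel, data in layout:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    hits = find_copies([base], "jsconsole.dll")
    return hits, group_by_hash(hits)


if __name__ == "__main__":
    hits, groups = demo()
    for path, size, digest in hits:
        print(f"{size:>8}  {digest[:16]}  {path}")
    print(f"{len(hits)} copies, {len(groups)} distinct samples")
```

    A user-mode walk like this trusts the filesystem API; a file-hiding rootkit (the reason for the hxdefdrv.sys question earlier in the thread) would keep its copies out of the listing, so when that is suspected the count should be repeated from a clean boot environment.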
     
  18. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    There are still 2 left.

    1 in C:\WINNT and
    1 in C:\Documents and Settings\Administrator\Local Settings\Temp

    What do I do about them?
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi e-kips,

    Can you mail me one? (zipped up if possible)
    pieterATwilderssecurity.org (replace AT with @)

    Then delete them.

    Regards,

    Pieter
     
  20. e-kips

    e-kips Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    13
    Ok,

    I sent you one.

    Thanks again
     