casinopalazzo

Discussion in 'adware, spyware & hijack cleaning' started by Hemiten, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Hi!
    I have a problem with a pop up window that directs me to casinopalazzo.com
    I used SpyBot, and here's my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 13:52:32, on 2004-06-19
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Apoint2K\Apoint.exe
    C:\Program\LAUNCH~1\QtaET2S.EXE
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program\ICQLite\ICQLite.exe
    C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\PROGRAM\AIM\aim.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ägaren\Lokala inställningar\Temp\Temporär katalog 20 för hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tt.se/start
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LManager] C:\Program\LAUNCH~1\QtaET2S.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA34799-218E-4672-9C17-5B3CED6D14B0}: NameServer = 193.11.224.135,193.11.241.11,193.11.226.3,217.28.194.41
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com


    Thanx for helping me!
    Simon
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Hemiten,

    Before you start, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\2.bin\MYBAR.DLL (file missing)

    Please download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot and keep us posted.

    Regards,

    Pieter
     
  3. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Thanx Pieter, hopefully everything will work now!
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  5. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    Hi again!
    Now the same page (casinopalazzo) is back again. I ran HijackThis to delete the same item as last time, but now there was no item with the same name. So let's start all over again...
    I used Spybot, and here's my log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:20:06, on 2004-06-22
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Apoint2K\Apoint.exe
    C:\Program\LAUNCH~1\QtaET2S.EXE
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Documents and Settings\Ägaren\Lokala inställningar\Temp\Temporär katalog 26 för hijackthis1977.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tt.se/start
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [Apoint] C:\Program\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LManager] C:\Program\LAUNCH~1\QtaET2S.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA34799-218E-4672-9C17-5B3CED6D14B0}: NameServer = 193.11.224.135,193.11.241.11,193.11.226.3,217.28.194.41
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = gsnet.se,guldheden.com
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Hemiten,

    Actually it was CWShredder that cured it last time (at least, that was my objective).
    Did you try that again?
    And do a Find Files for jsconsole.dll and let me know how many and where you find them.

    Regards,

    Pieter
     
  7. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    I tried the CWShredder, but it didn't work. An icon called "Default" that leads to casinopalazzo is still on my desktop. According to CWShredder my system is completely clean. The jsconsole.dll file is in C:\WINDOWS\system32, should I delete it?
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Hemiten,

    Before you delete it can you check the date and time it was created?
    Then do a Find Files for anything that arrived at about the same time.

    TIA,

    Pieter
     
  9. Hemiten

    Hemiten Registered Member

    Joined:
    May 27, 2004
    Posts:
    10
    It doesn't say when it was created. It was changed Sept 9th though and used today (June 22nd).
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Can you rename it to jsconsol.bak?

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - Startup: PowerReg Scheduler.exe

    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

    Then reboot and delete the icon on your desktop.
    Keep us posted.

    Regards,

    Pieter
     
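An added example, not code from this thread or from HijackThis itself: a small Python parser for the HijackThis log format posted above. It diffs the Jun 19 and Jun 22 logs (surfacing the new O4 Startup item) and flags the entry patterns the replies act on: entries marked "(file missing)", Startup items given as a bare filename, and O9 buttons registered under both HKLM and HKCU. The excerpt logs are constructed from lines on this page; the flag labels are my own.

```python
import re

# Constructed excerpt of the two HijackThis logs posted in this thread (Jun 19 and Jun 22),
# trimmed to the lines that differ or that the replies act on.
LOG_JUN19 = r"""
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
"""
LOG_JUN22 = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
"""

# Every HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O9 bodies name an IE button/menu item and the registry hive it lives in.
O9_RE = re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.+?) \((?P<hive>HKLM|HKCU)\)$")

def parse(log):
    """Return (section, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries

def diff_logs(old, new):
    """(entries added since the older log, entries that disappeared from it)."""
    a, b = set(parse(old)), set(parse(new))
    return sorted(b - a), sorted(a - b)

def triage(log):
    """Flag the patterns the replies in this thread act on; labels are assumed names."""
    flags, o9_hives = [], {}
    for section, body in parse(log):
        if "(file missing)" in body:
            flags.append(("stale", section, body))  # autorun/toolbar entry whose file is gone
        elif section == "O4" and body.startswith("Startup: ") and "\\" not in body:
            flags.append(("startup-no-path", section, body))  # per-user Startup item, bare name
        elif section == "O9" and (m := O9_RE.match(body)):
            o9_hives.setdefault(m["name"], set()).add(m["hive"])
    for name, hives in o9_hives.items():
        if hives == {"HKLM", "HKCU"}:  # same IE button registered per-machine and per-user
            flags.append(("o9-both-hives", "O9", name))
    return flags
```

Running diff_logs on the two full logs from the thread shows the My &Search Bar entry gone after the first fix and PowerReg Scheduler.exe as the only new autorun, which is what the later replies single out.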