Hi
I still have HijackThis reporting R0 and R1 registry values set to www.2020search.com
as well as O15 trusted zone lines set to:
*.i-lookup.com
*.teensguru.com
*.offshoreclicks.com
*.xxxtoolbar.com
I ran SpywareBlaster setup, CWShredder, Ad-aware 6, Spybot, Xtracer, and finally HijackThis with the latest updates (with a reboot between the different executions, at computer startup, and offline), but I still have my IExplorer home page hijacked and a VIPru.com favorite added illegally, as well as shortcuts (loans, sex, etc.) on my desktop.
I have done a lot of research on the net to find a solution, without any success. Any idea??
Thank you for your help
Talk to you soon

There's an uninstaller on their web site.
Uninstall 2020search
So far as the O15's, have HJT fix them.

Hi Blender,
Here it is:
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv50.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WebSiteViewer\122691.dlr
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Downloads\VirusDefense\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.exe" /s
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [sp] C:\WINNT\sp.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx
Thanks for your help

cahuet
While offline check the following in hijack:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll
O4 - HKCU\..\Run: [sp] C:\WINNT\sp.exe
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
Close any open windows and click "fix checked"
Reboot to safe mode, offline and delete the following if still present:
c:\winnt\winres.dll <- file
c:\winnt\sp.exe <- file
Rerun your Ad-aware and Spybot (while in safe mode to remove what they find)
Reboot to normal windows and go here for virus scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
You will need to disable your own av to prevent conflicts.
Post new log when done.
______________________________
I never give up!

cahuet
Before removing the O4 for:
O4 - HKCU\..\Run: [sp] C:\WINNT\sp.exe
Or deleting the file sp.exe....can you check its properties please?
I am not sure on that one....more research shows it may be valid...
Let me know what it is....thanks...sorry for confusion.
__________________________
I never give up!

I have the same problem with this HJ; I want to know if by doing those things you could solve the problem, so as to follow the same steps...
ty
jp

I can't get rid of this Golden Palace Casino that keeps downloading, or the XXX toolbar....I ran HijackThis, but I don't know what to delete...can somebody help me?

Cassandra
I had golden palace and xxxtoolbar on my 98 machine...I removed most of it by going to add/remove programs and removing:
CasProg
xxxtoolbar
CSync...comes with the toolbar and is spyware
n-case
ncase ads delivery...comes with xxx crap and is adware...you will be taken to a website to download the uninstaller.
IST
ISTsvc...part of the xxxtoolbar
Internet optimiser...comes with that toolbar
Active alert...comes with the toolbar
***note***
All those programs I listed may not be there, but do remove any of the ones that are in my list above.
After you have removed what you can with add/remove...reboot when it tells you, and you need to be online for most of them because the site that installed it will uninstall it.
Download these 3 programs for both protection and removal of what is left. Once installed, update all 3 programs.
Spywareblaster...once updated, click the select all button, then click the "protect from checked items" button.
Spybot...after updating, run its scan (turn off your antivirus to prevent conflicts) and remove all in red.
Ad-aware...after updating, close it and restart the program, then set up the following:
Click the gear icon on top of window
click scanning button on left...check everything you can there...green=on
Click tweak on left...
click the+ beside scanning engine, make sure this is green:
unload recognized processes during scanning
Click the+ beside cleaning engine
Make sure this is green:
Let windows remove files in use at next reboot
Click proceed at bottom of window
click start
check use custom scanning options
Make sure Activate in depth scan is green
Click next
Let it remove all found.
Make sure you have all your Windows updates; there have been many security-related issues fixed that will help prevent re-infection.
And if you haven't already...it wouldn't hurt to do a full system scan with antivirus.
Here is an online scanner if you need it:
If you use the online scanner...turn off your antivirus to prevent conflicts.
Once you have done all that...start your own new thread if you want to post a HijackThis log...but do say you used Spybot and Ad-aware to clean up first. (there will still be a few things to remove (fix))
All the above programs are free.
Jp
Follow the same advice as I gave Cassandra
_________________________________
I never give up!

Hi,
I think I have a similar problem: my about:blank page was hijacked with some internet search. The only thing I could do was remove the links to a file "winres.dll" from the registry. It helped, but I wonder whether it is an original Windows file or some trojan created it. One more thing: is it possible that the trojan is still there?
Lamers everywhere!

Hey Jp, I did everything you said, and Golden Palace Casino is still downloading. Here is my hijackthis log...thanks so much!!! ~Cassandra
Logfile of HijackThis v1.97.7
Scan saved at 4:24:37 PM, on 2/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\uvtqaxhq.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Ares\ares.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\CASSANDRA\My Documents\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.globalcomputer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://ucf.proxy.fcla.edu:8888
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C048B794-38AE-C293-FEFE-81DF7AD8FE08} - C:\WINDOWS\system32\vykulgti.dll
O2 - BHO: (no name) - {EFBDCDCC-BC0A-F92F-96CA-833D8BFD563C} - C:\WINDOWS\system32\poibtyab.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [onlhidhd] C:\WINDOWS\eydcnpsm.exe
O4 - HKLM\..\Run: [WinFavorites] C:\Program Files\WinFavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [xgnvkyza] C:\WINDOWS\System32\uvtqaxhq.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\tpsaqfgv.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\ares.exe" -h
O4 - HKLM\..\RunOnce: [RealPlayer_update] C:\Program Files\America Online 9.0\Jiti\Real9_codec_upd.exe restart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

mmmiha
That winres.dll is one of the CoolWebSearch trojan variants...
Link to CWShredder...removal tool. Second one in the list.
Run the tool while offline, with all windows closed except for CWShredder.
http://www.lurkhere.com/~nicefiles/
The tool will check for and remove any other variants and remains of the one you have (had).
To prevent it from happening again....visit Windows Update, install all critical updates and service packs for both Windows and Internet Explorer.
_________________________________
I never give up!

Cassandra
Just so I don't confuse you...I was giving Jp pretty much the same advice.
First, place HijackThis in its own folder in your "my documents" folder...the program makes backups and will make a mess of your documents folder.
Start hijackthis and check all the following:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C048B794-38AE-C293-FEFE-81DF7AD8FE08} - C:\WINDOWS\system32\vykulgti.dll
O2 - BHO: (no name) - {EFBDCDCC-BC0A-F92F-96CA-833D8BFD563C} - C:\WINDOWS\system32\poibtyab.dll
O4 - HKLM\..\Run: [onlhidhd] C:\WINDOWS\eydcnpsm.exe
O4 - HKLM\..\Run: [WinFavorites] C:\Program Files\WinFavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [xgnvkyza] C:\WINDOWS\System32\uvtqaxhq.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\tpsaqfgv.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
Close all windows except hijack and click "fix checked"
Reboot the computer to SAFE mode (tap f8 while booting)
Show hidden and system files:
Start> settings> control panel> folder options> View> Check "show hidden files and folders"> click apply> click ok.
Search for and delete the following files/folders:
C:\WINDOWS\eydcnpsm.exe <- file
C:\Program Files\WinFavorites <- folder
C:\WINDOWS\System32\P2P Networking <- folder
C:\WINDOWS\System32\uvtqaxhq.exe <-file
C:\WINDOWS\System32\tpsaqfgv.exe <-file
c:\program files\WebsavingsFromEbates <- folder
Reboot to normal Windows, visit Windows Update, and install all updates listed including SP1; there are many for both Windows and Internet Explorer.
That should take care of most of the baddies but I do have a couple questions..
Is globalcomputer.com your homepage?
Can you go to c:\windows\system32\zzb.exe, right click the file> properties> and tell me whatever info you get from the properties box please?
Also for this one, unless you can tell me...
c:\program files\ares\ares.exe <- this file
I am particularly interested in who made them and the date created (when installed on your computer).
Can you also post a fresh log too please?
Thanks!
_________________________________
I never give up!
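The two fix lists in this thread (the 2020search/O15 list posted earlier for cahuet's log, and the list just above for Cassandra's) apply the same reading of a HijackThis log: R0/R1 entries pointing at an outside search host, O15 Trusted Zone additions, BHOs and Run entries that load from the Windows directory root or carry generated-looking eight-letter names, and DPF entries with no source URL. The Python script below is an added example, not HijackThis's own code and not anything posted in the thread; it parses entries in the log format quoted here and flags those patterns for review. The sample log is constructed from lines quoted in this thread, the eight-letter name heuristic is tuned to the names seen here, and `expected_search_hosts` is an assumed allowlist the reader fills in with the search provider they actually set.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample log, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll
O2 - BHO: (no name) - {C048B794-38AE-C293-FEFE-81DF7AD8FE08} - C:\WINDOWS\system32\vykulgti.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [sp] C:\WINNT\sp.exe
O4 - HKLM\..\Run: [xgnvkyza] C:\WINDOWS\System32\uvtqaxhq.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O15 - Trusted Zone: *.i-lookup.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")
# Heuristic tuned to the names in this thread: eight lowercase letters plus .exe/.dll
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")

@dataclass
class Entry:
    kind: str  # HijackThis section tag: R0, R1, O2, O4, O15, O16, ...
    body: str  # text after "<kind> - "
    raw: str

@dataclass
class Finding:
    kind: str
    raw: str
    reason: str

def parse_log(text: str) -> list[Entry]:
    """Keep only lines that look like HijackThis entries; the process list etc. is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["body"], line))
    return entries

def _host_of(url: str):
    m = re.match(r"https?://([^/\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None

def _clean(path: str) -> str:
    return path.strip().strip('"')

def _in_windows_root(path: str) -> bool:
    """True for a file sitting directly in the Windows directory (WINDOWS or WINNT), not a subfolder."""
    p = _clean(path).lower()
    return any(p.startswith(d) and "\\" not in p[len(d):] for d in WINDOWS_DIRS)

def _looks_generated(path: str) -> bool:
    return RANDOM_NAME_RE.match(_clean(path).rsplit("\\", 1)[-1].lower()) is not None

def _exe_path(cmd: str) -> str:
    """Split the executable off an O4 command line (quoted, or the first token ending in an extension)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|ocx|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def triage(entries: Iterable[Entry], expected_search_hosts: Iterable[str] = ()) -> list[Finding]:
    """Report entries worth a second look. Nothing here modifies the system."""
    expected = {h.lower() for h in expected_search_hosts}
    findings = []
    for e in entries:
        reason = None
        if e.kind in ("R0", "R1"):
            host = _host_of(e.body.partition(" = ")[2])
            if host and host not in expected:
                reason = f"IE start/search setting points at {host}"
        elif e.kind == "O2":  # body: "BHO: <name> - {CLSID} - <path>"
            name, _, rest = e.body.removeprefix("BHO: ").partition(" - ")
            path = rest.partition(" - ")[2]
            if _in_windows_root(path):
                reason = f"BHO '{name}' loads from the Windows directory root"
            elif _looks_generated(path):
                reason = f"BHO '{name}' has a generated-looking file name"
        elif e.kind == "O4":  # body: "HKLM\..\Run: [<value name>] <command>"
            m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", e.body)
            if m:
                path = _exe_path(m["cmd"])
                if not m["name"]:
                    reason = "Run entry with an empty value name"
                elif _in_windows_root(path):
                    reason = "Run entry starts a file from the Windows directory root"
                elif _looks_generated(path):
                    reason = "Run entry starts a generated-looking file name"
        elif e.kind == "O15":
            reason = "site added to the IE Trusted Zone, where security settings are relaxed"
        elif e.kind == "O16":
            url = e.body.rsplit(" - ", 1)[1] if " - " in e.body else ""
            if not _host_of(url):
                reason = "ActiveX download entry with no source URL"
        if reason:
            findings.append(Finding(e.kind, e.raw, reason))
    return findings

if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.kind:<4}{f.reason}\n    {f.raw}")
```

Flagged entries are candidates for review, not a verdict: the thread itself notes that sp.exe might be legitimate, which is why the script only reports and never fixes or deletes anything. Legitimate entries such as the Winamp agent and the Acrobat helper pass through untouched because they live under Program Files with normal file names.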

Hi, I think I solved the problem; it seems that my pc had a CWS.Googlemsn.
I used HijackThis and CWShredder, and I also deleted the file winres.dll, which I think was the file that installed the problem every time the pc was rebooted. Then I also had a file called svshost, similar to svchost, but the first one is a kind of hj or similar.
Well, ty for the help and suggestions.
Bye.
Sorry for my poor English.
jp..

JP
Hi..Glad you got it fixed up.
You are right, the file winres.dll is one of the CWS variants.
The file svshost is a result of a virus. You may want to do an online scan, or make sure your own antivirus is up to date and run a scan with it.
If you had the Googlemsn CWS hijack, you might want to check to see if your Windows Media Player works ok. Sometimes the hijacker will replace the Windows Media Player with its trojan.
If you find your Windows Media Player does not work...you can re-install it here:
For Windows 95/me/nt4/2000/xp:
http://www.microsoft.com/windows/windowsmedia/9series/player.aspx
Make sure you check for updates when done installing it...there have been updates since Media Player 9 came out.
For windows 98 gold:
http://www.microsoft.com/windows/windowsmedia/software/playerV7.aspx
Online scans:
Turn off your own antivirus to run any of those scans.
If they report clean as well as your own...you are ok.
Good luck
_____________________________________
I never give up!
