Golden Palace Casino EXE
Original Message
Name: Threedoc
Date: December 6, 2003 at 00:48:23 Pacific
Subject: Golden Palace Casino EXE OS: xp CPU/Ram: 2700 ddr 256
Comment: Every time I start up my computer this Golden Palace casino gets downloaded. It installs itself and asks me if I want to play. I say no of course and delete it right away. But if I leave my computer unattended it will DL it again and install. If I delete everything and reboot it still does the same. Can anyone point me in the right direction? Any help would be appreciated. P.S. I ran Spybot and it does not pick it up.
Response Number 1
Name: elric
Date: December 6, 2003 at 11:08:17 Pacific
Reply: G'day, Unfortunately, this is becoming more and more of a problem. I still have problems with these "low lifes" imposing their crap on my machine, despite the fact that I have all the current tools (ZoneAlarm, Ad-Aware, AVG, Spybot, Homepage Defender, Bazooka, SpywareBlaster, WebWasher, trojan detector... the list goes on). But I guess they are only effective against the then known threats; new ones pop up all the time. And if you followed the excellent links provided by abnormal (it may have fallen off the main page...) you will realise that to have any real fun or usefulness out of your internet experience you need ActiveX scripts enabled for IE5 and above, and that's where the problem starts. So, here are a few tips (which will no doubt be expanded upon by other learned people on this forum):

1. Always look at your startup programs, i.e. click on Start, click on Run and type in msconfig and press OK. Select the startup folder. This is a place where programmes and scripts etc. are loaded every time your computer boots up (that's why when you delete everything it just pops up again when you next start your computer). You will see check boxes next to each one for the purpose of selecting or de-selecting. If you don't have a good feel for what should or shouldn't be there, then write down the list and post it here. A good guide for this, if it is just a hijack attempt, is that the offending URL will be on there (i.e. www.casino or whatever it is called).
2. Look at the boot options: i.e. in the same place click on the WIN.INI tab and click the [windows] listing. You will see entries like load= and run=: they should both contain empty strings.
3. Cross to the SYSTEM.INI tab and select the [boot] option. Here the point of interest is that the shell=Explorer.exe line should be just that, and not something like shell=explorer.exe msapp.exe %1 or similar.
4. If you do find names of files in these places, then run them through a good search engine like Google and you will be surprised with all the help you will get from the hits.
5. A bit of detective work goes a long way. I once solved a hijack for a friend by getting him to tell me when his problem started: we then used Windows Explorer to find files created and/or modified on that date/time. Once isolated (renamed to *.old) the problem was near to being solved (*.hta files are a dead giveaway here).

Well, that's just a few ideas/tips that I have collected; it would probably still be a good idea to get a copy of HijackThis and post the results on this forum. However, despite all this I got up one sunny Sunday morning, with my usual intent of going over the weekend's soccer results and match reports, only to find just my screensaver and a working mouse on the screen... No Explorer, no icons, no shortcuts... Took me a whole Sunday to get my computer back to normal; but that's another post. Good luck, Elric
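Elric's tips 2 and 3 (the load= and run= lines under [windows] in win.ini, and the shell= line under [boot] in system.ini) can be checked mechanically. The script below is an added example and not part of Elric's post or of any tool he names: it reads the two files with a small hand-written INI parser and reports when load= or run= carries a value or when shell= is anything other than Explorer.exe. The two sample file pairs are constructed for the demonstration (the hijacked shell= value is the one Elric quotes; EXAMPLE_DROPPER.exe is a placeholder name, not a file from this thread), and parse_ini and check_boot_hooks are names chosen here.

```python
"""Check the boot-time hooks Elric lists: win.ini [windows] load=/run= and
system.ini [boot] shell=.  Added example, not part of Elric's post; the INI
reader is hand-written and the sample files below are constructed."""


def parse_ini(text: str) -> dict:
    """Return {section: {key: value}} with section and key names lower-cased.

    Deliberately simpler than configparser: win.ini and system.ini contain
    bare tokens without '=' and duplicate keys, and only the values matter
    here, so every non-comment line is split on its first '=' and kept."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:          # stray line before any section header
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_boot_hooks(win_ini: str, system_ini: str) -> list:
    """Return a list of findings; an empty list means all three hooks are clean."""
    findings = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        value = windows.get(key, "")
        if value:                    # anything at all here is worth a look
            findings.append(f"win.ini [windows] {key}={value} (should be empty)")
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell.lower() != "explorer.exe":
        findings.append(f"system.ini [boot] shell={shell} (should be exactly Explorer.exe)")
    return findings


# Constructed samples.  The hijacked shell= line is the one Elric quotes;
# EXAMPLE_DROPPER.exe is a placeholder name, not a file from this thread.
CLEAN_WIN_INI = """\
[windows]
load=
run=
NullPort=None

[Extensions]
txt=notepad.exe ^.txt
"""

HIJACKED_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\EXAMPLE_DROPPER.exe
NullPort=None
"""

CLEAN_SYSTEM_INI = """\
[boot]
shell=Explorer.exe

[drivers]
wave=mmdrv.dll
timer=timer.drv
"""

HIJACKED_SYSTEM_INI = """\
[boot]
shell=explorer.exe msapp.exe %1
"""

if __name__ == "__main__":
    for label, w, s in (("clean", CLEAN_WIN_INI, CLEAN_SYSTEM_INI),
                        ("hijacked", HIJACKED_WIN_INI, HIJACKED_SYSTEM_INI)):
        findings = check_boot_hooks(w, s)
        print(f"{label}: {'no findings' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

On a live machine the two files live in the Windows directory and their contents can be passed to check_boot_hooks straight from disk; msconfig only displays these lines, it does not judge them, so the comparison here is what the eyeball check in tips 2 and 3 amounts to.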
Response Number 4
Name: Dan Bogdanow
Date: December 8, 2003 at 12:41:39 Pacific
Reply:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B55C92E8-1ED7-FEDC-757F-FD6C53C729CC} - C:\WINDOWS\system32\nsvvjnic.dll
O2 - BHO: (no name) - {F7E6F43E-AABB-8DDA-F4CB-DAB1ABC0C2BD} - C:\WINDOWS\system32\cmeunvav.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [opcwplvz] C:\WINDOWS\dxdagvjt.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [waimksct] C:\WINDOWS\System32\ncjooqym.exe
O4 - HKLM\..\Run: [CFPSVYC] C:\WINDOWS\CFPSVYC.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Danny\Application Data\DownloadPlus.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud3.sports.yahoo.com/java/y/mlbst8298_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud1.sports.yahoo.com/java/y/nflgcst1008_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/075bd4dafaeb01352116/netzip/RdxIE601.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.230.208.134/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37750.8326041667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab

That's my log. Golden Palace opens up every few hours, installs itself on my computer, and starts. Any help would be awesome, thanks so much.
Response Number 5
Name: Lauren FitzHugh
Date: December 8, 2003 at 19:13:44 Pacific
Reply: I have the same problem with the Golden Palace Casino as you do; here's my HijackThis log file.

Logfile of HijackThis v1.97.7
Scan saved at 9:59:07 PM, on 12/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4serv.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\xevavgvx.exe
C:\WINDOWS\System32\hvifkvll.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lauren\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4FD4E9FB-62A3-BB91-7E45-A57599C18ACE} - C:\WINDOWS\system32\ehumxqtx.dll
O2 - BHO: (no name) - {6F67C06C-9945-F7C7-8AE5-8BEE9D92369C} - C:\WINDOWS\system32\ythkebrv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [NPDTray] C:\PROGRA~1\ThinkPad\UTILIT~1\NPDTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [oecbnzuk] C:\WINDOWS\xevavgvx.exe
O4 - HKLM\..\Run: [kycsdwdv] C:\WINDOWS\System32\hvifkvll.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Response Number 6
Name: Robert Berend
Date: December 9, 2003 at 07:00:34 Pacific
Reply: The offending program appears to be foarxdxe.exe. I found this program in the startup using msconfig and disabled it. I also uninstalled Golden Casino in Add/Remove Programs. Killed casino.exe in Task Manager and removed all casino references from the registry. Hope this helps.
Response Number 7
Name: meyekuh_29
Date: December 10, 2003 at 11:40:17 Pacific
Reply: Hi, I am having the same problem with Golden Palace Casino on startup asking me if I want to play. But I can't find it in my Add/Remove Programs list and I can't find the foarxdxe.exe file on my computer! What can I do?
Response Number 8
Name: John F.
Date: December 12, 2003 at 08:00:31 Pacific
Reply: I am filing a complaint with the Pennsylvania Attorney General's office about these losers... anyone else in PA want to join in, send me an email... other states, contact your department of consumer protection. I am going to make these scumbags pay for the time that I've lost uninstalling their garbage...
Response Number 9
Name: Elric
Date: December 12, 2003 at 19:49:25 Pacific
Reply: G'day, Good luck with the lawsuit. However, I believe that the most effective way of dealing with this is to find out who the sponsors are and let them know that you will never buy any of their products. If enough people do this, then we hit them where it hurts: in the pocket. The trouble with going for the writers of the viruses is that the sponsors can soon replace them with another bunch of sad losers. Regards, Elric
Response Number 10
Name: Tracy
Date: December 14, 2003 at 20:37:51 Pacific
Reply: I have the same problem with Golden Palace Casino. I've run Ad-Aware, Norton AntiVirus, and looked in the startup menu for anything suspicious. I looked for the files that y'all suggested as well, but I believe this program uses a random name generator for its applications. If you ever want to expand your lawsuit beyond PA, count me in. I'm sick of these creeps trying to shove products in our face that we don't want, and hijacking our resources to do so.
Response Number 11
Name: Coleen
Date: December 15, 2003 at 14:18:36 Pacific
Reply: Hi, I am having the same problem with Golden Palace Casino, and I can't find any of the things that people talked about above. I just did HijackThis, but I don't know what to do with it. Can someone help me? Thanks, Coleen

Logfile of HijackThis v1.97.7
Scan saved at 5:09:19 PM, on 12/15/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\vagvqmmy.exe
C:\WINDOWS\System32\szueylut.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\Program Files\syslaunch.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\DavPRG.exe
C:\WINDOWS\System32\Aji6KZ6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\COLEEN\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001-nhp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002-nhp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003-nhp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {72BDD92B-921D-4EE2-8577-D5B69A3B3DF7} - C:\WINDOWS\SYSTEM32\zdfiul.dll
O2 - BHO: (no name) - {A96DA53B-20CD-8884-994F-ABC4FDF8B0F6} - C:\WINDOWS\system32\fknejpal.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D57054CA-FAAE-422C-A559-4A739A6DA25B} - C:\WINDOWS\System32\javacypqt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {0B85676D-ED00-4200-B709-A3ADCB77CF40} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [inbhdkcp] C:\WINDOWS\vagvqmmy.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [ELRYIOV] C:\WINDOWS\ELRYIOV.exe
O4 - HKLM\..\Run: [KUCMHSJXF] C:\WINDOWS\KUCMHSJXF.exe
O4 - HKLM\..\Run: [RIW] C:\WINDOWS\RIW.exe
O4 - HKLM\..\Run: [IVCJPW] C:\WINDOWS\IVCJPW.exe
O4 - HKLM\..\Run: [wkokqlnd] C:\WINDOWS\System32\szueylut.exe
O4 - HKLM\..\Run: [SafeSurfingUpdate] C:\WINDOWS\System32\SSUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BLRYFLSY] C:\WINDOWS\BLRYFLSY.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\LsxI52.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [BHO] C:\WINDOWS\BHO.exe
O4 - HKLM\..\Run: [BZHREOZG] C:\WINDOWS\BZHREOZG.exe
O4 - HKLM\..\Run: [ISAOY] C:\WINDOWS\ISAOY.exe
O4 - HKLM\..\Run: [ZHJXFP] C:\WINDOWS\ZHJXFP.exe
O4 - HKLM\..\Run: [MWEOJTBLZ] C:\WINDOWS\MWEOJTBLZ.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [CMZ] C:\WINDOWS\CMZ.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_27/QDow.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/blackhawkstriker/wtinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.7.18/ttinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://www.spywarelabs.com/Updates/VBouncerOuter1113.EXE
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FFC514F2-EA0B-E5FC-EFB2-67635ACCBE61} (DownloadUL Class) - http://public.searchbarcash.com/cab/341/tdpzdnyl.cab
Response Number 12
Name: 3Horn
Date: December 16, 2003 at 07:32:36 Pacific
Reply: Okay, this is what I've found using advice from here, fark.com, and my own poking around. The file name IS randomly generated; it will be located in your "Windows\system32" directory. The easiest way to locate which file it is, is to open Task Manager while the pop-up is displayed; under "Applications" in Task Manager, select the pop-up window, right click and select "Go To Process". You now know the file name so that you can delete it from the directory. Now the fun really begins. Using msconfig, look under "Startup", and you should find a couple of registry keys for the file. Mine were in "HKEY_USERS\S-1-5-21-1390067357-813497703-1343024091-1003\SOFTWARE\MICROSOFT\WINDOWS\ShellNoRoam\MUICache" and "hkey_local_machine\software\microsoft\windows\currentversion\run". I think that somewhere in the system is another file or DLL that is going out and pulling down a replacement exe, but I haven't been able to locate it yet. I have my eye on a service called NICIDATTTNWP, but I'm still looking. I hope that this helps, and that we can finally beat this thing. 3Horn
Response Number 13
Name: 3Horn
Date: December 16, 2003 at 08:03:56 Pacific
Reply: Okay, there is also a randomly named file in your Windows directory as well; it should also show up under "Startup" using msconfig. Do a registry search for it as well. 3Horn
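Several posts converge on the same signature: Dan's, Lauren's and Coleen's logs all carry Run entries whose file name looks machine-generated and sits directly in C:\WINDOWS or C:\WINDOWS\System32, and 3Horn's two replies say exactly where to look. The Python below is an added example, not code from this thread or from HijackThis, that screens O4 lines for that combination. The sample lines are copied from the logs posted above; the looks_random heuristic and the flagging rule (random-looking file or value name AND a drop location in the Windows root or System32) are my own assumptions, meant as a screening aid that still needs a human decision, which is why legitimate lines such as ctfmon.exe and DVDSentry are included to show they pass.

```python
"""Screen HijackThis O4 (autostart) lines for randomly named droppers in the
Windows directory.  Added example for this thread, not HijackThis code.
The heuristics and the flagging rule are assumptions; the sample lines are
copied from the logs posted in the thread."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] command" / "O4 - Global Startup: x.lnk = path"
O4_LINE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# First drive-letter path that ends in an executable or library extension.
# The lookahead stops at whitespace, a quote, a comma or end of line so that
# trailing arguments ("-atboottime", ",DllRunMain") are not swallowed.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr)(?=[\s",]|$)', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(token: str) -> bool:
    """Crude detector for generated names such as 'dxdagvjt' or 'CFPSVYC'.

    Assumption: an all-letter token of 5 to 12 characters is suspect when it
    has no vowels, a run of five or more consonants, or two or more of the
    letters j/q/x/z.  Product names occasionally trip this, which is why the
    result is only acted on together with the drop-location check below."""
    t = token.lower()
    if not t.isalpha() or not 5 <= len(t) <= 12:
        return False
    if VOWELS.isdisjoint(t):
        return True
    longest = run = 0
    for c in t:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    if longest >= 5:
        return True
    return sum(t.count(c) for c in "jqxz") >= 2


@dataclass
class Entry:
    where: str            # registry hive/key or startup folder from the O4 line
    name: str | None      # value name in [brackets], if present
    path: str | None      # first executable path found in the command
    reasons: list[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def triage_o4(lines, windir: str = r"C:\WINDOWS") -> list[Entry]:
    """Parse every O4 line and flag entries whose executable sits directly in
    the Windows root or System32 under a random-looking file or value name."""
    drop_dirs = {windir.lower(), windir.lower() + r"\system32"}
    entries: list[Entry] = []
    for line in lines:
        m = O4_LINE.match(line.strip())
        if not m:           # not an autostart line (O2, O3, O16, ...)
            continue
        pm = EXE_PATH.search(m["cmd"])
        path = pm.group(0) if pm else None
        entry = Entry(m["where"], m["name"], path)
        if path and ntpath.dirname(path).lower() in drop_dirs:
            base = ntpath.splitext(ntpath.basename(path))[0]
            if looks_random(base):
                entry.reasons.append(f"random-looking file name {base!r} in {ntpath.dirname(path)}")
            if entry.name and looks_random(entry.name):
                entry.reasons.append(f"random-looking value name {entry.name!r}")
        entries.append(entry)
    return entries


# Sample lines copied from Dan's and Lauren's logs in this thread (the O2 line
# is included to show that non-O4 lines are ignored).
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {B55C92E8-1ED7-FEDC-757F-FD6C53C729CC} - C:\WINDOWS\system32\nsvvjnic.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe",
    r"O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe",
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [opcwplvz] C:\WINDOWS\dxdagvjt.exe",
    r"O4 - HKLM\..\Run: [waimksct] C:\WINDOWS\System32\ncjooqym.exe",
    r"O4 - HKLM\..\Run: [CFPSVYC] C:\WINDOWS\CFPSVYC.exe",
]


def flagged_names(lines) -> set[str]:
    """Value names of the entries worth a second look."""
    return {e.name for e in triage_o4(lines) if e.flagged and e.name}


if __name__ == "__main__":
    for e in triage_o4(SAMPLE_LINES):
        mark = "SUSPECT" if e.flagged else "   ok  "
        print(f"{mark} [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"          - {r}")
```

The location test does the real work: mcvsshld.exe has an equally odd name but lives under Program Files, so it is not flagged, while the three entries this thread is about are flagged on both file name and value name. Feeding a whole saved log to triage_o4 works unchanged, since non-O4 lines are skipped.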
Response Number 14
Name: mattmaxx
Date: January 6, 2004 at 12:51:24 Pacific
Reply: Hey... the problem has arrived in Europe... ;-) I saw you had the Golden Palace perks over last month... I have the problem now, and it's irritating me... Despite your good advice I still have no idea how to get it removed. Will it still help to post a log file of HijackThis here? We'll see! Thanx in advance, Matt

Logfile of HijackThis v1.97.7
Scan saved at 21:45:13, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Keyhost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\STARDO~1\stardown.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.paradigit.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.paradigit.nl/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRA~1\STARDO~1\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297c0f62dab7c290f417/netzip/RdxIE601.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com/activex/src/KeyActivex.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
Response Number 15
Name: Renata
Date: January 6, 2004 at 15:35:31 Pacific
Reply: After trying all day to get rid of it... this worked :-) http://es.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=ADW_JRAUN.A#Solution
Response Number 16
Name: Ray52
Date: January 25, 2004 at 06:01:48 Pacific
Reply: I also had the problem of Golden Palace Casino downloading and installing itself on bootup. I think I finally got rid of it. There was a registry key in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that launched a program with what looked like a randomly generated name. Once I deleted this entry the installation stopped. I used Advanced Startup Manager to find and remove the entry.
Response Number 17
Name: Matt2
Date: January 25, 2004 at 11:23:04 Pacific
Reply: I've been having problems within the last 2 months with the Golden Palace Casino. I've read all of y'all's posts but I still have no idea what y'all are talking about. I just downloaded HijackThis! and ran it. It would be a GREAT help if somebody could tell me what to delete. Thanks, Matt2