Internet Explorer... | Page 2 | FerrariChat

Discussion in 'Other Off Topic Forum' started by 134282, Jun 28, 2004.

  1. fivebob

    fivebob Formula Junior

    Jan 31, 2004
    254
    Tauranga, New Zealand
    Full Name:
    Callum
    No they're not needed, and some of those things in that list are trojan/virus commands (not my list BTW, just an example that goes on for another 4 pages).

    I agree HP is bad at installing start-up programs (most of which are memory hogs), but it's only one of many. Two or three years ago it was uncommon to see anything in that list at all, most of it went into the startup group and people could see it easily and delete it, then the developers got a bit smarter and hid the start-up routines in the registry. It's snowballed from there to the point today that many systems take ages to load everything up, and the system runs like a dog, low on memory and a lot less processing power available to run what you really want too, and the OS gets a bad name because of this tactic.

    IMO if something really needs to be running it should be started as a service and interact with the desktop via a common interface like the control panel/WMI or even a browser and keep the system free of junk. If it needs a dedicated application interface then the user should start it each time they need it; having it sitting in memory may be convenient, but 99.99% of the time it's taking up valuable resources for no good reason.

    That said however, I find most programmers never consider such things, hell most of them are just happy to get a program appearing to comply to specs, let alone something that performs properly and doesn't cause major problems if it encounters something outside its usual operating parameters. Nobody really performance/compatibility tests these days, they all live by the adage that more/faster hardware is all that's needed to make their poorly designed/written application work properly.
     
  2. 134282

    134282 Four Time F1 World Champ
    BANNED

    Aug 3, 2002
    40,647
    California
    Full Name:
    Carbon McCoy
    i have tried EVERYTHING that's been suggested except this... NOTHING has worked so far... Imperial, i'll try your suggestion when i get a chance, then i'll come back and report whether it worked or not... Thanks everyone, for all your help... i can't believe this thing is so resilient...
     
  3. Brianjonesphoto

    Brianjonesphoto Formula Junior

    Dec 2, 2003
    268
    Seattle Wa
    Full Name:
    Brian Jones
    Carbon, there is no application that is going to remove this for you. You are going to have to do some leg work to get this fixed. Do a google search for casino palooza and you will find out what others have had to do. You will need to boot into safe mode and find out what is on your machine that shouldn't be there. Or you can back up your critical files and do a clean install.
     
  4. fivebob

    fivebob Formula Junior

    Jan 31, 2004
    254
    Tauranga, New Zealand
    Full Name:
    Callum
    That will probably work, if it's enabled and you've rebooted the computer on a regular basis you may be able to find an unmolested backup of the settings.

    If that doesn't work then one other place to check is the startup group Start->Programs->Startup

    BTW was there anything in the MSCONFIG startup that was at all suspect? If there was and you removed it did it re-appear? If so then you need to kill the running copy first or boot in safe mode to remove it as it will reinstall itself when you try to restart.
     
  5. Stackhouse

    Stackhouse F1 Rookie
    Consultant

    Feb 14, 2004
    4,714
    IN YOUR TRUNK
    Full Name:
    CT.. AKA Pimp Daddy
    Your Registry has been changed and that’s why you will need to do a system restoration as Imperial stated above.

    ALSO make sure you check your “Favorite Places” on your browser and make sure you delete any “Unwanted PORN Folders” that were installed when this program took over.

    IN THE MEAN TIME USE A DIFFERENT BROWSER LIKE NETSCAPE until your problem is fixed.

    PD
     
  6. imperial83

    imperial83 F1 Rookie
    BANNED

    May 14, 2004
    2,893
    I am certain that my suggestion should work. That is what I have done in the past. Let me know if it does not work and I can help you with another solution.
     
  7. 134282

    134282 Four Time F1 World Champ
    BANNED

    Aug 3, 2002
    40,647
    California
    Full Name:
    Carbon McCoy
    Ok, i did it...


    ...and it DIDN'T work. i did exactly as directed and it told me it needed to restart, so i said ok and it did this thingie where it says it's restoring the previous date i chose and it restarted and finally booted back and... then i got a window that said "System Restore could not restore your computer back to the specified date. Please choose another date."

    So i did.

    And it restored and rebooted and restarted and gave me THE SAME WINDOW...! No dice on this one. i think it's hopeless...
     
  8. wax

    wax Five Time F1 World Champ
    Lifetime Rossa

    Jul 20, 2003
    51,554
    SFPD
    Full Name:
    Dirty Harry
    That's because you didn't pay attention to Post #20, you, you, you you, you!
     
  9. Schatten

    Schatten F1 World Champ
    Owner

    Apr 3, 2001
    11,237
    Austin, TX
    Full Name:
    Randy
    Carbon, give me a ring. You have the #. Let's get this fixed tonight.

    BTW, just so you know, there are some users here that actually profit from such malware/spyware/adware on your system. So... watch out what is recommended. Note that some of the anti-spyware apps don't do jack and they are malware themselves.
     
  10. vraa

    vraa F1 Rookie
    Rossa Subscribed

    Oct 31, 2003
    3,590
    Texas
    Full Name:
    Mr. A
    Install VNC Server.

    Give me your IP address.

    Give me a few hours..

    Profit??? :D Oh man I gotta stop that.

    Hit me up on AIM Carbon!
     
  11. imperial83

    imperial83 F1 Rookie
    BANNED

    May 14, 2004
    2,893
    I don't want to sound rude but are you running a legal copy of windows and have you been installing the regular updates from Windows?

    Here is another small step that I want you to try. Try using Ad-aware again. Make sure you update the files again before you use it by clicking on "check for updates now" in the main menu.
     
  12. MikeZ_NJ

    MikeZ_NJ Formula 3

    Dec 10, 2002
    1,533
    Southern NJ
    Full Name:
    Mike Z.
    Could be a BHO..? (Browser Helper Object)

    I agree... run Hijack this and post the results.
     
  13. Schatten

    Schatten F1 World Champ
    Owner

    Apr 3, 2001
    11,237
    Austin, TX
    Full Name:
    Randy
    I have the logfile at home from NN0's hijackthis.

    I spent a while working with him on the phone until the computer just crapped out completely. Lots of spyware/malware apps running all over the place. even lots of various 'hosts' settings that hijackthis found. those are always fun fun fun to discover. the proxy was also set to 127.0.0.1:8080, hence, how things got reactivated and the apps came back. really nasty stuff, but it is resolved once the computer comes up and is patched correctly.

    it's xp pro, unpatched and no av on the system currently. I'll help him get it all straightened out soon. I might have to burn a cd and send it out to him.
     
  14. 134282

    134282 Four Time F1 World Champ
    BANNED

    Aug 3, 2002
    40,647
    California
    Full Name:
    Carbon McCoy
    You're the man, Randy... Although this computer is a bit sickly, there's no sign of that friggin' casino thing... You really took care of business for me and i appreciate it... Thank you... :)
     
  15. MikeZ_NJ

    MikeZ_NJ Formula 3

    Dec 10, 2002
    1,533
    Southern NJ
    Full Name:
    Mike Z.
  16. Schatten

    Schatten F1 World Champ
    Owner

    Apr 3, 2001
    11,237
    Austin, TX
    Full Name:
    Randy
    #41 Schatten, Jun 30, 2004
    Last edited by a moderator: Sep 7, 2017
    you are more than welcome Carbon.

    Here's the logfile with some explanation of items in it. All nasty stuff. Comments are BELOW each section of the logfile.

    Code:
    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:30 PM, on 6/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\wanmpsvc.exe
    
    All is fine here, but then we run into some interesting stuff coming up...

    Code:
    C:\WINDOWS\wininet32.exe
    C:\WINDOWS\runwin32.exe
    
    All you need to do for these is look at google to get a clue. Just plop in the filename and the results should be obvious: http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=wininet32%2Eexe and http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=runwin32.exe

    Code:
    C:\Program Files\America Online 9.0b\waol.exe
    C:\Program Files\America Online 9.0b\shellmon.exe
    C:\Program Files\America Online 9.0b\aolwbspd.exe
    
    Typical AOL stuff. Eh... maybe someone can get him off of AOL. I tried to convert him to Trillian - it's a start.

    Code:
    C:\WINDOWS\System32\wpabaln.exe
    
    Just a popup balloon reminder.

    Code:
    C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
    
    The HiJackThis app that is running to detect BHO's (browser helper objects).
    Code:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dinamo.directwebsearch.net/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dinamo.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://dinamo.directwebsearch.net/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://dinamo.directwebsearch.net/search.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
    
    All of these are crap crap crap. If you search, they go to those sites by default instead of Yahoo/Google/MSN and other real, non-hijacking search bars.
    Code:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    
    This sets the proxy server to be your local computer. 127.0.0.1 is the localhost, which is basically your own computer, no one else's. 8080 is the port and an app sits waiting to listen for it to ring up. Once it hits, well... the app starts up again and filters everything through that app, or will start up .dll's/.exe's/apps across the network and such to re-create or possibly download those apps once again which hijack your browser.

    that means, ANYTHING you are going through will be submitted or retrieved via this app on your local system. Not too fun when it comes down to sending passwords, right? Afterall, with some BHO's, not even online banking is secure anymore.

    Code:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://dinamo.directwebsearch.net/search.php
    
    More search junk, throwing it to their sites.

    Code:
    O1 - Hosts: 69.31.79.180 auto.search.msn.com
    O1 - Hosts: 69.31.79.180 auto.search.msn.com
    
    Interesting part here. This is the host file modifier. What this does is point you to a certain IP address of a site that is specified in the file instead of the site you wanted to reach. This is quite a useful item to use in some cases. Let's say for instance, you cannot hit Ferrarichat.com, however you can hit its IP address which is 209.115.108.75. So you could hit the site by http://that ip address. But why do that? Just edit the hosts file (in the windows directory) and specify the IP address for that name.

    Code:
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    
    just fine.
    Code:
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    
    Virus.
    Code:
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    
    More stuff that is just fine.
    Code:
    O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
    O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
    
    Evil stuff. Viruses actually.

    Code:
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    
    This stuff is fine.
    Code:
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.180/winsearchie32.chm::/winsearchie32.exe
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
    
    more evil stuff. not needed at all. search for yourself and see:
    http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=winsearchie32
    and
    http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q=info6%5Fs%2Ecab

    Just searching for these items like "websearchie32" in google brings up things that give you a clue. This means you don't have to remember each and every file, but 'searchie'? MS wouldn't create such a file.

    Code:
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Code:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F89ECF4-08B3-47D2-97E1-E1EAE663DFF8}: NameServer = 205.188.146.146
    
    More crap. Look at this, name server is being resolved to that IP. Just search google groups for issues of the sort. That means, as a name server, when you ask for "google.com" - THIS SERVER tells you where it is, and that could be their own search page, which isn't google's site.
    http://groups.google.com/groups?q=205.188.146.146&hl=en&lr=&ie=UTF-8&sa=N&tab=wg


    ___________________________

    Anyways, I hope this helps when you look through a logfile from HiJackThis and what to look for. I've attached the original logfile to this posting if you want to see it in raw format. Enjoy!
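    As an added example (not from this thread and not part of HijackThis itself), here is a small Python triage script that applies the checks walked through in the post above to constructed log lines: R0/R1 search and start pages pointed at unknown hosts, a ProxyServer set to 127.0.0.1, hosts-file overrides of well-known names, O4 autorun binaries dropped straight into the Windows directory, O16 ActiveX sources that are local files, CHM containers or bare IP addresses, and an O17 NameServer flagged for confirmation. The allowlists, severities and sample log are assumptions built for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlists (ours, not HijackThis's): legitimate search hosts, and names a hosts file must not override.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "search.yahoo.com"}
PROTECTED_HOSTS = {"auto.search.msn.com", "www.google.com", "windowsupdate.microsoft.com"}

def url_host(value):
    return urlparse(value.strip()).hostname or ""   # '' when the value is not a URL

def assess(line):
    """Classify one HijackThis line as (severity, reason); None means nothing to flag."""
    m = re.match(r"^(R[01]|O\d+) - (.*)$", line.strip())
    kind, rest = m.groups() if m else ("", "")      # headers and process lists fall through
    if kind in ("R0", "R1"):                        # IE search/start pages and proxy settings
        key, _, value = rest.partition(" = ")
        if "ProxyServer" in key and value.split(":")[0] in ("127.0.0.1", "localhost"):
            return ("high", "all browser traffic is routed through a local proxy on " + value)
        host = url_host(value)
        if host and host not in KNOWN_SEARCH_HOSTS:
            return ("high", "search/start page hijacked to " + host)
    elif kind == "O1":                              # hosts file overrides
        ip, _, name = rest.partition("Hosts: ")[2].partition(" ")
        if name in PROTECTED_HOSTS:
            return ("high", f"hosts file redirects {name} to {ip}")
    elif kind == "O4":                              # autorun entries
        path = re.search(r'\]\s*"?([A-Za-z]:\\[^"]+?\.exe)', rest)
        if path and re.fullmatch(r"[A-Za-z]:\\WINDOWS\\[^\\]+\.exe", path.group(1), re.I):
            return ("medium", "autorun binary sits directly in the Windows directory: " + path.group(1))
    elif kind == "O16":                             # ActiveX download sources
        target = rest.split(" - ")[-1]
        if target.lower().startswith(("ms-its:", "file:")) or re.fullmatch(r"[\d.]+", url_host(target)):
            return ("high", "ActiveX object loaded from a local file, CHM or bare IP: " + target)
    elif kind == "O17":                             # DNS server written into the registry
        return ("review", "confirm this DNS server belongs to your ISP: " + rest.split(" = ")[-1])
    return None

def triage(log_text):
    return [hit for hit in map(assess, log_text.splitlines()) if hit]

# Constructed sample log modelled on the entries the post above walks through.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: 69.31.79.180 auto.search.msn.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F89ECF4-08B3-47D2-97E1-E1EAE663DFF8}: NameServer = 205.188.146.146
"""
```

    Running `triage(SAMPLE_LOG)` yields one finding per hijacked entry and nothing for the QuickTime autorun, which is the same split the post makes by hand.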
     
  17. imperial83

    imperial83 F1 Rookie
    BANNED

    May 14, 2004
    2,893
    Good stuff! I am happy the problem is solved.
     
  18. vraa

    vraa F1 Rookie
    Rossa Subscribed

    Oct 31, 2003
    3,590
    Texas
    Full Name:
    Mr. A
    Another one down, only a few billion more problems to go!
     