C:\Program Files\Internet Explorer\IEXPLORE.EXE

#1
Kate Etropolska
Member, 11 posts

Hi,

I found the below icon on my desktop and can't seem to get rid of it. When I try to delete it, or anything at all on the computer, it comes up with a message saying the source file is in use and cannot be deleted. This is happening with all files and documents except the temporary internet files. Are these 2 things related?

I have run Ad-Aware but when trying to save the HijackThis log, the casino icon has taken over my notebook and tries to open up IE. Saved it in a Word document, hope this is ok:)

thank you:)

Kate

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.casinopal...sourceid=100514

Logfile of HijackThis v1.98.2
Scan saved at 13:34:09, on 11/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\HPZTSB08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.u...ope/default.stm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eircom.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.c...et/src/vscp.cab
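As an added example (not from this thread and not part of HijackThis itself), a small Python parser for the log format posted above, with three defender-side checks a helper would run before deciding what to fix: autostart entries that launch a bare file name, stale "(file missing)" handlers, and O16 downloaded program files. The sample log is constructed from the first post with the URLs replaced by placeholders.

```python
import re

# Constructed sample in HijackThis v1.98 log format, modelled on the first post; URLs are placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.ie
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O16 - DPF: Dialpad US Java Applet - http://example.invalid/vscp.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
AUTORUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<cmd>.+)$")

def parse_hjt(text: str) -> list[dict[str, str]]:
    """Split a HijackThis log into entries; O4 entries also get hive/key/name/cmd fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blanks are skipped
        entry = m.groupdict()
        if entry["code"] == "O4":
            sub = AUTORUN_RE.match(entry["body"]) or STARTUP_RE.match(entry["body"])
            if sub:
                entry.update(sub.groupdict())
        entries.append(entry)
    return entries

def launch_path(cmd: str) -> str:
    """First token of a Run-key command line, unquoted (an unquoted path with spaces is cut at the space)."""
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def review(entries: list[dict[str, str]]) -> list[str]:
    """Checks a helper would apply to the parsed entries before deciding what to fix."""
    notes = []
    for e in entries:
        if e["code"] == "O4" and "cmd" in e and not re.match(r"^[A-Za-z]:\\", launch_path(e["cmd"])):
            # A bare name is resolved through the search path, so verify which file actually runs.
            notes.append(f"O4 [{e['name']}] starts {launch_path(e['cmd'])} by bare name; verify which file runs")
        if "(file missing)" in e["body"]:
            notes.append(f"{e['code']} entry points at a missing file; stale and safe to remove")
        if e["code"] == "O16":
            notes.append(f"O16 downloaded program file {e['body'].split(' - ')[-1]}; confirm it is wanted")
    return notes
```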


#2
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts

Hi Kate,

Please download and run:
http://www.intermute...r_download.html

Use the Fix button.

Regards,

Pieter

#3
Kate Etropolska
Topic Starter, Member, 11 posts

Hi:)

I downloaded that programme and it found 3 items, deleted them, but the casino palazzo is still there, and also when I try to delete anything at all from the desktop or anywhere, it is still telling me the source file is in use, even if I have no windows open.

Thanks for your help:)

Kate

#4
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts

I'd like to test a new tool on this one.

Please download & unzip Ms4Hd_look to a folder, double-click on the runme.bat and it should produce a look.log file.

Post the look.log file back here, and the other log files it makes, including the err.log, so we know what we are dealing with.

To do an analysis I will also need to know approximately when the file first showed up on your computer.

Regards,

Pieter

#5
Kate Etropolska
Topic Starter, Member, 11 posts

Thanks Pieter:)

I tried to download that tool, but had a problem running it; it would open the window and then get an error message saying Mh4_look has caused an error in Mh4_look.exe. Mh4_look will now close.

Tried installing it a few times but always got the same answer.

I think the problem initially started a few weeks ago, but managed to delete the casino palazzo icon and also from the temp folder, not the way it is, I can't delete anything at all.

Many thanks for your help:)

Kate

#6
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts

Please download DllCompare from here: http://www.geekstogo...=download&id=38

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, use the drop-down box to set the file type to *.* then click on the Compare button. When that has completed, click on the Make Log of What Was Found button. Then post the contents of that log as a reply to this post.

Regards,

Pieter

#7
Kate Etropolska
Topic Starter, Member, 11 posts

Pieter,

Ran the programme, again had problems as it tries to open it with Notepad, which has apparently been taken over by the casino palazzo icon. This is all it came up with, should there be more?

Best wishes

Kate:)


* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:"
________________________________________________

851 items found: 851 files, 0 directories.
Total of file sizes: 170,346,268 bytes 162.45 M

--------------------End log---------------------

#8
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts

Excellent. I just needed to make sure you got rid of everything else.

Please go here:
http://www.spywarein...es.html#notepad
and download http://www.spywarein.../notepad_me.zip

Unzip it to your C:\Windows folder, allowing it to replace the "false" one that is there now.

Regards,

Pieter

#9
Kate Etropolska
Topic Starter, Member, 11 posts

Thanks Pieter,

Have downloaded that and now have Notepad in my Windows folder; the only problem is that, as nothing will delete from the computer, the old one is still there. But I can open Notepad now. What next?:tazz:

#10
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts

Good job. :tazz:

Please surf to http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool
Download, unzip and run RegSrch.vbs
Put casinopalazzo in the dialog box.

After a while a prompt will come up. Click OK to write the results to wordpad and post them.

Regards,

Pieter


#11
Kate Etropolska
Topic Starter, Member, 11 posts

Hi:)

Here is the log from that download:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "casinopalazzo" 12/12/2004 16:21:18

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"016"="casinopalazzo.com/index.php?sourceid=100514"


Thanks so much for all your help:)

Kate

#12
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts

That didn't bring us much closer. :tazz:

Can you repeat the same procedure for:
win86.exe

and

amino.ini

TIA,

Pieter

#13
Kate Etropolska
Topic Starter, Member, 11 posts

Pieter,

Did the search for both of those and no instances were found in the registry for either:(

Kate

#14
Metallica
Spyware Veteran, GeekU Moderator, 31,676 posts

Hmmff. I know the Sophos Antivirus detects and removes this, but they don't have an online scanner that I know of.

Can you see if this one finds anything:
http://housecall.trendmicro.com/

Please copy the results for me, before you close it down.

Regards,

Pieter

#15
Kate Etropolska
Topic Starter, Member, 11 posts

Pieter,

Here are the results of the scan:)

TROJ SMALL .IA Non Cleanable C:\Recycled\Q330995.exe
JS EXECPTION GEN Non Cleanable C:\Recycled\Dc22894.html

Thanks

Kate:)