myexexex and casino palazzo


8 replies to this topic

#1 LittleMissMoo

LittleMissMoo

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 03 June 2004 - 07:54 AM

Hello...

I'm still having problems with myexexex and casino palazzo! I've done most things mentioned in other threads to try and rid myself of the myexexex problem, but it's still here.

Here's what I've done so far...

1 - Created the clear.reg file and added it to the registry.

2 - Deleted the spad folder.

3 - Searched for the files HPCMDTY.dll, c_10230.dll, crt32_v2.dll and crt2_v32.dll. None of these files showed up so I had nothing to delete.

4 - Ran HiJackThis and fixed any references to spad and myexexex.

But myexexex insisted on appearing on IE at random times. So today I just ran HiJackThis and fixed:

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

So far so good, but it's only been 30 mins! Is there anything else I should do to rid my computer of the annoying myexexex?

Also...how do I get rid of the Casino Palazzo? A shortcut keeps appearing on my desktop, as well as about 7 days ago, I was booted off my net connection and got a msg box from the casino palazzo bug thing saying "Your connection has been lost, would you like to reconnect? Yes No".

Also, anything I do, would I have to repeat the process for the other users on this computer?

Can anyone help me? I've had this problem for almost 2 weeks now! Any help would be greatly appreciated!

Thanks!


Here's my HiJackThis log -

Logfile of HijackThis v1.97.7
Scan saved at 13:50:52, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\documents and settings\leeloo\local settings\temp\m.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\PopupVanish\PopupVanish.exe
C:\Program Files\AOL 8.0a\aoltray.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\AOL 8.0a\waol.exe
C:\Program Files\AOL 8.0a\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mandy\My Documents\Setup Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://loginnet.pas...uth.srf?lc=1033
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKLM\..\Run: [m] C:\documents and settings\leeloo\local settings\temp\m.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PopupVanish] C:\Program Files\PopupVanish\PopupVanish.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.q-serve.com/signup.htm
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab27571.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2262EB76-4576-4541-BAF8-4F280354896B}: NameServer = 195.93.34.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{8951E138-12F1-495A-A04C-976300DCAB9E}: NameServer = 152.163.0.26 205.188.64.153
O17 - HKLM\System\CS1\Services\Tcpip\..\{2262EB76-4576-4541-BAF8-4F280354896B}: NameServer = 195.93.34.134
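
The log above shows a `Run` entry and a running process that both point into a user's temp folder. As an added example (not part of the original post or of HijackThis), this Python script pulls the O4 registry `Run` lines out of such a log and flags those that launch from a temp directory, noting whether the same image is also running; the function names and the `TEMP_MARKERS` list are assumptions of this example.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\documents and settings\leeloo\local settings\temp\m.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [m] C:\documents and settings\leeloo\local settings\temp\m.exe
O4 - HKCU\..\Run: [PopupVanish] C:\Program Files\PopupVanish\PopupVanish.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
"""

RUN_ENTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# Assumption: path fragments that mark user-writable temp folders on Windows XP.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\")

def parse_run_entries(log):
    """Return (hive, key, value_name, command) for each O4 registry Run line."""
    matches = (RUN_ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]

def running_processes(log):
    """Return lower-cased image paths listed under 'Running processes:'."""
    procs, in_section = set(), False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_section = True
        elif in_section and not line:
            break  # a blank line ends the process list
        elif in_section:
            procs.add(line.lower())
    return procs

def flag_temp_autoruns(log):
    """Flag Run entries that start a program from a temp directory."""
    procs = running_processes(log)
    findings = []
    for hive, key, name, command in parse_run_entries(log):
        cmd = command.strip('"').lower()
        if any(marker in cmd for marker in TEMP_MARKERS):
            findings.append({"hive": hive, "name": name,
                             "command": command, "running": cmd in procs})
    return findings

if __name__ == "__main__":
    for finding in flag_temp_autoruns(SAMPLE_LOG):
        print(finding)
```

A flagged entry is a candidate for review, not a verdict on the file.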

#2 LittleMissMoo

Posted 03 June 2004 - 06:43 PM

Can someone help me pleaaase?! I'm desperate! :weep:

#3 LittleMissMoo

Posted 04 June 2004 - 02:02 PM

anyone?!

#4 12345

12345

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 04 June 2004 - 02:09 PM

!!!!!!!!!!!!!!!! have same prob with casino shit

#5 12345

Posted 04 June 2004 - 02:12 PM

+

win/csrss.exe

can't be deleted........still in windows use

#6 Slav

Slav

    Member

  • Full Member
  • Pip
  • 22 posts

Posted 04 June 2004 - 05:14 PM

check this

#7 LittleMissMoo

Posted 05 June 2004 - 11:24 AM

Thanks Slav.

I followed PGPhantom's instructions while online, but when it came to deleting all content in the local settings/temp folder, all files could be deleted, apart from one, I can't remember the name... D_ something.

When I tried to delete this file, I got the message that it was "in use" and it could not be deleted. When I "OK"d this message, I got a blue screen. The error it reported was....

STOP: 0x00000005 (0x00420046, 0x00000002, 0x00000001, 0x80533FD4)

:( What went wrong?!

I haven't yet completed the instructions as I'm worried something else might go weird! (I'm not very confident with computers)

Also, last night while I was on a website, I was suddenly redirected to wow-web.com, a strip with links appeared across the screen. Also, one of the other users of this computer said that whenever they go to Google, when they click on search, the page goes to the wow-web site with search results. I don't know if that has anything to do with the myexexex or casino palazzo thing.

Thanks in advance!

#8 LittleMissMoo

Posted 06 June 2004 - 05:17 PM

aaaaaaah!!

Okay, here's the deal so far, I did everything that PGPhantom and Shadowwar said to do. Everything seemed fine for about 6 hours, and THEN.....I got the blue screen AGAIN!!

This time the blue screen came up when I wasn't even active on the computer! Does anyone know what's wrong here?

The error I'm getting on the blue screen is still the same.....

STOP: 0x00000005 (0x00420046, 0x00000002, 0x00000001, 0x80533FD4)

Can anyone help me?? Thanks!

#9 jerrymlr1

jerrymlr1

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 07 June 2004 - 07:40 AM

This worked for me. ...... We used the asquared program and it found the trojan horse in system restore. You'll never find the program taking you to the myexexex web page because it constantly changes names. However, if you can find anything in windows explorer or the registry it has to be deleted in safe mode. We found an exe one time in explorer and it disappeared before we could delete it. I also hear that cwshredder has a fix for this also.



