Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

"Casino" and "Poker" icon on desktop

Status
Not open for further replies.
mhaff

mhaff

Technical User
Joined
Jan 31, 2003
Messages
55
Location
US
I feel so stupid because this problem is my fault.
I found a file called "keep this.exe" or something like that on another system on the network. I thought it seemed suspicious but also thought it might be an executable zip file with something important in it. I scanned it for viruses with Symantec(which is up to date) and it came up with nothing.
...So I ran the exe....
Now, everytime I reboot, I get two icons on my desktop, "Poker" and "Casino". When I right click on them, the only option is delete. And they will delete, but they return upon reboot. Also, my homepage(in firefox) is hijacked to some page that doesn't exist. I ran "Registry Mechanic" but I guess it didn't find a problem.
I'm running Win2k on a Novell Network.
Suggestions??
Thanks.
 
Sort by date Sort by votes
I would suggest to download and run Spybot and Microsoft's Antispyware Beta. This should catch most of the spyware on your system.

Then I would run Hijack This! It will look for suspect programs and registry entries, then return a list of them to you. Go through the list, DO NOT DELETE ALL ENTRIES, and delete those that do not belong.

You should be clean then.
 
Upvote 0 Downvote
Yes, do as aquias suggested and post your Hijack Log and post it here and we will help you get rid of the nasties.

Hope that helps.

Erik
 
Upvote 0 Downvote
Please post a link to the appropriate site for "Hijack This".
When I do a google search there are too many results to figure out which one is the right one.

Thanks.
 
Upvote 0 Downvote
One possibility for what you are describing is LOP.

One possible way to have gotten it is for someone to have installed messenger plus with the sponsors.

An hjt log may contain lines looking like this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O2 - BHO: (no name) - {2C15AD61-BF45-DD8A-EB19-B3A4667ABA11} - C:\WINDOWS\APPLICATION DATA\SAFE EQ ACID\SETTINGS BIN.EXE (file missing)
O4 - HKLM\..\Run: [Bore Debug Admin Flap] C:\WINDOWS\Application Data\glue stupid bore debug\SECT BYTE.exe
O4 - HKCU\..\Run: [Sendfive] C:\WINDOWS\APPLIC~1\SECTSE~1\Cdrom flag.exe

As well as checking the desktop for icons, check the favorites folder for unwanted items.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Here is my HijackThis Log.

Logfile of HijackThis v1.99.1
Scan saved at 11:26:43 AM, on 2/18/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\NWTRAY.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\RssReader\RssReader.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Novell\GroupWise\Notify.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
P:\HiJaak This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EADE115-6873-5668-9A70-7ED854D403FA} - C:\DOCUME~1\ADMINI~1\APPLIC~1\SOFTWA~1\Vga base.exe
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O3 - Toolbar: (no name) - {55910916-8B4E-4C1E-9253-CCE296EA71EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [tons ref axis flap] C:\Documents and Settings\All Users\Application Data\bits barb tons ref\mathway.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - HKCU\..\Run: [TWO FORK] C:\DOCUME~1\ADMINI~1\APPLIC~1\ROADAM~1\locks mfcd.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
 
Upvote 0 Downvote
Get rid of these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c2El0XQpcm/ZjM.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll

O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll

O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll

O3 - Toolbar: (no name) - {55910916-8B4E-4C1E-9253-CCE296EA71EB} - (no file)

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

Should be good to go. You have NewDotNew, among others.

Erik
 
Upvote 0 Downvote
BTW

If System Restore applies, you will need to turn that off before doing this, or NewDotNet could come back.

Erik

 
Upvote 0 Downvote
And remove this also:

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

Not sure what this is:

Can't find any info on it - do you recognise it?

O4 - HKLM\..\Run: [tons ref axis flap] C:\Documents and Settings\All Users\Application Data\bits barb tons ref\mathway.exe

Check that NEWDOT is not in your programs list too and reset your internet settings back to defaults in Internet Options also.
 
Upvote 0 Downvote
Thanks alot everyone. Everything seems back to normal.

Except one thing. I noticed that I have the following folder:

"C:\Documents and Settings\Administrator\Application Data\road amen cool"

It contains these files:
FlagSiteInfo.exe
glqcoefz.exe
pzntrswd.exe
send bore dvd vc.exe
yjrnuzrz.exe

Obviously this is very suspicious. Any ideas where it came from.
I will delete, I just wanted your opinion.

Thanks again.
 
Upvote 0 Downvote
Kill them. Some spyware leftovers I would guess.

Hope that helps.

Erik
 
Upvote 0 Downvote
Some form of toolbar is the only info I could find - I agree with Erik - get rid :)

Kes
 
Upvote 0 Downvote
Re new dot net stuff
Read notes on lspfix at cexx.org before you start that fix.

Your folder above is lop. I am going to give you another post on that.


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
You have some other problems too, this post does not address those.

There's your LOP (Live Online Portal). Notice how it follows the pattern in my previous post.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O2 - BHO: (no name) - {0EADE115-6873-5668-9A70-7ED854D403FA} - C:\DOCUME~1\ADMINI~1\APPLIC~1\SOFTWA~1\Vga base.exe
O4 - HKLM\..\Run: [tons ref axis flap] C:\Documents and Settings\All Users\Application Data\bits barb tons ref\mathway.exe
O4 - HKCU\..\Run: [TWO FORK] C:\DOCUME~1\ADMINI~1\APPLIC~1\ROADAM~1\locks mfcd.exe


Try these first, if this doesn't work, you are in for some registry work:
=Obtain the lop uninstaller:
From here:

Or from here >Lop uninstaller

Run the uninstaller.
Reboot in safe mode.

Fix these lines in hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = O2 - BHO: (no name) - {0EADE115-6873-5668-9A70-7ED854D403FA} - C:\DOCUME~1\ADMINI~1\APPLIC~1\SOFTWA~1\Vga base.exe
O4 - HKLM\..\Run: [tons ref axis flap] C:\Documents and Settings\All Users\Application Data\bits barb tons ref\mathway.exe
O4 - HKCU\..\Run: [TWO FORK] C:\DOCUME~1\ADMINI~1\APPLIC~1\ROADAM~1\locks mfcd.exe

In programfiles and all your application data folders look for these folders:
(You have to come up with the full name on two of them)

SOFTWA~1
bits barb tons ref
ROADAM~1
Check contents to be sure they are bad ones and delete.

Also in programfiles look for C2MEDIA folder, delete that as well if present.

Cleaning up temp folders is always a good idea.

As I said before, also check your desktop and favorites for added stuff (like poker, casino, printer cartridges, etc.)

Reboot, run another log and see what it looks like.

If the stuff is still there, you are going to have to do some registry work.
You have some clues in the info above, check doxdesk and symatec (search on lop) for additional locations to work on in registry.

If problem recurs after fixing, check taskscheduler for odd jobs.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Upvote 0 Downvote
One last thing, I don't know anything about this one, but I see suggestions to fix it in 3 or 4 threads.

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINNT\msxml4.cab


-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Olumighty
  • Locked
  • Question Question
BIOS PASSWORD WIPE OR CLEAR ON COMPUTER LAPTOP
Replies
1
Views
541
SamBones
SamBones
2ffat
  • Locked
  • News News
C-Ware Bundled on "ALL" Freeware Sites
Replies
6
Views
703
xit
xit
javierdlm001
  • Locked
  • Question Question
"Win32.Downloader.gen" found as Malware by Spybot
Replies
3
Views
451
2ffat
2ffat
SantaMufasa
  • Locked
  • Question Question
How can I get rid of "PC Fix Speed", a particularly nasty PC malware infection.
Replies
18
Views
1K
kjv1611
kjv1611
lvis001
  • Locked
  • Question Question
Cannot remove "pup.bprotector"
Replies
6
Views
499
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top