**computer geeks** if you are willing to help me...

[noginsk]

If anyone knows a lot about computers, I have a question. The other day, a casino game program managed to download it's way onto my har drive without me knowing it. It had been constanly turning itself on and being really annoying. I think it even caused a bazillion popup ads to appear everytime I got on the internet. So, I deleated it by going intothe start button on the lower left hand corner of the screen. Then went to control panel. Then hit Add or remove programs. Foun the culprit and got rid of, or so I thought. Now, the computer still looks for the program but can't find it, and so it gives us an error message when the computer is turned on. The computer runs fine after, it's mainly just a nuisance. I remember a buddy of mine showing me how to get to some sort of "start menu" where I could tell the computer which programs to start when the computer was turned on. I can't remember how to get back there though. I think that might help, so if anyone knows what I am talking about, let me know. Thanks!I am running windows XP on an emachines T2200, if that helps.

[joatmon]

sounds like you picked up some spyware. install and run both lavasoft's AdAware http://download.com.com/3000-2...utton (1.6 MB) and PepiMK's Spybot Search and Destroy http://download.com.com/3000-2...t-0-1 (3.5 MB)Together they should be able to clean up the problem.

[noginsk]

Yeah, Igot the adaware and used it too to try and it off the computer, but it still gives me the error message. I'm so pissed, I feel violated. I almost want to just reboot my whole system, but that seems like too much work for just a stupid error message.

[noginsk]

I think I'll try that other one tomorrow and see what happens.Thanks

[ragingfish]

Also try going to:*Start*Run*Type "msconfig" without the quotes*CLick the startup tag.*Uncheck anything that references the aforementioned "casino program."Give a shout if you still need help...

[ArcsVibe]

Make sure Adware has the latest reference files installed then try it again.

[yank dini]

Sounds Like it's in the reg....Have you tried a System Restore before your download. Another thing I would do before the last resort "clean restore" is write down the error message and go the the Microsoft knowledge base and see if anyone can help u there.

[Stang2Vibe]

noginsk....I know exactly what you are going through. If it's the Golden Palace Casino thing, my g/f had it on her computer for about 2 months before I found a way to get rid of it. The other "main menu" thing that you are talking about is the system registry, and if you delete one wrong thing in there, it could permanently damage the whole operating system and at worst, make the computer inoperable. Always use extreme caution when altering the registry if you don't know exactly what you are doing.The key files that are causing the problem are hidden well within the computer and have filenames that are completely unrelated to the casino program. You will probably never find them unless you know exactly what files you are looking for and where they are. It isn't hopeless, though, as I was able to get rid of it fairly easily. Just do a Google search for something like "removing Golden Palace Casino" and that is where I found a website with good instuctions for getting rid of it. Follow the directions carefully and it will work. Might want to print it out because I think you have to restart the computer as part of the process. I hated that damn program, I drove me nuts for months and I tried everything I could think of to get rid of it!

[Stang2Vibe]

here I just found the site I used. It is for Golden Palace Casino only, so if that is not the one causing the problem, then it won't work for you. http://remove.monsterserve.com...html

[Mr. Poopypants]

Go Here http://download.com.com/3000-8...t-0-2 and download this program, update the spyware definitions and scan the computer, it will get rid of it. Then go to http://www.wilderssecurity.net and download Spyware Blaster, if you keep it updated, it will block almost all spyware. I have not had a piece of spyware in over a year, not even a cookie thanks to this program. It will be a TON easier than going into the registry and searching for it, trust me, you don't want to mess with the registry unless you know EXACTLY what you are doing.

[Stang2Vibe]

if you go to the link I gave, you don't have to do anything with the registry. You just delete the program and download an uninstall file to to get rid of the rest.I tried AdAware, SpySweeper, and a few others, all with the most updated version and they did nothing to get rid of this. On computer help sites, they have all reported the same. This link was created by the people who represent Golden Palace Casino and made this link to help people who couldn't get rid of it. I used it and it hasn't come back for about a month so far. The spyware sweepers are great to help prevent these things, but unfortunately they haven't worked to get rid of this bug once you already have it.The instructions in the link are short and very easy to do.

[noginsk]

Quote, originally posted by Stang2Vibe »noginsk....I know exactly what you are going through. If it's the Golden Palace Casino thing, my g/f had it on her computer for about 2 months before I found a way to get rid of it. The other "main menu" thing that you are talking about is the system registry, and if you delete one wrong thing in there, it could permanently damage the whole operating system and at worst, make the computer inoperable. Always use extreme caution when altering the registry if you don't know exactly what you are doing.The key files that are causing the problem are hidden well within the computer and have filenames that are completely unrelated to the casino program. You will probably never find them unless you know exactly what files you are looking for and where they are. It isn't hopeless, though, as I was able to get rid of it fairly easily. Just do a Google search for something like "removing Golden Palace Casino" and that is where I found a website with good instuctions for getting rid of it. Follow the directions carefully and it will work. Might want to print it out because I think you have to restart the computer as part of the process. I hated that damn program, I drove me nuts for months and I tried everything I could think of to get rid of it!Wow everybody! This is so awesome, I can feel so much love in the air... Anyway, thanks a lot everyone. I just back back from work and haven't had time to try anything yet, but will so probably on Monday. Yes it is the golden palace casino stang2vibe. What's weird though is that I already deleted everything I could find. I'm wondering if what you are syaing is that I would need to put it back on the computer, then get that uninstall software, then finally fully delete it. Damn, computers are great, but sure can be a pain in the (removed). And to mister poopypants (hard to write this wihtout laughing out loud, funny name) I will try the software you suggested. Having no spyware sounds very appealing right now. And to everyone else that wrote, thanks too. Hey, quick thought, "stang2vibe", does that mean you had a mustang then got a pontiac vibe?

[Stang2Vibe]

Quote, originally posted by noginsk »And to mister poopypants (hard to write this wihtout laughing out loud, funny name)I think we've all started to just call him "Poopy" for short. I get a kick out of that And yes, I traded in a base model 2000 Mustang--5 speed manual, power everything, Atlantic Blue. So far the extreme versatility of my Vibe and the developing aftermarket for it have kept me from regretting trading in the Mustang.As for getting rid of that darned spyware, I got rid of it on the g/f's computer by allowing it to fully reinstall itself then followed the directions in the link I posted for you above. Seems you have to go back to the add/delete programs list and delete the casino file there. Then download the uninstall file that is in the link on the page I sent you to. After it downloads, find it on your hard drive and run it. Then "POOF", bye bye a-hole casino program!

[noginsk]

As far as allowing it reinstall... I don't remember how it got on the computer in the first place. Should I just try the uninstall software anyway?

[Stang2Vibe]

On her computer, I found that after I went in the Add/Remove programs list and deleted the program (so I thought), it would begin to reinstall the program every time the computer was rebooted. That told me that 1.) the program had files in the registry that were executed upon startup and 2.) this thing is going to be a pain to get rid of. When I found those directions to delete the program, I restarted the computer and let the casino program go ahead and do its thing and fully reinstall. When the insallation began after a reboot, you couldn't stop it except by using ctrl/alt/delete. So instead of stopping it, I just let it reinstall. Then I followed the steps in the link I gave you. It was actually pretty easy. If the program is not trying to reinstall itself when you reboot the computer, I don't think it is a problem. You probably don't have to have it fully installed for this fix to work. Just follow the directions and it should be gone. Her computer is running Windows 98 so it may have acted a bit different on startup than yours running XP. But again, that shouldn't matter as long as you follow the directions in that link. I would try that and then check to see if the casino thing comes back. If its gone, then go ahead and download a good free spyware prevention program and keep it updated to help prevent this in the future.These kinds of spyware programs along with the hompage hijacker programs I think are some of the hardest to get rid of. Fortunately, I was able to find that uninstaller file that takes the casino program out of the registry for you so you don't have to go in there yourself and risk screwing up the computer. Give it a shot and let us know if it works.

[bus driver]

go to start, click on run type in msconfig, go to start tab, uncheck that program, re boot pc

[Stang2Vibe]

That re-installs the program, right?Get this, just as we were talking about the darned casino thing, I picked up a dreaded homepage hijacker...grrrrrr! I HATE these things with a passion! Why do stupid a-holes have to do crap like this?If anyone knows how to get rid of the nkvd.us homepage hijacker, please let me know! I checked Google and all I could find was a bunch of computer techno-babble that I didn't understand and pages and pages of scrolling through what others have posted as the results of spyware dectectors that they ran on their computers. I can't get this thing to go away. When it runs, it changes my homepage to http:/nkvd.us and just repeatedly keeps popping up new Internet Explorer windows by the hundreds. Then my computer freezes up when I try to close them all.BTW--I strongly suggest that those reading this DO NOT try to go to the nkvd.us website, if there is one. You might pick up this virus as well.

[ColonelPanic]

Quote »BTW--I strongly suggest that those reading this DO NOT try to go to the nkvd.us website, if there is one. You might pick up this virus as well.I went there! I thought I'd see if there was anything I could dig up to help you out... Running nothing but Linux here, so I'm immune to the exploits and whatnot that affects Windows.After going there, it instantly redirected me to smartfinder.biz... At the bottom I see "if problem click here" which shows the following:If you don't want to continue using smart-finder, follow instruction below: Click "Start" -> "Run"Type "regedit" and click OK.In navigation tree go to HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionSharedTaskSchedulerThen delete all keys at the right panel (just click on it and press Delete key)Then go to HKEY_CURRENT_USERsoftwareclassesCLSID{3F143C3A-1457-6CCA-0A7-7AA23B61E40F} and delete all keys too.Restart your PC.Go to C:WINDOWSsystem32 folder.Find file mtwirl32.dll and delete it.If you not sure that you can make it yourself, you can download a small software:Which I would not trust the "small software" since who knows what else that executable will infect your box with when it tries to "uninstall" whatever this is. I'm not sure if the steps they stated above will work to remove whatever this is, I don't have a way to test it, but it may be worth a shot. I might also add, while you are in the registry, a quick check of HKLM/Software/Microsoft/Windows/Current Version/Run and see what is hanging out there... If something looks odd, you may do a google for it and see if it is actually something you need running on your machine. Keep in mind that sometimes there is a value in the registry that looks like it may be important to windows, but it actually is part of some sort of spyware/virus/etc. Definitely do a google if in doubt. Just be careful when digging around in the registry, and if you have any questions, ask!Hope this helps.......

[Sputnik]

I had this exact same problem and posted a thread in here asking for help as well. I did some googling on it and found that if I went into the registry and deleted something called ncase, it got rid of it. I haven't had a problem since.

[Sputnik]

Here is the thread I mentioned in my previous post:http://forums.genvibe.com/zerothread?id=8814Seems I deleted a bridge.dll file from the registry. I think I also deleted ncase as well.

[Stang2Vibe]

Thank you all!!! I'm off to try and fix my computer now. If nobody here hears from me for a few weeks, then you know that I accidentally deleted the wrong thing from my registry!Quote, originally posted by ColonelPanic »If something looks odd, you may do a google for it and see if it is actually something you need running on your machine.Sorry Colonel, but it ALL looks odd to me!

[Stang2Vibe]

Ok, ran into several problems. Went into my registry and found this key:Quote, originally posted by ColonelPanic »HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionSharedTaskSchedulerbut I have two files called "CurrentVersion" and niether of them had SharedTaskScheduler in themthen I went into:Quote, originally posted by ColonelPanic »HKEY_CURRENT_USERsoftwareclassesCLSID{3F143C3A-1457-6CCA-0A7-7AA23B61E40F}and found that the CLSID file was not in the "classes" file, but was farther down the list in the "software" file somewhere below the "classes" file. In any case, the value with all the letters and numbers in the brackets was not in either of those, either. I did find a similar value and deleted it anyway cause at this point I'm about to throw the computer out the window anyway.Went into c:windowssystem32 and found an "mtwirl.dll" file but no "mtwirl32.dll" file. Tried to delete it anyway and it wouldn't let me, popping up a warning message that the file was in use and couldn't be deleted. Now I'm even more angry.That all did nothing. So I tried the link for the uninstaller file. All that did was take me back to the hijacker's homepage, the nkvd.us page. That did nothing as well. Where the hell are the people who created this little ba$tard of a program so I can inflict LOTS of pain upon them??? I'd really love to beat them to a bloody pulp right now. They did something that I don't even understand to my computer, without my permission, then lied to me twice about how to fix it. That constitutes "time for a severe beating". I wish I had their email address, I'd be adding a few new words to their vocabulary.Now time to try Sputnik's link. Or put my fist through this screen.

[rasermon]

Try this program..... http://209.133.47.200/~merijn/files/CWShredder.exe http://www.spywareinfo.com/~merijn/downloads.html

[Stang2Vibe]

OK gentlemen, here is a copy of my hijackthis log file:Logfile of HijackThis v1.97.7Scan saved at 5:54:59 PM, on 4/7/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:WINDOWSSystem32smss.exeC:WINDOWSsystem32winlogon.exeC:WINDOWSsystem32services.exeC:WINDOWSsystem32lsass.exeC:WINDOWSsystem32svchost.exeC:WINDOWSSystem32svchost.exeC:WINDOWSExplorer.EXEC:WINDOWSsystem32spoolsv.exeC:WINDOWSNhksrv.exeC:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exeC:Program FilesNorton AntiVirusnavapsvc.exeC:WINDOWSSystem32nvsvc32.exeC:WINDOWSSystem32svchost.exeC:Program FilesAdaptecEasy CD Creator 5DirectCDDirectCD.exeC:PROGRA~1NORTON~1navapw32.exeC:WINDOWSDELLMMKB.EXEC:WINDOWSSystem32spooldriversw32x863hpztsb04.exeC:Program FilesQuickTimeqttask.exeC:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exeC:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exeC:Program FilesCommon FilesRealUpdate_OBrealsched.exeC:Program FilesCommon filesupdmgrupdmgr.exeC:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnf.exeC:WINDOWSSystem32RUNDLL32.EXEC:Program FilesNetropaOSD.exeC:Program FilesCommon FilesMicrosoft SharedWorks Sharedwkcalrem.exeC:Program FileshijackthisHijackThis.exeR1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = sas.r6.attbi.com:8000R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.r6.attbi.com;R1 - HKCUSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocxO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:Program FilesNorton AntiVirusNavShExt.dllO2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:WINDOWSSystem32mshelper.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:Program FilesNorton AntiVirusNavShExt.dllO4 - HKLM..Run: [Microsoft Works Portfolio] C:Program FilesMicrosoft WorksWksSb.exe /AllUsersO4 - HKLM..Run: [Microsoft Works Update Detection] C:Program FilesMicrosoft WorksWkDetect.exeO4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartupO4 - HKLM..Run: [AdaptecDirectCD] "C:Program FilesAdaptecEasy CD Creator 5DirectCDDirectCD.exe"O4 - HKLM..Run: [NAV Agent] C:PROGRA~1NORTON~1navapw32.exeO4 - HKLM..Run: [WorksFUD] C:Program FilesMicrosoft WorksWkfud.exeO4 - HKLM..Run: [DellTouch] C:WINDOWSDELLMMKB.EXEO4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSSystem32spooldriversw32x863hpztsb04.exeO4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottimeO4 - HKLM..Run: [CamMonitor] C:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exeO4 - HKLM..Run: [Share-to-Web Namespace Daemon] C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exeO4 - HKLM..Run: [nwiz] nwiz.exe /installO4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osbootO4 - HKLM..Run: [P2P Networking] C:WINDOWSSystem32P2P NetworkingP2P Networking.exe /AUTOSTARTO4 - HKLM..Run: [AltnetPointsManager] c:program filesaltnetpoints managerpoints manager.exe -sO4 - HKLM..Run: [updmgr] C:Program FilesCommon filesupdmgrupdmgr.exeO4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /backgroundO4 - HKCU..Run: [MoneyAgent] "C:Program FilesMicrosoft MoneySystemMoney Express.exe"O4 - HKCU..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSSystem32NVMCTRAY.DLL,NvTaskbarInitO4 - Startup: PowerReg Scheduler.exeO4 - Global Startup: Camio Viewer 2000.lnk = C:Program FilesSierra ImagingImage Expert 2000IXApplet.exeO4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXEO4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?O8 - Extra context menu item: &Define - C:Program FilesCommon FilesMicrosoft SharedReference 2001AERS_DEF.HTMO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000O8 - Extra context menu item: Look Up in &Encyclopedia - C:Program FilesCommon FilesMicrosoft SharedReference 2001AERS_ENC.HTMO9 - Extra button: Encarta Encyclopedia (HKLM)O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)O9 - Extra button: Define (HKLM)O9 - Extra 'Tools' menuitem: Define (HKLM)O9 - Extra button: AIM (HKLM)O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dllO13 - DefaultPrefix: http://www.nkvd.us/O13 - WWW Prefix: http://www.nkvd.us/O13 - Home Prefix: http://www.nkvd.us/O13 - Mosaic Prefix: http://www.nkvd.us/O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cabO16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/...M.CABO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31d8544f5...1.cabO16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dllO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.window
supdate.micros...77778O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com...h.cabHave fun deciphering it, I sure dont get it. Let me know what you see. Thanks Rasermon and Joatmon!

[joatmon]

wait for someone else to confirm this diagnosis before you operate.Quote, originally posted by Stang2Vibe »O4 - HKLM..Run: [P2P Networking] C:WINDOWSSystem32P2P NetworkingP2P Networking.exe /AUTOSTARTO4 - HKLM..Run: [AltnetPointsManager] c:program filesaltnetpoints managerpoints manager.exe -sO4 - HKLM..Run: [updmgr] C:Program FilesCommon filesupdmgrupdmgr.exeI think these three are bad. doing a google search for each of these three executables seems to show that they are evil.What I would do is run the task managerr (ctl-alt-del or right click on the task bar) go to Processes, highlight the updmgr and click end process.then I would use regedit, go to HKEY_LOCAL_MACHINESOFTWAREmicrosoftWindowsCurrentVersionRun and in the right pane, right click on each of these three entries and delete them. That won't get rid of the programs, just keep them from running every time you reboot.Then, go change you home page and stuff in IE, and reboot.If that fixes the prob, then you can go deleteC:WINDOWSSystem32P2P Networkingc:program filesaltnetC:Program FilesCommon filesupdmgr wait for someone else to confirm this diagnosis before you operate.

[VibeChick]

Quote, originally posted by joatmon »wait for someone else to confirm this diagnosis before you operate.I think these three are bad. doing a google search for each of these three executables seems to show that they are evil.What I would do is run the task managerr (ctl-alt-del or right click on the task bar) go to Processes, highlight the updmgr and click end process.then I would use regedit, go to HKEY_LOCAL_MACHINESOFTWAREmicrosoftWindowsCurrentVersionRun and in the right pane, right click on each of these three entries and delete them. That won't get rid of the programs, just keep them from running very time you reboot.Then, go change you home page and stuff in IE, and reboot.If that fixes the prob, then you can go deleteC:WINDOWSSystem32P2P Networkingc:program filesaltnetC:Program FilesCommon filesupdmgr wait for someone else to confirm this diagnosis before you operate.Those may cause annoying pop-ups, but your hijacker is this:R1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = sas.r6.attbi.com:8000R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.r6.attbi.com;R1 - HKCUSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/They need to be removed from the registry. Should also make sure there isn't something installed that will cause it to re-register after rebootThere's a bit more than that to do...so don't just jump in and start deleting though!

[AKLGT]

wow.... i have no idea what all that stuff is! glad i don't have that crap on mine. good luck!

[rasermon]

Stang, with all browser windows closed, rescan with Hijackthis, put a check next to any of the entries I listed below that remain and click "Fix Checked".R1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer = sas.r6.attbi.com:8000R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.r6.attbi.com;R1 - HKCUSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/O13 - DefaultPrefix: http://www.nkvd.us/O13 - WWW Prefix: http://www.nkvd.us/O13 - Home Prefix: http://www.nkvd.us/O13 - Mosaic Prefix: http://www.nkvd.us/Next, open Add/Remove programs and remove any of the following if found:My Search Bar MyWay Speed BarMy Web Search BarFun Web Products Easy Installer Run CWShredder once more to make sure everything was removed.

[VibeChick]

Hopefully this works...and he doesn't have a new variant that CWShredder hasn't been updated to handle...Such a pain...

[Stang2Vibe]

My latest log file. CRAP CRAP CRAP!!! The bad files came back again!Logfile of HijackThis v1.97.7Scan saved at 11:09:10 PM, on 4/7/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:WINDOWSSystem32smss.exeC:WINDOWSsystem32winlogon.exeC:WINDOWSsystem32services.exeC:WINDOWSsystem32lsass.exeC:WINDOWSsystem32svchost.exeC:WINDOWSSystem32svchost.exeC:WINDOWSExplorer.EXEC:WINDOWSsystem32spoolsv.exeC:WINDOWSNhksrv.exeC:Program FilesCommon FilesMicrosoft SharedVS7Debugmdm.exeC:Program FilesNorton AntiVirusnavapsvc.exeC:WINDOWSSystem32nvsvc32.exeC:WINDOWSSystem32svchost.exeC:Program FilesAdaptecEasy CD Creator 5DirectCDDirectCD.exeC:PROGRA~1NORTON~1navapw32.exeC:WINDOWSDELLMMKB.EXEC:WINDOWSSystem32spooldriversw32x863hpztsb04.exeC:Program FilesQuickTimeqttask.exeC:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exeC:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exeC:Program FilesCommon FilesRealUpdate_OBrealsched.exeC:Program FilesCommon filesupdmgrupdmgr.exeC:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnf.exeC:WINDOWSSystem32RUNDLL32.EXEC:Program FilesNetropaOSD.exeC:Program FilesCommon FilesMicrosoft SharedWorks Sharedwkcalrem.exeC:Program FileshijackthisHijackThis.exeR1 - HKCUSoftwareMicrosoftInternet Explorer,SearchURL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://nkvd.us/R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://nkvd.us/R1 - HKCUSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/R1 - HKLMSoftwareMicrosoftInternet Explorer,Search = http://nkvd.us/R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 5.0ReaderActiveXAcroIEHelper.ocxO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:Program FilesNorton AntiVirusNavShExt.dllO2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:WINDOWSSystem32mshelper.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:WINDOWSSystem32msdxm.ocxO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:Program FilesNorton AntiVirusNavShExt.dllO4 - HKLM..Run: [Microsoft Works Portfolio] C:Program FilesMicrosoft WorksWksSb.exe /AllUsersO4 - HKLM..Run: [Microsoft Works Update Detection] C:Program FilesMicrosoft WorksWkDetect.exeO4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSSystem32NvCpl.dll,NvStartupO4 - HKLM..Run: [AdaptecDirectCD] "C:Program FilesAdaptecEasy CD Creator 5DirectCDDirectCD.exe"O4 - HKLM..Run: [NAV Agent] C:PROGRA~1NORTON~1navapw32.exeO4 - HKLM..Run: [WorksFUD] C:Program FilesMicrosoft WorksWkfud.exeO4 - HKLM..Run: [DellTouch] C:WINDOWSDELLMMKB.EXEO4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSSystem32spooldriversw32x863hpztsb04.exeO4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottimeO4 - HKLM..Run: [CamMonitor] C:Program FilesHewlett-PackardDigital ImagingUnloadhpqcmon.exeO4 - HKLM..Run: [Share-to-Web Namespace Daemon] C:Program FilesHewlett-PackardHP Share-to-Webhpgs2wnd.exeO4 - HKLM..Run: [nwiz] nwiz.exe /installO4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osbootO4 - HKLM..Run: [P2P Networking] C:WINDOWSSystem32P2P NetworkingP2P Networking.exe /AUTOSTARTO4 - HKLM..Run: [AltnetPointsManager] c:program filesaltnetpoints managerpoints manager.exe -sO4 - HKLM..Run: [updmgr] C:Program FilesCommon filesupdmgrupdmgr.exeO4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /backgroundO4 - HKCU..Run: [MoneyAgent] "C:Program FilesMicrosoft MoneySystemMoney Express.exe"O4 - HKCU..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSSystem32NVMCTRAY.DLL,NvTaskbarInitO4 - Startup: PowerReg Scheduler.exeO4 - Global Startup: Camio Viewer 2000.lnk = C:Program FilesSierra ImagingImage Expert 2000IXApplet.exeO4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXEO4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?O8 - Extra context menu item: &Define - C:Program FilesCommon FilesMicrosoft SharedReference 2001AERS_DEF.HTMO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000O8 - Extra context menu item: Look Up in &Encyclopedia - C:Program FilesCommon FilesMicrosoft SharedReference 2001AERS_ENC.HTMO9 - Extra button: Encarta Encyclopedia (HKLM)O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)O9 - Extra button: Define (HKLM)O9 - Extra 'Tools' menuitem: Define (HKLM)O9 - Extra button: AIM (HKLM)O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dllO13 - DefaultPrefix: http://www.nkvd.us/O13 - WWW Prefix: http://www.nkvd.us/O13 - Home Prefix: http://www.nkvd.us/O13 - Mosaic Prefix: http://www.nkvd.us/O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cabO16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/...M.CABO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/31d8544f5...1.cabO16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dllO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.micros...77778O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com...h.cab

[VibeChick]

I hate to say I told you so....But on to plan B!!

[joatmon]

Quote »O4 - HKLM..Run: [P2P Networking] C:WINDOWSSystem32P2P NetworkingP2P Networking.exe /AUTOSTARTO4 - HKLM..Run: [AltnetPointsManager] c:program filesaltnetpoints managerpoints manager.exe -sO4 - HKLM..Run: [updmgr] C:Program FilesCommon filesupdmgrupdmgr.exeI think these three are bad. doing a google search for each of these three executables seems to show that they are evil.What I would do is run the task managerr (ctl-alt-del or right click on the task bar) go to Processes, highlight the updmgr and click end process.then I would use regedit, go to HKEY_LOCAL_MACHINESOFTWAREmicrosoftWindowsCurrentVersionRun and in the right pane, right click on each of these three entries and delete them. That won't get rid of the programs, just keep them from running every time you reboot.did you do this? Maybe one or more of these are responsible.

[VibeChick]

There's a dll that needs to be removed...but finding its reg entry is another trick. AFAIK it's invisible to Hijackthis

[joatmon]

the dll is most likely the mtwirl.dll that he cannot delete. Probably can't delete it because it is in use by a running process, my guess would be the updmgr one, The P2P networking, the altnet, and the updmgr are probably related. Need to stop running those at boot, then delete the mtwirl.dll,Also, be sure to check your hosts file c:windowssystem32driversetchosts. Some of these things put entries in there so that when you try to go to a common site, the entry in the hosts file sends you to a different IP address than you think you are going to.

[VibeChick]

Quote, originally posted by joatmon »the dll is most likely the mtwirl.dll that he cannot delete. Probably can't delete it because it is in use by a running process, my guess would be the updmgr one, The P2P networking, the altnet, and the updmgr are probably related. Need to stop running those at boot, then delete the mtwirl.dll,Nah, I think those are harmless...annoying, but harmless. He should be able to rename mtwirl.dll, reboot and then delete it. But it needs to be removed from the registry as well, which is the trick. But I'm no expert, so we'll just have to keep trying till we get it.

[Fialchar]

P2PNetworking is for your Kazaa proggy, don't delete this unless you no longer use Kazaa.

[Stang2Vibe]

Yes, the P2PNetworking is attached to my Kazaa program.I had a little brainstorm of my own and decided to run hijackthis again. Then I had it fix the same keys that I tried before at Rasermon's suggestion. There were only 18 that came back, there were originally 21. After I went and fixed those, I went into the c:/windows/system32 folder and I WAS able to delete the mtwirl.dll file. I ran hijackthis again, and none of those bad files came back. The mtwirl file is still gone as well. Also, I emptied the recycle bin to make sure it was gone.I tried stopping the process taskmgr.exe in the windows task manager. I am able to click on everything and I get no error messages, but that process keeps running even after I tried several times to stop it.So far, I have not been redirected to the hijacker's site. But, when I try to click on download links and some other links on webpages, I get a new page that pops up with an error message like it was a broken link. This used to bring up that smart-finder.biz site, but now its just the default broken link window. So the only thing that is still a functional problem from this nasty bug is that it prevents me from opening some links.I have not rebooted the computer yet, so I dont know if it will return after a reboot. I have to leave for work now, but I'll be back again later tonight. Thank you all for your diligent help with this! Hopefully I can get rid of this darned thing once and for all.

[VibeChick]

Well, reboot and let us know....or just don't ever reboot again - then it won't come back!

[Keely]

Stang, I don't see in your earlier posts whether you had tried Spybot S&D. I can't ascertain whether the current Spybot definitions have caught up with this one, but as I research I'm a little concerned you may have a trojan on your hands. Are you AV definitions up to date?

[Stang2Vibe]

Ok, I rebooted and so far all the bad files are still gone. I still have the problem with clicking on some links bringing up a blank page like its a broken link (even though I know it isn't). So I think some part of it is still on my computer.

[noginsk]

Quote, originally posted by Stang2Vibe »On her computer, I found that after I went in the Add/Remove programs list and deleted the program (so I thought), it would begin to reinstall the program every time the computer was rebooted. That told me that 1.) the program had files in the registry that were executed upon startup and 2.) this thing is going to be a pain to get rid of. When I found those directions to delete the program, I restarted the computer and let the casino program go ahead and do its thing and fully reinstall. When the insallation began after a reboot, you couldn't stop it except by using ctrl/alt/delete. So instead of stopping it, I just let it reinstall. Then I followed the steps in the link I gave you. It was actually pretty easy. If the program is not trying to reinstall itself when you reboot the computer, I don't think it is a problem. You probably don't have to have it fully installed for this fix to work. Just follow the directions and it should be gone. Her computer is running Windows 98 so it may have acted a bit different on startup than yours running XP. But again, that shouldn't matter as long as you follow the directions in that link. I would try that and then check to see if the casino thing comes back. If its gone, then go ahead and download a good free spyware prevention program and keep it updated to help prevent this in the future.These kinds of spyware programs along with the hompage hijacker programs I think are some of the hardest to get rid of. Fortunately, I was able to find that uninstaller file that takes the casino program out of the registry for you so you don't have to go in there yourself and risk screwing up the computer. Give it a shot and let us know it works.Again, thanks stang. I have been really busy the last few days, but will try this today befoer class. Hopefully I'll get it to work.

[noginsk]

Quote, originally posted by Stang2Vibe »here I just found the site I used. It is for Golden Palace Casino only, so if that is not the one causing the problem, then it won't work for you. http://remove.monsterserve.com...html Hey, I just tried this, but it says "evidence scan is not installed on this computer" and then "uninstall failed" after that. Oh well, looks like you have a bigger fish to fry now...

[Stang2Vibe]

Did you download that uninsaller file onto your hard drive and run it from there? I think it has to be on the hard drive to work. I think I have 3/4 of my problem solved thanks to some of the members here. I'm pretty confident that I will be able to get rid of the rest of it with a little more help.