CasinoGames shortcuts appearing on desktop

This time I'm on a friend's computer who has CasinoGames shortcuts appearing on their desktop and reappearing after they are deleted. I've run most of the "READ ME FIRST" list with the exception of About:Buster and HSRemove, since this is not a browser hijack or HSA problem. I ran the online Trend Micro Virus scan, it detected two "non cleanable" files with Trojan variants (TROJ_SMALL.AMT in C:\Program Files\Windows Media Player\wmplayer.exe.tmp and one other I do not remember). I did not run the Symantec online scan because I would not have the time to do it here today. They didn't want to disable their System Restore function, so that was also not done. Everything else in the list was gone through, but the problem is still there.

Any recommendations?

 

http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

 

Okay, here's the HJT log.

 

I notice you only ran one of the online scans, so run the following online scans:

TrendMicro Online Scan
Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
TrojanScan online scan

After you have completed ALL of the above scans, reboot and post a fresh HJT log.

 

The Bitdefender scan either does not exist anymore, or the page is down, but I could not access it to run the scan. I ran the other three, and took a screenshot of the results from TrojanScan if you would like to see them. I rebooted and am posting the HJT log.

 

Your Operating System and Internet Explorer versions are WAY out of date and represent a major security risk. After we fix your current problems, you must get updated. You need to install Service Pack 2 for security purposes.

Please look in Add or Remove Programs for the following and Uninstall if found:

GuardBar


Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

O2 - BHO: GuardBar.BHO - {62F5BBB6-A71E-46E7-AE78-73D25185EDC8} - C:\Program Files\GuardBar\GuardBar.dll
O3 - Toolbar: GuardBar - {7F4D8DE6-AC92-4A13-9DE9-F360736F2464} - C:\Program Files\GuardBar\GuardBar.dll

O4 - HKLM\..\Run: [lzom] C:\WINDOWS\System32\lzom.exe

O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Fang\Programs\VNC\VNC4\WinVNC4.exe" -service (file missing)

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\Program Files\GuardBar ←–– Delete this whole folder if it exist!

C:\WINDOWS\System32\lzom.exe

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Does the HJT note about VNC mean anything besides that a file is missing? That program is supposed to be there so I can help her on her computer from my computer.

GuardBar eh? I didn't know what that was, but I guess now I know that it's bad!

She's been wondering what lzom.exe was, ZoneAlarm kept telling her it was asking for Internet access, and she's been denying it every time. Now I can remove it and tell her that it's another bad program.

I'll take care of this the next time I'm at her computer, then I'll provide an update.

 

As Chaslang previously mentioned if that entry came back then its legit as HJT has a bug that shows file missing but the file really isnt.

You need to do this fix in a timely manner so things wont get worse.

Will be awaiting update.

 

Here's a new HJT log and some notes regarding the instructions you gave me.

Sorry this took so long, I had trouble getting access to the computer again.

 

While your somewhat clean you must now get updated or else these things will never keep coming back.

Download the following package, please note its 266 MB and may take about 15 minutes on Cable/DSL.

Windows XP Service Pack 2

After download is complete, double click to install.

 

The shortcuts reappeared and GuardBar reinstalled itself once I booted into Normal Mode. Can I install SP2 from a CD that I have instead of downloading it?

 

Yes!

 

Alright, I had to leave that computer again for the night, but I will resume work on the computer tomorrow. It seems that it is missing a lot of Windows Updates.

Shame on her.

 

Okay, Just get the SP2 installed then get me a fresh HJT log.

 

Popups appearing

Okay, this is a continuance of this thread. However, now the only noticeable problem is that popups appear almost any time you open an IE window. I've run the "Read Me" instructions, and attached an HJT log.

 

Oh, I forgot to mention. I ran the NEW "Read Me" yesterday. I'll attach the BitDefender log, but I could not get Panda ActiveScan to run.


EDIT: Also, I have updated this system to SP2 and run Windows Update afterwards to get all updates.

 

Huh, that's strange. I saved it as a text file. I guess I missed something when I saved it. Should I rerun the scan and resave the log?

 

O4 - HKCU\..\Run: [Baitsoft] C:\DOCUME~1\ALL\APPLIC~1\THEBAL~1\dvdmfcdstore.exe


I have no idea what this is for, and neither does the computer owner.

 

I followed all instructions, except that I did not find "C:\Program Files\C2Media". Here is a new HJT log. Sorry for previous complications.

 

Oh, sorry! I haven't seen any popups just yet, but that doesn't mean they are gone. IE seems to be running slower than normal, but maybe that's just my imagination.

Anything else you wanted to know or wanted me to run?

 

I am happy to report that I have neither witnessed nor heard of any more problems on this computer. Once again, thanks for all your help!

 

Glad your system is running good!