Unwanted casino popup when I start Windows

Status
Not open for further replies.
Hi,

Lately I've been getting a popup every time I start Windows on my computer (I use Windows ME). It's some sort of spammy casino popup, asking me to select my language, featuring a picture of a pair of red dice on a green background, and says "Powered by Grand Virtual". I can't determine its properties since nothing happens if I right-click it, and it doesn't show up in my Start menu or Program Files directory in my C-drive, or add/remove window.

I've already run Hijack This and Adaware 6.0, both of which found and deleted a number of hostile files, but this had no effect on the popup. I also went into the C:\WINDOWS\SYSTEM directory, looking for exe files whose "last modified" date coincided with when the problem started occurring (early afternoon 23 Jan 05), and found about two dozen (including several 137-kb exe files which featured the same "GV" logo as the popup), which I manually deleted, but again this has no effect.

There is however one exe file in that directory (PCLcr.exe) that I am unable to delete manually; when I try to delete it, a message box appears saying "Cannot delete PCLcr.exe. The file is being used by Windows". This may or may not be related to the popup; as I recall, the problem started several hours before this file's "last modified" tag.

It also seems that every time I start my computer, a new exe file with the GV logo appears with a different name (though always 137 kb) in the C:\WINDOWS\SYSTEM directory.

It doesn't seem to be affecting any of my other online or offline functions, but it's clearly not an acceptable situation, and I really want to find out how to remove it. If anyone has encountered this or knows who I should talk to for instructions, I'd be eternally grateful...

Michel
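The symptom above (a fresh .exe of one fixed size appearing under a new name after every boot) is easiest to confirm by hashing the recent executables in the directory: identical hashes under different names mean one dropper being re-written each start. The following is an added triage script, not from the thread; it assumes a constructed temporary directory standing in for C:\WINDOWS\SYSTEM and uses the 23 Jan 05 cutoff from the post.

```python
"""Triage helper: list *.exe files modified after a cutoff, optionally of one
exact size, and group them by SHA-256. Added example; paths are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_recent_exes(directory, since, size_bytes=None):
    """Return [(name, size, mtime, sha256)] for .exe files modified at or
    after `since`; `size_bytes` narrows to one size (the post saw 137 KB)."""
    hits = []
    for name in os.listdir(directory):
        if not name.lower().endswith(".exe"):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        mtime = datetime.fromtimestamp(st.st_mtime)
        if mtime < since or (size_bytes is not None and st.st_size != size_bytes):
            continue
        hits.append((name, st.st_size, mtime, sha256_of(path)))
    return sorted(hits, key=lambda h: h[2])


def group_by_hash(hits):
    """Map sha256 -> [names]; several names for one hash = same file re-dropped."""
    groups = {}
    for name, _, _, digest in hits:
        groups.setdefault(digest, []).append(name)
    return groups


def demo():
    # Constructed sample directory standing in for C:\WINDOWS\SYSTEM (assumption).
    d = tempfile.mkdtemp()
    dropper = b"MZ" + b"\x00" * 1022          # fake 1 KB "exe", constructed
    for n in ("abcd1234.exe", "zzzz9999.exe"):  # same bytes, different names
        with open(os.path.join(d, n), "wb") as f:
            f.write(dropper)
    old = os.path.join(d, "legit.exe")        # same size, but predates the cutoff
    with open(old, "wb") as f:
        f.write(b"MZ" + b"\x01" * 1022)
    t = datetime(2004, 6, 1).timestamp()
    os.utime(old, (t, t))
    hits = find_recent_exes(d, datetime(2005, 1, 23, 12, 0), size_bytes=1024)
    return group_by_hash(hits)
```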
 
Hi realblackstuff,

Sorry for the delay in my reply...

I followed the instructions as indicated (but I used Adaware 6.0 with the VX2 plugin instead of Adaware SE), but this hasn't had an effect on my problem. I've attached a copy of the HJT logfile.

I found a number of matches between my logfile and the files you specified in your earlier reply, checked them and had HJT fix the checked entries, but when I reboot my computer, the same problem re-occurs (I forgot to mention last time that in addition to the casino popup, an IE window automatically pops up and sends me to a search page; as I recall its address matches the first O15 entry in the HJT logfile), and the entries that HJT supposedly had fixed are still there when I run another HJT scan.

Thanks in advance for any further input you may have...

Michel
 
Honestly, I have no idea what that PCLcr.exe file is/does (google says nothing) but if you want to delete it, boot into 'Windows Advanced Options' (same screen to get to safe mode) but select the 'command prompt' option. Change the directory to the location of the file ('cd\', 'cd windows\system')
then change the attributes of the file ('attrib PCLcr.exe -a -h -s -r'). You should now be able to delete it ('del PCLcr.exe').

If this helps it or breaks it, the file is gone.
 
I've had a rogue spyware on my PC that would keep on coming back after it was removed by AdAware - the problem was that XP's System Restore was restoring the spyware upon bootup. I believe WinME also has SysRestore, so try disabling it and run AdAware.


PS. There is a utility that forces the deletion of ANY file in Windows, even if it's in use (sorry I can't remember the name of it). Do a google search for "remove file XP in use" or something :)
 
Everyone,

I've successfully removed the problems (both the casino popup and the browser hijack).

I already had antivirus software (NIS 2004 with the latest virus definitions) when this all started, but it looks like this didn't protect my comp. Part of the problem was that I hadn't disabled the system restore, so that each time I eliminated a virus or trojan, it would re-appear when I rebooted.

Once I disabled system restore and once again ran through the procedure realblackstuff indicated, I eliminated the casino popup, but the browser hijack remained. So I downloaded and installed AVG, ran it and that didn't eliminate the problem, also ran and installed Spy Subtract and Spy Sweeper, which found and eliminated a number of trojans, but this didn't solve the problem either; finally I ran Panda ActiveScan, which you can get here: http://www.pandasoftware.com/activescan/com/activescan_principal.htm which found and eliminated the following:

Trj/Memtest.A
Trj/Downloader.AIX
Exploit/ByteVerify
Trj/Shinwow.c
W32/Spybot.gen.worm

Once it eliminated these, the browser hijack suddenly disappeared, and the O15 trusted zone entries in my HJT log were permanently eliminated (before I ran ActiveScan, whenever I fixed the O15 entries, they would reappear after reboot, regardless of whether I had disabled System Restore or not). Anyway, I'm no computer expert so I have no idea which of these viruses/trojans/worms was responsible for the hijack, but the fact that it's gone now is good enough for me.

Thanks for all your help everyone, I never would have been able to defeat this problem without your assistance!

Michel
 