why does this keep downloading
lhys09915
03-26-2004, 05:02 AM
It's a setup file that installs golden casino even when I am not using the net.
Anyone else have this happen?
Run Spybot, Ad-Aware, and Spy Sweeper. Next time provide more information please.
Mr Snatcher
03-26-2004, 08:50 AM
If those can't take care of it, give Pest Patrol and HijackThis a try.
lhys09915
03-26-2004, 03:03 PM
This is the log. Which is safe to delete?
Logfile of HijackThis v1.97.7
Scan saved at 20:55:33, on 26/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\SRNMIC~1\SOLOSENT.EXE
D:\Tauscan 1.6\Taumon.exe
D:\Shareaza\Shareaza.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INCRED~1\bin\IBMain.exe
F:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.incredimail.com/gallery.asp?typeId=6&lang=9&addon=IncrediMail&pn=29453200
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IBBHO - {12BA043E-293E-4CE4-A8C7-8460934FE801} - C:\Program Files\IncrediBar\bin\IBBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: MSN smart tags - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\smarttag\MSNBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Reset Timer] wscript.exe %systemroot%\repair\rollback.js
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoloSysCheck] d:\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoloSentry] D:\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [ofanwf] C:\WINDOWS\ofanwf.exe
O4 - HKLM\..\Run: [ldbkpevm] C:\WINDOWS\System32\ityfeddb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "D:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: IncrediBar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
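Added example, not part of the original thread: one way to turn a HijackThis log like the one above into a lookup worklist, by parsing the O2 (BHO), O4 (autorun) and O16 (downloaded ActiveX) lines and extracting the file name or download host that startup databases are keyed by. The function names and the `reviewed` set are assumptions made for this illustration; the sample lines are copied from the log above.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [ofanwf] C:\WINDOWS\ofanwf.exe
O4 - HKLM\..\Run: [Reset Timer] wscript.exe %systemroot%\repair\rollback.js
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"
PATTERNS = {
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$"),
    "O16": re.compile(rf"^O16 - DPF: (?P<clsid>{CLSID})(?: \((?P<name>.*?)\))? - (?P<target>\S+)$"),
}
# Either a quoted path, or everything up to the first executable-looking extension.
IMAGE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|dll|cpl|ocx|js))\b', re.I)

def parse(log):
    """Return one dict per recognised O2/O4/O16 line, in log order."""
    entries = []
    for line in map(str.strip, log.splitlines()):
        for section, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                entries.append({"section": section, **m.groupdict()})
                break
    return entries

def image_name(command):
    """Lower-cased file name of the program a command line starts (arguments dropped)."""
    m = IMAGE.match(command)
    path = (m.group(1) or m.group(2)) if m else command
    return path.rsplit("\\", 1)[-1].lower()

def lookup_key(entry):
    """Download host for O16 entries, file name for O2/O4 entries."""
    if entry["section"] == "O16":
        return urlparse(entry["target"]).hostname
    return image_name(entry["target"])

def worklist(entries, reviewed):
    """Entries still to be looked up; `reviewed` holds keys already checked by hand."""
    return [(e["section"], lookup_key(e)) for e in entries if lookup_key(e) not in reviewed]

if __name__ == "__main__":
    for section, key in worklist(parse(SAMPLE_LOG), reviewed={"nerocheck.exe"}):
        print(section, key)
```

The worklist is only a list of things to look up, not a verdict on any entry.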
CHR15
03-26-2004, 03:26 PM
The entry which catches my eye is the O16 DPF WildTangent entry near the bottom.
Some info I found poking around about it:
I finally got fed up with Golden Palace Casino, actually went to their web site, called their customer service number and they emailed me a link to uninstall and it worked! How simple was that! Here are the contents of the email they sent.
Dear Customer,
When you sign-up with different websites and download various programs from the Internet, it is possible you may also be downloading other programs or applications at the same time as part of their installation bundle.
Our company is affiliated with many different websites and it is possible you may have received our software in one of their bundles. All of our affiliates require their customers to agree to their Terms and Conditions before downloading any of their products and any software included with their products.
If you download software from the Internet, we highly recommend that you fully read all Terms and Conditions and/or licensing agreements before installing anything.
Removing our software from your computer is a simple process. However, you can only do so after it has been completely downloaded to your computer. The full download is just over 60 megabytes.
Removing the Software
There are three ways of removing the software, try each one in order. If the first doesn't work, try the second; if the second is not successful, try the third.
1. Click the following link for instruction on how to remove the software: http://remove.monsterserve.com/remove/toolbar/index.html
2. Go to http://www.jraun.com and click the uninstall download at the bottom.
3. In some cases, you may also have to remove the software from your computer index directory. This is easy if you follow these steps:
1. Double click the My Computer icon on your desktop to open it.
2. Double click the Local Disk (C) icon to open it.
3. Find the folder named Casino then right-click ONCE on it; this will open a drop-down menu.
4. Hold down the SHIFT Key and click DELETE in the drop-down menu simultaneously.
5. Be sure to wait for the final Delete message - you must click YES, then the software will be deleted from your index directory.
Keep in mind that our software is not spy-ware, and removing our software will not remove any spy-ware that may have been installed on your computer. We recommend that you download an application called "Ad-Aware" from http://www.lavasoftusa.com and run it periodically to remove annoying spy-ware from your computer.
Should you need to contact us for further assistance with the removal of the software, our toll free number is 1-888-217-5648.
Hope it's of some use :)
seracca
03-26-2004, 05:30 PM
Wow .. It almost sounds like they're the victims ... and a legitimate business! :yell1:
Poor, Golden Palace Casino .... being misrepresented like that! Don't you feel sorry for them?
What a load of crap! These companies' programs should be classified as virii.
They attach themselves to your computer without your knowledge or permission, and refuse to be removed through normal means!
emailrob
03-27-2004, 03:33 AM
I would always use an independent 'uninstaller', their one could do more harm than good!!
duffy90210
03-27-2004, 03:48 AM
Removing our software from your computer is a simple process. However, you can only do so after it has been completely downloaded to your computer. The full download is just over 60 megabytes.
Simple process? Not for someone who has a modem connection, 60MB? Are they taking the xxxx?
hara-kiri
03-29-2004, 01:12 PM
Hehehe, the funny thing is their install file is probably only a few kb!
Then normal people will go "well, can't download that" and live with it still on their computer.
noyfb™
03-29-2004, 05:17 PM
I had that on my PC, was part of ncase, feckin nightmare to get rid of. :mad:
leday
04-06-2004, 04:29 PM
I had this on MY PC this week and Adaware got rid of it nicely, HOWEVER---every few days I get a message when I boot my PC that "Golden Palace Casino has been uninstalled on your PC---would you like to reinstall it? Y/N". Where is THIS little message residing and how can I get rid of it so that it STAYS gone!???
leday, have you tried a scan with Spybot? Also check your startup folder, make sure nothing from it got left behind in there.
leday
04-06-2004, 04:50 PM
Had a look in MSCONFIG Startup tab and unchecked a couple of "suspicious" entries, but I don't know what they belong to (frsk.exe, eddmzzjk.exe, mwsvm.exe) and submitted them to Lavasoft (Adaware), but haven't heard anything yet. Haven't tried Spybot yet though. Any ideas?
BlackDiamondJr
04-06-2004, 05:03 PM
Frsk X frsk.exe Unidentified adware downloader trojan
Mwsvm X mwsvm.exe SeekSeek search hijacker related
eddmzzjk.exe is probably in the same category.
Looks like you weren't quite all that clean.
CousinFizz
04-08-2004, 06:17 AM
This is a nightmare... I switched HDs for now but I have to go back and most likely reformat because of this thing. I'm going to try to DL it and uninstall like they say but I never asked for it or signed up for anything either. I don't like it at all!! Ad-aware 6 will get rid of it along with removing it in your add/remove programs area but it comes back! And even using 'msconfig' won't help either because it rechecks itself when you reboot. Sorry piece of stuff if you ask me... :mad:
Bad Boy
04-08-2004, 06:58 AM
Had a look in MSCONFIG Startup tab and unchecked a couple of "suspicious" entries, but I don't know what they belong to (frsk.exe, eddmzzjk.exe, mwsvm.exe) and submitted them to Lavasoft (Adaware), but haven't heard anything yet. Haven't tried Spybot yet though. Any ideas?
Check out this site for startup questions. http://www.pacs-portal.co.uk/startup_content.php#THE_PROGRAMS
BlackDiamondJr
04-08-2004, 11:43 AM
Actually, for a very extensive Startup Application list...
http://www.sysinfo.org/startuplist.php
leday
04-08-2004, 12:12 PM
Thanks. Helpful info!