Help!!! I can't get to any websites on my IE. Everything keeps getting directed to this http:// 296f8.iltxt.info /index.php?aid=543 site, with a pop up saying that 18% of my files are corrupted with spyware. I need to be able to get to my email and other websites in a hurry for work........can anyone help me remove this virus?

Thanks! :confused:


Edit: Link has been altered so that it can't be accidentally clicked on. It leads to a nasty 'Web search' site which plays games with your browser. Don't go there please! - Catweazle


If you haven't done so already, download Adaware and Spybot and scan your computer, rebooting between each, and let them fix anything they find. You can download them from here:

http://www.computercops.biz/zx/phoenix22/spybotsd13.zip
http://www.computercops.biz/downloads-file-292.html

After that, download and scan your computer with HijackThis. Be sure you update it to the latest version, which is 1.98.2. Scan your computer and post the log here. One of the security experts will take a look at it and advise you on fixing your computer. :) I don't have a link for HijackThis right offhand, but if you check in one of the other threads, more than likely there will be a link to it within a thread or in someone's sig. Good luck!:)

OK, I scanned with adaware and spybot, and so here is the log from the HJT scan:

Logfile of HijackThis v1.98.2
Scan saved at 8:21:14 PM, on 9/22/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost; *windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com; *profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228

Is there a name for this virus? I can't seem to figure out what it's called. What next?

Thanks for the speedy reply, by the way!

Heather

First, try these free online scans (set them to fix whatever they find):
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Also, download CWShredder and run it. Select the fix button & it will fix everything related to CoolWebSearch that is stored in its database. Close ALL windows before running CWShredder.
http://www.softpedia.com/progDownload/x-Download-8114.html

Reboot, scan with hjt and post a new log.

Before you post a new log, have hjt fix these entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost; *windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com; *profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL

O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE

Reboot into Safe Mode, go to the folder C:\WINDOWS\SYSTEM and delete this file:
X5S9IMYIOYF3HN.EXE

Reboot normally, scan with hjt, and now post a new log. :)
(Thank crunchie for this last bit, and thanks to Catweazle for editing the link in the original post.)

Hi, here is the new log after doing all that was asked of you guys.....except the panda scan....since it opens in a new window, the window flips back to the weird index page I'm having problems with. Otherwise, everything else was done. Here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 11:18:42 AM, on 9/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS1.98.2\HIJACKTHIS.EXE

O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

What next? Thanks for all your help here!!!!
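
Added example (not part of any post in this thread): a small Python script that parses two HijackThis logs and reports which registry entries and running processes disappeared between scans, which is the check the helpers are doing by eye here. The function names are illustrative, and the sample data is a short excerpt of the 9/22 and 9/23 logs above.

```python
import re

# Entry lines read "<section code> - <body>", e.g. O2 = BHO, O4 = autorun.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (section, body) entries in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body").strip()))
    return entries

def parse_processes(log_text):
    """Return upper-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_block = True
        elif in_block and (not line or ENTRY.match(line)):
            in_block = False  # blank line or first entry ends the list
        elif in_block:
            procs.add(line.upper())
    return procs

def compare(before, after):
    """Diff two logs: entries removed/added and processes no longer running."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(b - a),
        "added": sorted(a - b),
        "processes_gone": sorted(parse_processes(before) - parse_processes(after)),
    }

# Excerpts copied from the 9/22 and 9/23 logs posted in this thread.
BEFORE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE"""
AFTER = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE"""

print(compare(BEFORE, AFTER))
```

An entry that shows up under "removed" but returns in a later scan points to something still running that rewrites it, which is why the thread asks for a fresh log after each reboot.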

Have you rebooted before posting that log? It looks kinda thin on the ground...

I thought I rebooted, but maybe not....I rebooted again and here is the log.

Logfile of HijackThis v1.98.2
Scan saved at 11:46:22 AM, on 9/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS1.98.2\HIJACKTHIS.EXE

O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

I also have noticed when I reboot, not everything loads (when I look at the task manager). I went into msconfig and notice it keeps defaulting to selective startup, rather than normal start up. I keep changing it back to normal, but it keeps defaulting to selective. Maybe that has something to do with the log not looking right. Is this a result of the virus?

Thanks!

I also have noticed when I reboot, not everything loads (when I look at the task manager). I went into msconfig and notice it keeps defaulting to selective startup, rather than normal start up. I keep changing it back to normal, but it keeps defaulting to selective. Maybe that has something to do with the log not looking right. Is this a result of the virus?

Your log looks clean, I'm not sure how to fix your internet access problem. You could try installing SpywareBlaster, maybe it will block access to that site. You can download it from here:
http://www.javacoolsoftware.com/

Your startup problem certainly needs to be fixed, hopefully someone here can help you with that; I'm afraid I can't. :(

Oh, Hi, I got my internet access problem fixed. Thanks to all of you that helped me......you guys are the BEST!!!

Still having problems with not everything loading when I start my computer. Windows loads and so does exec and one other thing, and that's it. I guess it's OK, doesn't seem to affect anything when I'm working.

Not an urgent threat, but just wondering why that would happen.

Thanks!

If you go into msconfig and tell it to load normally
or
selective startup with everything ticked

Then what happens? i.e. a new log? or does it still go back to selective? or what? msconfig has something to do with the lack of entries.

Oh, Hi, I got my internet access problem fixed.

How did you get it fixed? It may help someone else who runs across this thread. :)
