0

Help!!! I can't get to any websites on my IE. Everything keeps getting directed to this http:// 296f8.iltxt.info /index.php?aid=543 site, with a pop up saying that 18% of my files are corrupted with spyware. I need to be able to get to my email and other websites in a hurry for work........can anyone help me remove this virus?

Thanks! :confused:


Edit: Link has been altered so that it can't be accidentally clicked on. It leads to a nasty 'Web search' site which plays games with your brower. Don't go there please! - Catweazle

4
Contributors
12
Replies
13
Views
12 Years
Discussion Span
Last Post by dlh6213
0

If you haven't done so already, download Adaware and Spybot and scan your computer, rebooting between each, and let them fix anything they find. You can download them from here:

http://www.computercops.biz/zx/phoenix22/spybotsd13.zip
http://www.computercops.biz/downloads-file-292.html

After that, download and scan your computer with HijackThis. Be sure you update it to the latest version, which is 1.98.2. Scan your computer and post the log here. One of the security experts will take a look at it and advise you on fixing your computer. :) I don't have a link for HijackThis right offhand, but if you check in one of the other threads, more than likely there will be a link to it within a thread or in someone's sig. Good luck!:)

0

OK, I scanned with adaware and spybot, and so here is the log from the HJT scan:

Logfile of HijackThis v1.98.2
Scan saved at 8:21:14 PM, on 9/22/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=543
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost; *windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com; *profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL
O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228

Is there a name for this virus? I can't seem to figure out what it's called. What next?

Thanks for the speedy reply, by the way!

Heather

0

Before you post a new log, have hjt fix these entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost; *windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com; *profiles.yahoo.com;*.pogo.com;*test-speed.com;<local>

O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\7OSOSG~1.DLL

O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\X5S9IMYIOYF3HN.EXE

Reboot into Safe Mode, go to the folder C:\WINDOWS\SYSTEM and delete this file:
X5S9IMYIOYF3HN.EXE

Reboot normally, scan with hjt, and now post a new log. :)
(Thank crunchie for this last bit, and thanks to Catweazle for editing the link in the original post.)

0

Hi, here is the new log after doing all that was asked of you guys.....except the panda scan....since it opens in a new window, the window flips back to the wierd index page I'm having problems with. Otherwise, everything else was done. Here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 11:18:42 AM, on 9/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\JUNO\EXEC.EXE
C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS1.98.2\HIJACKTHIS.EXE

O4 - HKLM\..\RunOnce: [untd_recovery] C:\PROGRAM FILES\JUNO\QSACC\X1EXEC.EXE
O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

What next? Thanks for all your help here!!!!

0

I thought I rebooted, but maybe not....I rebooted again and here is the log.

Logfile of HijackThis v1.98.2
Scan saved at 11:46:22 AM, on 9/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS1.98.2\HIJACKTHIS.EXE

O8 - Extra context menu item: Display Image with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/227
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\PROGRAM FILES\JUNO\QSACC\appres.dll/228
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

I also have noticed when I reboot, not everything loads (when I look at the task manager). I went into msconfig and notice it keeps defaulting to selective startup, rather than normal start up. I keep changing it back to normal, but it keeps defaulting to selective. Maybe that has something to do with the log not looking right. Is this a result of the virus?

Thanks!

0

I also have noticed when I reboot, not everything loads (when I look at the task manager). I went into msconfig and notice it keeps defaulting to selective startup, rather than normal start up. I keep changing it back to normal, but it keeps defaulting to selective. Maybe that has something to do with the log not looking right. Is this a result of the virus?

Your log looks clean, I'm not sure how to fix your internet access problem. You could try installing SpywareBlaster, maybe it will block access to that site. You can download it from here:
http://www.javacoolsoftware.com/

Your startup problem certainly needs to be fixed, hopefully someone here can help you with that; I'm afraid I can't. :(

0

Oh, Hi, I got my internet access problem fixed. Thanks to all of you that helped me......you guys are the BEST!!!

Still having problems with not everything loading when I start my computer. Windows loads and so does exec and one other thing, and that's it. I guess it's OK, doesn't seem to affect anything when I'm working.

Not an urgent threat, but just wondering why that would happen

Thanks!

0

If you go into msconfig and tell it to load normally
or
selective startup with everything ticked

Then what happens? i.e. a new log? or does it still go back to selective? or what? msconfig has something to do with the lack of entries.

0

Oh, Hi, I got my internet access problem fixed.

How did you get it fixed? It may help someone else who runs across this thread. :)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.