"hotx" web dialer
i got a really annoying web dialer called "hotx". i deleted the files, and used both spybot and adaware, but it always reloads itself on startup. another thread was about the same thing, and on that thread, another guy got killbox to boot the re-installer called "win.com", then used spybot and adaware to delete the associated files. i dont know whether win.com is a file, or a web site, or what, and i cant get killbox to work as id like it to. i know its a bit of a nuisance, but could i get some help, or possibly some step by step instructions?
also, i downloaded the uninstaller posted in the last forum called "cleanit", and it didnt really work. whenever i'd run it, a countdown to restart would begin, but at the end of the countdown, nothing happened, so i'd restart the computer myself out of the start button. but then the pc would crash, so i'd have to manually turn off the pc by holding down the on button. then the web dialer would come back on reboot.
You'll have to scroll down the page a little and it's there.
Then save your log file to desktop and go to HijackThis log file analysis.
The site will explain what to do with the logfile.
also, i think that it might be important, but usually when i boot the computer, the hotx files reload in a folder in program files called "web site viewer", or something like that. i always delete all the files and shortcuts and remove them from the recycling bin, but yesterday, i chose not to, and the program didnt boot on startup and the "web site viewer" folder and its contents were not reinstalled. i havent restarted my computer since then, but i will when i get home, and i will tell you what happens.
"I finally eliminated it. I found the re-installer as win.com and used Killbox to boot it. Then I ran spybot and adaware which killed other associated files involved."
If it's showing up as file-- "web site viewer"
And what you have I believe is the TIBS dialer.
I've found a few references to it.
We should be able to get rid of it.
i dont really know how much use this is to you, but i also found that a file called 127703.dlr that is associated with the tibs dialer boots when windows starts.
If not download one of these, and do a full deep scan.
I use AVG but both are good programs.
Then we can go on. Post back when you're done.
Also, did AVG say it found malware or spyware?
also, i think its safe to say TIBS is gone. Assume so unless/until i tell you otherwise.
Trend Online virus scan is one of them. It's easy and simple, but is excellent at finding stuff leftover.
i have a bunch of problems that only happen in internet explorer. when i load up internet explorer, AVG notifies me of a virus [the name of the virus changes], and when i delete the file, it comes back. also, i have the infamous about:blank thing [only in internet explorer]. also, i have a bunch of bookmarks load every time i open internet explorer. the bookmarks are a folder of bookmarks called "sites about", "only sex website", "search the web", and "seven days of free porn".
also, i went to the "trend online virus scan" link. it takes me to a page that assumes i have netscape and gives me loading directions. i downloaded it anyway, but would install it to C:\program files\netscape, which i dont have, and then would refuse to install it.
ps. i know it may be annoying that i tell you every little thing that happens, but i dont know very much about this kind of stuff, and i dont really know what information might be important.
Trying to do a system restore will only infect your pc deeper.
Only load the programs I tell you to for the moment. It's good you're telling me every little thing.
And you definitely don't want Netscape. After we get this all cleaned, you'll need to get the Mozilla Firefox or Opera Browser. But not until we are done. Netscape and Internet Explorer are too easy to get infected.
First, You need to turn off system restore on all drives.
Then we need to enable your Active X in Internet Explorer to do an online virus scan.
That's why it's trying to tell you to get netscape.
I need to know what version of Internet Explorer you have. On the top bar you'll see a (Help) button, click it and then (About Internet Explorer). It will have the version in there. It's a little different to turn it on in each version.
Post back and I'll be waiting.
first, i already have mozilla firefox. i dont use internet explorer too often, but i guess either i or someone else was using it on some occasion and that is when i got all the malware.
it says that the internet explorer version is 6.0.2800.1106.xpsp2.031208-2000
also, i noticed that under the "connections" tab in internet options, it says "TIBS41" and has a bubble "never dial a connection" selected.
ps. i want to add that i wont be able to check the thread between saturday the 23rd and monday the 25th, so dont be surprised if you dont hear from me for those few days.
Enabling Active X for Microsoft Internet Explorer 6.0
1. Click Tools and select Internet Options on the Internet Explorer menu bar.
2. Click the Security Tab and select the Internet Zone.
3. Click Internet to display the settings for the Internet Zone.
4. Click the radio button to select Custom (for expert users).
5. Click the Settings button to open the Security Settings window.
6. Scroll to the Active X controls and plug-ins and verify that the options are set to Enable or Prompt.
7. Scroll to the Scripting Section and verify that Active Scripting is set to Enable or Prompt.
Note: Clicking a checked box removes the checkmark and disables the feature.
If you see checkmarks in the Enable or Prompt boxes, do not click on the checked boxes.
8. Click OK to close the Security Settings window.
9. Click OK to close the Internet Options window.
Then go to trend and get the scan. You'll get a popup window that will want to load the program, say yes you trust trend.
Once it's loaded check all harddrives to be scanned and let it run.
Try to write down all things found too, for my reference.
When it's done, post back.
You can copy and print all these instructions so you can read them if need be.
also, when the AVG message comes up that i have a virus, what should i do, "continue", "heal", or "delete"?
No, On the error reports.
I'll keep the dates in mind. Hopefully we'll be done before then.
And you can use firefox at this site, firefox with java: Trend Micro.
One thing to do before your online scan (I almost forgot)
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.
Then do your online scan with firefox.
Remember: post all references to viruses if you have any.
OK, Do that and post back.
i found one of the files is called "ipod32.exe", and i found from the task manager that it was running, so id understand why the program cant delete it. but i still dont know why the other files wont be deleted. should i delete those files manually?
by the way, 2 of the programs are called "java_bytever.A-1", one called "java_bytever.b", three called "java_bytever.a", and one called "troj_dloader.hd". all of the "java_bytever" files are in "C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar", and troj.dloader is in "C:\windows".
No, Don't remove anything. we need to follow a step by step procedure.
Through this process, keep all names and addresses of the offending malware, virus, trojan, etc. so you can post them for me.
Check the task manager for all files that the trend scan found and turn them off in the task manager. And run it again to see if it will remove them.
Post back when you've finished.
JAVA_BYTEVER.A-1 (1) C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-64e31c12-6e9292b4.zip (Gummy.class,Xeyond.class,)
JAVA_BYTEVER.A-1 (2) C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-1fac6572-24e84406.zip (Gummy.class,Beyond.class,)
JAVA_BYTEVER.B (1) C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1e42ae07-230caff4.zip (Blackbox.class,VB.class,Dummy.class,Beyond.class,)
JAVA_BYTEVER.A (1) C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2e5e301f-3f9a5b8e.zip (Dummy.class,)
JAVA_BYTEVER.A (2) C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-76dd7ea1-4cca0921.zip (Dummy.class,)
JAVA_BYTEVER.A (3) C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv480.jar-240ae454-71849827.zip (Dummy.class)
TROJ_DLOADER.HD C:\WINDOWS\ipod32.exe
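The scan listing above, parsed into structured records, as an added example that is not part of the original thread. The line format is inferred from these seven lines only; the function names and the "in_java_cache" flag are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed input: the seven report lines as posted in the thread.
CACHE = r"C:\Documents and Settings\Abe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar"
REPORT = "\n".join([
    rf"JAVA_BYTEVER.A-1 (1) {CACHE}\Counters.jar-64e31c12-6e9292b4.zip (Gummy.class,Xeyond.class,)",
    rf"JAVA_BYTEVER.A-1 (2) {CACHE}\arc.zip-1fac6572-24e84406.zip (Gummy.class,Beyond.class,)",
    rf"JAVA_BYTEVER.B (1) {CACHE}\archive.jar-1e42ae07-230caff4.zip (Blackbox.class,VB.class,Dummy.class,Beyond.class,)",
    rf"JAVA_BYTEVER.A (1) {CACHE}\classload.jar-2e5e301f-3f9a5b8e.zip (Dummy.class,)",
    rf"JAVA_BYTEVER.A (2) {CACHE}\count.jar-76dd7ea1-4cca0921.zip (Dummy.class,)",
    rf"JAVA_BYTEVER.A (3) {CACHE}\loaderadv480.jar-240ae454-71849827.zip (Dummy.class)",
    r"TROJ_DLOADER.HD C:\WINDOWS\ipod32.exe",
])

# Assumed layout: NAME [(n)] DRIVE:\path [(member,member,)]
LINE_RE = re.compile(
    r"^(?P<name>[A-Z0-9_.\-]+)(?: \((?P<idx>\d+)\))? "
    r"(?P<path>[A-Za-z]:\\.*?)(?: \((?P<members>[^()]*)\))?$"
)
JAVA_CACHE = r"\sun\java\deployment\cache"  # Java plug-in cache, per the paths above

def parse_report(text):
    """Return (records, skipped); lines that do not fit the layout are kept in skipped."""
    records, skipped = [], []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped.append(line)  # never drop a line silently
            continue
        members = [c for c in (m["members"] or "").split(",") if c]
        records.append({
            "detection": m["name"],
            "path": m["path"],
            "members": members,  # class files flagged inside the archive
            "in_java_cache": JAVA_CACHE in m["path"].lower(),
        })
    return records, skipped

def count_by_detection(records):
    return Counter(r["detection"] for r in records)

def outside_java_cache(records):
    """Detections that are not cached applet archives, e.g. a file in C:\\WINDOWS."""
    return [r["path"] for r in records if not r["in_java_cache"]]

if __name__ == "__main__":
    recs, bad = parse_report(REPORT)
    print(dict(count_by_detection(recs)), outside_java_cache(recs), bad)
```

Grouping the output this way separates the six cached archives from the single file under C:\WINDOWS, the one the poster saw running in the task manager.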
As long as we have the names and locations we're ok. Format doesn't matter.
Do the other and run the scan.
Also, Don't do all this with multiple windows or tabs open on your browser.
Close all programs and browsers except the one browser you're using.
post back.
Make sure all browser windows are closed before doing the rest of these procedures.
Next the first program that I recommend installing is CWShredder.
Get the stand alone version here: CW Shredder
Unzip the program to your Desktop. Double click on it to open up the program. Click on Fix and let it remove any traces found. When you click Fix, it will ask you to close all browser windows, so make sure you don't have Internet Explorer, Netscape or any other browser running. Click OK. It will scan and remove any files found. If a window pops up asking you if you want to delete a certain file, write down the whole path to post here, (ex: C:\Windows\some_program.exe) and choose NO. After that's finished, click Next and Exit. Also post any viruses if you have one detected and any CWS entries removed or detected. Then post back.