+  Cracked.com Forums - Pointless Waste of Time
Author Topic: Comanglia Virus Problems  (Read 5593 times)
camilikins
« on: December 27, 2008, 10:47 PM »

Yesterday my boyfriend was downloading WinRAR to open some zip files and discovered that the version he downloaded had something called Comanglia Virus attached. Basically a popup saying 'Comanglia' kept popping up in a pop-up box which kept reappearing when you hit OK. Popup. We have two computers, so it's not too big of an issue, but I need to get rid of it.

I've since discovered that it's a Trojan. Unfortunately the computer often turns itself off spontaneously after 15-20 minutes (unrelated issues, I'm fairly sure) so Norton and AVG can't run long enough to clear it. Does anyone know a definitive way (even if it takes longer than 20 mins) to clean up this virus?

Cheers in advance.

Heck is for people who don't believe in Gosh.
Remington
« Reply #1 on: December 28, 2008, 02:23 PM »

Press CTRL-SHIFT-ESC to bring up the task manager.  Click on Processes and end any process that says "explore.exe" (NOT explorer.exe).

Start -> Search -> "explore.exe" (again NOT explorer.exe)

Delete any copies of explore.exe found on your computer. (If you searched without quotations you might find copies of iexplore.exe alongside explore.exe--either search with the quotation marks or be sure not to delete the iexplore.exe files)

After you've deleted the files...

Start -> Run -> C:\WINDOWS\system32\drivers\etc  (or navigate that file path through My Computer)

Right click on the "Hosts" file and Open With -> Notepad.  You may need to just click open and select notepad from the list.

You should see a line that says

127.0.0.1  localhost

If there is anything below that line, remove it and save (CTRL-S) the file.

If this doesn't solve the problem, let me know and I'll do a little more research.

It's the Great PWOT Superhero Rumble!
The Hollywood Treatment, where I give movies the Hollywood endings they deserve.  Updated 11/07!
camilikins
« Reply #2 on: December 29, 2008, 02:18 AM »

Awesome, thanks so much! Karma coming your way.

As far as I can tell it's been removed. I've also uninstalled WinRAR so hopefully no more problems will ensue. Thanks again for your trouble!
Remington
« Reply #3 on: December 29, 2008, 04:20 AM »

No problem.  If you're looking for a good alternative to WinZip/RAR, I recommend 7-Zip.
mattg2
« Reply #4 on: December 29, 2008, 04:51 PM »

I've just had the same problem with this but this isn't solving it I'm afraid.

explore.exe isn't in processes, thankfully. The messages have stopped now too but everything still isn't right.

In my hosts file there is only 1 line:

123.251.143.110   www.asdfasdf,d.com

When I try and delete it or replace it with the localhost line it won't let me do that.

I now also have CoolWWWSearch.smartsearch hijacker software showing up in Spybot and I can't delete it.

I can't even open avast to run a scan either.

Man, this is annoying!
Remington
« Reply #5 on: December 29, 2008, 05:24 PM »

Try running CWShredder to get rid of CoolWebSearch.

When you say it won't let you remove the line in the hosts file, what do you mean?  You can't delete it or it won't let you save it or what?
mattg2
« Reply #6 on: December 29, 2008, 05:40 PM »

Hi Remington,

Thanks for the reply - I'll give CWShredder a go, although looking at the Spybot forums it may just be a reporting error problem or something - there are lots of CoolwebSearch variables and not all of them are picked up straight away by name by Spybot.

Anyway, about the hosts file - I can't save the changes. I've since discovered that in Vista (I have Vista) I need to change the permissions settings in Notepad so I can use it as an administrator. If you don't do this you can't edit anything. This is done by going to Start > All Programs > Accessories > Notepad, right click > Run as administrator.

I have tried this but it still won't save. I still need to play with this but I think this is the right way to go.

At the moment I'm just running loads of scans to uncover any lurking nasties on my machine. I'll then probably restart it and try and edit the hosts file again.

Do you know what I need in my hosts file? Is the following line enough by itself, or will I need anything else?

127.0.0.1  localhost

Thanks again for your reply and your help.
mattg2
« Reply #7 on: December 29, 2008, 06:40 PM »

All sorted now - phew!

For future reference if anyone else with the same problem stumbles across this thread here's what worked for me:

CWShredder found that CoolWebSearch.SmartSearch was indeed still on my machine but I actually deleted it after running a detailed scan with:

http://www.malwarebytes.org/mbam.php     (Just the free initial download)

Scan took well over an hour. It also found another nasty lingering there that the others missed.


I then replaced the infected hosts file with a template from here:

http://vlaurie.com/computers2/Articles/hosts.htm


I used the method I mentioned in my last post to open a blank notepad file with admin permissions, copied the template hosts file into it, then 'Save As' the host file into the /etc folder, replacing the infected file. I had been trying to directly edit the infected file but this isn't possible.

Thanks again for your help Remington.

Matt

toolman59
« Reply #8 on: January 02, 2009, 02:59 AM »

Remington

I followed your instructions to remove explore.exe and got rid of the annoying pop up.
Today I installed Windows Defender. After the first scan, the Software Explorer tool in Defender came up with the following entry in the start up category; it was listed as "N/A".

File Name: explore.exe
Start up Value: G:\WINDOWS\system32\explore.exe
File Path: G:\WINDOWS\system32\explore.exe
Start up Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Disabled
SpyNet Voting: Not Available

I selected disable in Defender, which removed it from "run" in the registry.
I can not find an entry for it in G:\WINDOWS\system32, is it still hidden somewhere on the system?

toolman59
Remington
« Reply #9 on: January 02, 2009, 03:29 AM »

If you got rid of the actual file itself, it looks like what you did with Windows Defender was remove the registry value that was pointing to it, so you should be alright.
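Added example, not part of the original thread: a Python sketch of the kind of check Windows Defender surfaced above, flagging startup entries whose image name is a near-miss of a well-known Windows binary (explore.exe versus explorer.exe and iexplore.exe). The allow-list, the distance threshold and every sample entry except the one toolman59 reported are assumptions constructed for illustration.

```python
import ntpath

# Assumed allow-list of binaries that malware commonly imitates.
KNOWN_IMAGES = {"explorer.exe", "iexplore.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "lsass.exe"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def image_name(command):
    """Extract the executable's base name from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]            # quoted path, args follow
    else:
        end = command.lower().find(".exe")
        path = command[:end + 4] if end != -1 else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def lookalikes(command, max_distance=2):
    """Known names this image imitates; empty for exact or unrelated names."""
    name = image_name(command)
    if name in KNOWN_IMAGES:
        return []
    return sorted(k for k in KNOWN_IMAGES
                  if edit_distance(name, k) <= max_distance)

def audit(entries):
    """entries: (value_name, command) pairs, e.g. read from the Run key."""
    return [(value, image_name(cmd), lookalikes(cmd))
            for value, cmd in entries if lookalikes(cmd)]

# First entry is the one reported in the thread; the rest are constructed.
SAMPLE_RUN_KEY = [
    ("explore", r"G:\WINDOWS\system32\explore.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Example App\svch0st.exe" /background'),
]

if __name__ == "__main__":
    for value, image, similar in audit(SAMPLE_RUN_KEY):
        print(f"{value}: {image} resembles {', '.join(similar)}")
```

A name match alone does not prove the file is legitimate; a full check would also compare the directory and signature of the image.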
butts2bombs
« Reply #10 on: January 02, 2009, 11:55 PM »

Soooo
I did everything you did and I got rid of the Comanglia pop-up  :D

But I can't find the 127.0.0.1 localhost in the hosts file.

I've typed it in and saved it but it hasn't changed anything.

What must I do????
Remington
« Reply #11 on: January 03, 2009, 04:16 AM »

Try doing what mattg2 did above, especially if you have Vista.
siwelmail
« Reply #12 on: January 03, 2009, 12:52 PM »

Can you help me?

I'm on XP and I did this:
Press CTRL-ALT-DEL to bring up the task manager.  Click on Processes and end any process that says "explore.exe" (NOT explorer.exe).

Start -> Search -> "explore.exe" (again NOT explorer.exe)

Delete any copies of explore.exe found on your computer. (If you searched without quotations you might find copies of iexplore.exe alongside explore.exe--either search with the quotation marks or be sure not to delete the iexplore.exe files)
siwelmail
« Reply #13 on: January 03, 2009, 12:54 PM »

Sorry for double posting.

Then I tried to do this:


After you've deleted the files...

Start -> Run -> C:\WINDOWS\system32\drivers\etc  (or navigate that file path through My Computer)

Right click on the "Hosts" file and Open With -> Notepad.  You may need to just click open and select notepad from the list.

You should see a line that says

127.0.0.1  localhost

If there is anything below that line, remove it and save (CTRL-S) the file.

But I didn't see anything to do with that. All I see is:

## Copyright (c) 1993-2001 Microsoft Corp.
#
# This file has been automatically generated for use by Microsoft Internet
# Connection Sharing. It contains the mappings of IP addresses to host names
# for the home network. Please do not make changes to the HOSTS.ICS file.
# Any changes may result in a loss of connectivity between machines on the
# local network.
#

#192.168.0.1 acer-3f31164f8b.mshome.net # 2013 5 2 7 19 2 43 78
butts2bombs
« Reply #14 on: January 05, 2009, 07:16 PM »

k

I tried to set the notepad to run as administrator?

But it still hasn't changed?

I think I'm the administrator?

BTW I'm running XP so I'm guessing that's why it didn't work.

Is there anything else I can do???

Please help :D
Remington
« Reply #15 on: January 05, 2009, 11:41 PM »

If you can't edit the file directly, try renaming it to something (like hostdelete, hostremove).  Once you've done this, create a new text document in the \etc\ folder (right click -> new -> text document).  Call it "hosts", with no extension.

Right click and open the new hosts file you created (using notepad), and paste this single line into this new document:

127.0.0.1       localhost

Save the file with CTRL-S.  Delete the file you renamed.
buffybaskey
« Reply #16 on: January 12, 2009, 12:13 PM »

Hello, I have joined just to say thank you to everyone who has posted on this topic. I followed the instructions and used the malware and have now solved the problem. Thanks again guys, very much appreciated xxx
RayW
« Reply #17 on: January 18, 2009, 07:39 PM »

I am using Vista 64 bit and seem to have got rid of the popup, but I still cannot get on to YouTube, Google as it keeps directing me to the "microsoft site". Can anyone help?

Remington
« Reply #18 on: January 18, 2009, 07:45 PM »

That's probably your hosts file.  It's telling your browser to go to their IP address for those sites rather than the actual IP address of the site.

Follow the instructions in this thread to revert your hosts file to its default (you may need to make a blank hosts file, rename the old one and then rename the new one, or run notepad as an administrator to edit the existing hosts file).
« Last Edit: January 18, 2009, 10:52 PM by Remington »
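Added example, not part of the original thread: a Python sketch that audits a hosts file the way the replies above do by hand, reporting every mapping other than the default localhost entry. The sample file is constructed apart from the entry quoted by mattg2; the reason labels and the hostname pattern are assumptions.

```python
import ipaddress
import re

# Assumed pattern for a syntactically plausible hostname.
HOSTNAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")

def audit_hosts(text):
    """Return (line_no, address, name, reason) for every non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if not fields:
            continue
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if not HOSTNAME.fullmatch(name):
                reason = "malformed hostname"
            elif ip.is_loopback and name.lower() == "localhost":
                continue                         # the default entry
            elif ip.is_loopback or ip.is_unspecified:
                reason = "name sinkholed locally"
            else:
                reason = "name redirected to fixed address"
            findings.append((line_no, address, name, reason))
    return findings

# Constructed sample; line 4 is the entry quoted earlier in the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
123.251.143.110   www.asdfasdf,d.com
203.0.113.7     www.example.com example.com   # constructed redirect
127.0.0.1       update.example.net            # constructed sinkhole
#192.168.0.1 old-entry.mshome.net
"""

if __name__ == "__main__":
    for line_no, address, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address} ({reason})")
```

To check a live system, pass the contents of the hosts file in the `drivers\etc` folder named earlier in the thread to `audit_hosts`.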
RayW
« Reply #19 on: January 18, 2009, 07:52 PM »

I have completely deleted the HOSTS files that I can find... and still the same thing.