# Possible virus in IIS, but not sure.



## Tad R (Mar 28, 2006)

I hardly know where to start with this as it is the most bizarre occurrence I have ever encountered. Up until last weekend, everything worked fine on my computer. Now, when I go to two sites to log in to various accounts (www.citicards.com – click “Small Business” tab on upper left or www.microsoft.com/smallbusiness/hub.mspx - click “Sign into my Online Services” button on upper right), pressing the button or link to the login page returns this (The one below is Microsoft; Citibank has a different reference URL):
--------------------
The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Please try the following:
•	If you typed the page address in the Address bar, make sure that it is spelled correctly.
•	Open the ulogin.bcentral.com home page, and then look for links to the information you want. 
•	Click the Back button to try another link. 
HTTP 404 - File not found
Internet Information Services

Technical Information (for support personnel)
More information:
Microsoft Support
-------------------------

Now things get really creepy. If I click on the ulogin.bcentral.com link, it pulls up the homepage to a site I have on my personal web server (IIS), with the URL showing http://www.ulogin.bcentral.com/. If I then click on any page in my site, it shows the domain name as http://www.ulogin.bcentral.com, with all directories and pages in the site tied to that domain. Incidentally, if I go back to “http://localhost” that still works and all of my pages and links appear as they should. 

The bad thing here is that I can’t log in to these two sites and I have to every single day. Has something (virus/malware/etc.) corrupted IIS or how it interprets these links? I have been able to log in to other accounts with no problem, but I’ve had no luck with these two. 

Over the weekend I did the following to my computer. Maybe this will shed some light on what is happening. However, note that I did nothing to IIS or my personal web server:

1.) Took one of those spam/scam “update your Chase Bank account info” emails and responded, entering my login as “FBI” and password as “is coming to get you.” I was trying to mess with these losers but am afraid that maybe that allowed something malicious on my computer. 
2.) Uninstalled an old version of Kazaa and tried to install a newer version (I haven’t been able to download a song in months because it just keeps saying, “connecting”). When this didn’t work, I just uninstalled it completely and gave up.

3.) Ran RegVac (novice mode) to clean up the registry from the deletions.

4.) Ran a couple of online spyware programs last night (Kaspersky and Panda). Nothing was detected.

Since then I have tried Windows System Restore and undoing the RegVac cleanup. Nothing has helped. I have checked my Zone Alarm Pro settings and my Norton AntiVirus setup, and nothing looks off (I did, however, delete some files that Norton had quarantined. I hope that didn’t screw something up).

Does anyone have any idea what is going on? I hope I placed this in the correct forum. If not, I can repost in another, I suppose. Any advice or help would save my sanity.

Tad


----------



## Skie (Mar 15, 2003)

I would suggest posting in the HijackThis forum after you download HijackThis and run it. Give them your log and let them determine if your computer is infected.


----------

