
My computer no longer works at all in the slightest

Old 12-27-2009, 07:03 AM   #1
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



Okay, basically, my computer no longer works at all. I sent this Facebook message to a friend of mine who is good with computers. I sent it Christmas night, when my computer still worked. It describes what was happening at the time:

"Symantec keeps saying it's blocked a malicious attack on my computer, so I click view details and it says "An intrusion attempt by [MY NAME]-PC was blocked". It keeps saying that I've had attacks blocked, and that something called "HTTP Zbot Malicious File Download" has been blocked. The statistics it gives are:

Risk level: High
Default action: Block
Action taken: Block
Attacking Computer: [MY NAME]-PC (192.168.1.2, 62929)
Destination Address: 222.122.60.186, 80
Traffic Description: TCP, 62929

What does this mean? How do I get rid of it? I don't have anything important on my PC, but what am I at risk of losing here?

Also, Windows Defender keeps deleting (and I think at first it quarantined) "TrojanDownloader:Win32/fakeinit".

So I kept deleting it/blocking it and it kept coming back so I typed these things into the search engine and none of the results were helpful. Basically they said that TrojanDownloader often posed as antivirus software and then once downloaded installed lots of spyware and such on your computer. They gave some files it posed as, and suggested deleting them but none of them were on my computer (well none of them came up when I searched, anyway).

Finally, sometimes a popup box appears and says something like "Microsoft Windows Search Protocol Host stopped working and was closed"."

After that, he took control of my PC remotely, but he couldn't help because the virus had control of my system and kept shutting down programs that tried to help (for instance, I tried performing a full system scan with Norton but it delivered the "Norton blah blah blah has stopped working and was closed" message). It would also redirect from potentially helpful websites, though I was still able to get to them if I clicked back and then clicked the link again.

While I was still fiddling around and listening to music, reading webcomics etc., suddenly I heard an advert for Philadelphia come on that was DEFINITELY, 100% coming from my laptop. I checked Youtube, MSN, everything I was doing, and nowhere could I find where it was coming from. The audio advert stopped, and another one for Philadelphia came on. After that ended, one for Windows 7 came on but was cut out halfway through so another Philadelphia one started but it also stopped halfway through. I asked my friend, over MSN, what the hell was happening, and he said that someone else may be remotely controlling my computer but that he didn't know because he'd never used a trojan. He said over MSN (assuming that whoever may have been controlling the laptop could see) "get off my friend's computer, pick on someone else" and my Internet connection briefly disappeared but I was able to log on again right away. I assumed that someone was remotely accessing my computer and started a Word document and wrote "you are pathetic" in big letters (lol I know ) and Word immediately crashed (with the "Word has stopped working and was closed" message). I tried opening Word again just in case to see what would happen, and it would close immediately each time, but the original Word document had just frozen and would not close.

Straight after that happened I unplugged my Internet connection. I plugged it in again 10 minutes later, then unplugged it after about 2 minutes and turned off the laptop.

Now when I power up the laptop, nothing out of the ordinary happens until I log into a user. When I do that, I receive this exact message:

"Security Warning!

Worm.Win32.NetSky detected on your machine.
This virus is distributed via the Internet through e-mail and Active-x objects.
This worm has its own SMTP engine which means it gathers e-mails from your local computer and re-ditributes itself.
In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data.
Viruses can damage your confidential data and work on your computer.
Continue working in unprotected mode is very dangerous.

Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vista, 7
Security Risk (0-5): 5
Recomendations: It is necessary to perform a full system scan."

After that message, all I see is my background picture. There are no shortcut icons, no startbar, no sidebar, only my background picture and the occasional message saying "Windows Explorer has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

Other messages similar to this refer to Word not working, Windows Movie Player, Norton Internet Security etc. Sometimes the wording is slightly different.

So if any of you have any idea about what to do then I would love you forever.

Side note: There's nothing on my computer like bank account details or whatever, so that's a plus, but there is a load of stuff I don't want to lose so if there's any way of getting rid of the problem without losing all of my data, that would be great. I know I still have stuff on my computer because my downloaded screen saver, Electric Sheep, is still on there.

Also, sorry about the wall of text!

__________________
Synalon Etuul is offline  
Old 12-27-2009, 08:59 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



Hi,

Do you have access to another computer that you can download a program and transfer over to the infected PC?

If so please do the following:

Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


If not, can you access your Task Manager?

If you can (Ctrl + Alt + Del)

List out all the running processes for me:

If you are able to successfully run exeHelper, it should free up your computer enough to run the following diagnostic scans:

Please do the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT



Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 11:52 AM   #3
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



I insert the USB stick and nothing happens. :/

This happens with both USB sticks I've tried.
__________________
Synalon Etuul is offline  
Old 12-27-2009, 12:03 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



OK, look in your Task Manager processes and list out the running processes for me
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 12:13 PM   #5
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



Ati2evxx.exe
csrss.exe
dwm.exe
taskmgr.exe
winlogon.exe
winupdate86...

Incidentally, I opened task manager and clicked "file: New task" and tried to open My Computer, or UDISK, or exehelper, but it didn't find any so I clicked Browse and Task Manager stopped working. Also, some of my letter keys have been replaced by numbers (i = 5, j = 1, k = 2, l = 3, m = 0, o = 6, u = 4). Of course the corresponding numbers still just produce numbers.
__________________
Synalon Etuul is offline  
Old 12-27-2009, 12:14 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



Hi,

Please go back into task manager

select the winupdate86 process and END TASK (don't reboot)

your computer should now be able to download and run the programs
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 12:26 PM   #7
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



I did that (except it said 'end process' - does that matter?) but still when I insert the UDISK nothing happens. The light flashes red as though it's been registered but no box appears asking me to open folder to view files or something. Of course, lacking the icons and Start bar I can't go into My Computer to get to it either. :/

AND, now sometimes when I start up, I receive a new message:

"WARNING

Attention! System detected a potential hazard (TrojanSPM/XL) on your computer that may infect executable files. You [it actually says 'you' rather than 'your'] private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need to update your current security software. Click OK to download official intrusion detection system (IDS software)."

There is a box marked 'OK' and the red X in the top right. I clicked the X because I don't trust it but it appeared again.
__________________
Synalon Etuul is offline  
Old 12-27-2009, 12:38 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



Hi,

Yes, that is the Rogue AntiVirus popping up.

press the Windows key + R to open a run box:

browse to your USB drive letter (probably E:)

locate exeHelper.exe and select it > press OK to run it.
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 12:43 PM   #9
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



If the Windows key is a button with a circle around the Windows logo, then it's not doing anything. :/ I tried ctrl + Windows key + R and alt gr and alt etc. but none of it helped.

Should I restart and try again? My backgrounds have disappeared which happens sometimes but they come back if I reboot.

Also, what is this, a fu***** super-virus?!
__________________
Synalon Etuul is offline  
Old 12-27-2009, 12:53 PM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



Yes - reboot and try again.

the windows key + R should open up a run command

or try ctrl + shift + esc. to open task manager go to File > New task > type in the drive letter of your USB and exeHelper.exe (if E: it would be E:\exeHelper.exe > press OK)
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 01:04 PM   #11
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



gaaaaaah I try to type the whole sequence but the Task Manager stops working before I get there! I only manage 'E:' - if I type the '\' then it closes Task Manager. Also the Windows button and R still isn't doing anything. I made sure to stop the WinUpdate thing beforehand as well.
__________________
Synalon Etuul is offline  
Old 12-27-2009, 01:07 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



can you get into safe mode with networking and download the file to your desktop?

reboot and press F8 repeatedly on startup till an option menu appears...arrow up to safe mode with networking
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 01:18 PM   #13
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



ha! I've got to safe mode with networking (it was quite hard). One moment while I see if I can do anything.
__________________
Synalon Etuul is offline  
Old 12-27-2009, 01:31 PM   #14
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



I try to log into Guest (because that's the only place where I can open Task Manager - on my account there is just no option to open it at all) - what happens is I receive a message saying

"Windows could not connect to the Sens service.

Please consult your system administrator."

So I log onto my user and all the icons have appeared! Okay I'm pressing Windows button + R now...

Ohh a black box has come up! It keeps saying it's resetting things and deleting things but a box has come up saying "Application cannot be executed. The file is infected. Please activate your antivirus sofware." but it carried on in the background - now it's stopped and says "Press any key to continue..."

Okay I'll be writing the log text and such for a bit...
__________________
Synalon Etuul is offline  
Old 12-27-2009, 01:46 PM   #15
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



"exehelperlog - Notepad

exehelper by Raktor
Build 20091220
Run at 21:28:11 on 12/27/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad files...
Deleting file C:\Windows\system32\41.exe
Error deleting C:\Windows\system32\41. exe - Set for removcal on reboot - PLEASE REBOOT
Deleting file C:\Windows\system32\critical_warning.html
Deleting file C:\Windows\msa.exe
Deleting file C:\Windows\system32\sdra64.exe
Error deleting C:\Windows\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Deleting file C:\Windows\sshnas.dll
Deleting file C:\Windows\twex.exe
Error deleting C:\Windows\twex.exe - Set for removal on reboot - PLEASE REBOOT
Deleting file C:\Windows\winupdate86.exe
Error deleting C:\Windows\winupdate86.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Deleting file C:\Windows\winupdate86.exe
Error deleting C:\Windows\winupdate86.exe - Set for removal on reboot - PLEASE REBOOT
Resetting file type association for .exe
Resetting file type association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--"

I still have the black screen thing if you need that? It's a lot longer though. :P
__________________
Synalon Etuul is offline  
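
One way to triage a log like the one in the post above, added here as an example (it is not exeHelper's own code and was not posted in the thread): it separates files that were actually deleted from files only scheduled for removal on reboot, which are the ones to re-check after restarting. The function name `triage` and the line patterns are assumptions based on the log lines shown; the sample input is constructed from a subset of them.

```python
import re

# Constructed sample: a subset of the log lines posted above, keeping the
# hand-typed slip ("41. exe") in one of the error lines.
SAMPLE_LOG = r"""Checking for bad files...
Deleting file C:\Windows\system32\41.exe
Error deleting C:\Windows\system32\41. exe - Set for removcal on reboot - PLEASE REBOOT
Deleting file C:\Windows\system32\critical_warning.html
Deleting file C:\Windows\msa.exe
Deleting file C:\Windows\system32\sdra64.exe
Error deleting C:\Windows\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
Deleting file C:\Windows\winupdate86.exe
Error deleting C:\Windows\winupdate86.exe - Set for removal on reboot - PLEASE REBOOT
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe
Deleting file C:\Windows\winupdate86.exe
Error deleting C:\Windows\winupdate86.exe - Set for removal on reboot - PLEASE REBOOT
--Finished--"""

DELETE_RE = re.compile(r"^Deleting file (.+)$")
ERROR_RE = re.compile(r"^Error deleting ")
REMOVE_RE = re.compile(r"^Removing (HK[A-Z_]+\\.+)$")


def triage(log_text):
    """Split the log into files deleted, files still on disk until reboot,
    and registry entries removed. Repeated paths are reported once."""
    status = {}      # path -> "deleted" or "pending_reboot", in log order
    registry = []
    last_path = None
    for raw in log_text.splitlines():
        line = raw.strip().strip('"')
        m_del = DELETE_RE.match(line)
        m_reg = REMOVE_RE.match(line)
        if m_del:
            last_path = m_del.group(1)
            status.setdefault(last_path, "deleted")
        elif ERROR_RE.match(line) and last_path:
            # Use the path from the preceding "Deleting file" line: the
            # error line may be mistyped when a log is copied by hand.
            status[last_path] = "pending_reboot"
        elif m_reg:
            registry.append(m_reg.group(1))
            last_path = None
        else:
            last_path = None
    return {
        "deleted": [p for p, s in status.items() if s == "deleted"],
        "pending_reboot": [p for p, s in status.items() if s == "pending_reboot"],
        "registry_removed": registry,
    }

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```
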
Old 12-27-2009, 01:48 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



Have you rebooted?

Reboot - then log into normal mode

see if you can now download and run DDS and GMER
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 01:48 PM   #17
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



Should I start following the instructions in your first post?
__________________
Synalon Etuul is offline  
Old 12-27-2009, 01:48 PM   #18
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



Yes please
__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
Old 12-27-2009, 01:48 PM   #19
Registered Member
 
Join Date: Dec 2009
Posts: 39
OS: Windows Vista



What are DDS and GMER?
__________________
Synalon Etuul is offline  
Old 12-27-2009, 01:49 PM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
CatByte's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2009
Location: Canada
Posts: 8,846
OS: XP, Vista, Win7



The programs I asked you to run in this post:

http://www.techsupportforum.com/f100...ml#post2510566

__________________


Microsoft MVP 2010, 2011, 2012, 2013
CatByte is offline  
 
