Serious computer problems, is it a virus?

June 2, 2011 at 19:57:32
Specs: Windows XP
I can't download anything, as it all just ends up being zero bytes, and I can't run any executables. Google is constantly redirecting me to other sites, sometimes several tries in a row. On my other account on the PC, I can't start Firefox up at all, because some official-looking window pops up (that I've never seen before) saying something about how I need to activate my firewall, and there's two options, activate or go on without it. Whichever one I choose, it doesn't let Firefox or Internet Explorer work anyway, and it opens up a bunch of windows. On Firefox, it shows that no pages can be opened, not even Google. Obviously it's some sort of infection, because I've never seen a page that looked like that before, and a legit program never opens a bunch of windows and confuses you on purpose. I even tried safe mode, which has worked before, but it won't let me access the internet there either, and I can't download the Norton 360 security update thing that I've used before. What should I do?


June 2, 2011 at 20:16:20
Physically remove the HD and slave it to another PC, and then scan it.

Some HELP in posting on plus free progs and instructions Cheers


June 2, 2011 at 21:08:08

If you cannot download the following file, the malware may be blocking the attempt. You need to download the file to a clean computer and then transfer it to the infected one using a USB flash drive, or external media (an external drive or a CD).

Please download exeHelper from one of these two places:

Save it to your USB drive, and then transfer it to the Desktop

Vista or Windows 7 users, right-click the downloaded file and select "Run as Administrator"
XP users, double-click on the downloaded file to run the program

A black window should pop up
Press any key to close, once the fix is completed.

>>Please post the contents of the exehelperlog.txt in your reply.<<
[It is created in the directory where you ran exeHelper, and should also open at the end of the scan.]

Next, see if you can download RogueKiller

Save it to your Desktop.

Close all open programs.

For Vista/Windows 7, right click the file and select: Run as Administrator
For Windows XP, double-click the downloaded file.

Note: If the program is getting blocked, do not hesitate to try running it several times. If it does not work at all, delete the previous download, download it again, and in the Save as prompt, File Name area, rename it: winlogon.exe

When prompted, type 1 and hit Enter.

An RKreport.txt should appear on your Desktop.

>>Also post the contents of the RKreport.txt in your reply.<<


June 2, 2011 at 21:30:07
I'll try and do that right now


June 2, 2011 at 21:38:21
It allowed me to download that file, maybe because it was a link? It didn't seem to redirect when there was a direct link to a site either, so maybe that's something? Of course, I can't be sure. There's the contents of the first log; looks like nothing's wrong with it, but again, I don't know for sure, obviously, as I'm not familiar with it.

exeHelper by Raktor
Build 20100414
Run at 21:30:26 on 06/02/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...

...and here's the log for the second one.

RogueKiller V5.2.1 [06/02/2011] by Tigzy
contact at
mail: tigzyRK<at>gmail<dot>com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: d [Admin rights]
Mode: Scan -- Date : 06/02/2011 21:35:32

Bad processes: 3
[SUSP PATH] conhost.exe -- c:\documents and settings\a\application data\microsoft\conhost.exe -> KILLED
[SUSP PATH] csrss.exe -- c:\docume~1\d\locals~1\temp\csrss.exe -> KILLED
[SUSP PATH] dwm.exe -- c:\documents and settings\d\application data\dwm.exe -> KILLED

Registry Entries: 15
[SUSP PATH] HKLM\[...]\Run : conhost (C:\Documents and Settings\a\Application Data\Microsoft\conhost.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Winlogon : Shell (explorer.exe,C:\Documents and Settings\d\Application Data\dwm.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Windows : load (C:\DOCUME~1\d\LOCALS~1\Temp\csrss.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-937394762-3329895286-1349952404-1008[...]\Winlogon : Shell (explorer.exe,C:\Documents and Settings\d\Application Data\dwm.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-937394762-3329895286-1349952404-1008[...]\Windows : load (C:\DOCUME~1\d\LOCALS~1\Temp\csrss.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http= -> FOUND
[FILEASSO] \ "C:\DOCUME~1\v\LOCALS~1\Temp\0.8871048425115549.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe": -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Documents and Settings\a\Local Settings\Application Data\hfo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command : ("C:\Documents and Settings\a\Local Settings\Application Data\hfo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\DOCUME~1\v\LOCALS~1\Temp\0.8871048425115549.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

HOSTS File: localhost

Finished : << \RKreport[1].txt >>

Anything wrong with either? Thanks for the help.


June 2, 2011 at 21:40:30
Also, it seems as though what's affecting the really bad account is separate from this account, as nothing of the same kind is appearing on the account that I can access the internet on. Perhaps I should try running the same programs while logged into the badly affected account?


June 4, 2011 at 20:24:10
Sorry, omamder5, I did not see your reply!! My bad.

You do need to run the programs on the infected account, and post the information. We will then take it from there.

If you want to engage in removing the hard drive from your PC and slaving it to another PC (which needs to be clean, and have an AntiVirus program installed), keep in mind that this action will detect and clean/delete some infected files. However, it will not fix changes that much of the current malware makes to the Registry, because the Registry is not active when the drive is slaved. If Registry keys were created by the virus, then they also have to be deleted from the Registry to completely remove the impact of the virus.

So, when you return the previously infected drive, which you now think is "cleaned", to the computer where it came from, and boot from it, you may still have problems and errors showing up. These will need to be fixed manually with Regedit, or using specialized tools.

Bottom line...very little is accomplished by slaving a drive to remove infections, these days.

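The RogueKiller log quoted earlier in this thread and the point above about Registry changes surviving an offline scan fit together: almost every line in that log is a Registry persistence or hijack entry, not a file. The following is an added example, not code from RogueKiller or from anyone in this thread. It parses the `[TAG] body -> STATUS` line shape seen in the quoted log (the format is inferred from those lines; the sample text below is a constructed subset of them), groups each finding by the mechanism it represents, and lists which findings live only in the Registry and would therefore remain after deleting files from a slaved drive. The mechanism labels are this example's own naming.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the RogueKiller lines quoted in this thread.
SAMPLE_LOG = r"""
Bad processes: 3
[SUSP PATH] conhost.exe -- c:\documents and settings\a\application data\microsoft\conhost.exe -> KILLED
[SUSP PATH] csrss.exe -- c:\docume~1\d\locals~1\temp\csrss.exe -> KILLED
[SUSP PATH] dwm.exe -- c:\documents and settings\d\application data\dwm.exe -> KILLED

Registry Entries: 15
[SUSP PATH] HKLM\[...]\Run : conhost (C:\Documents and Settings\a\Application Data\Microsoft\conhost.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Winlogon : Shell (explorer.exe,C:\Documents and Settings\d\Application Data\dwm.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Windows : load (C:\DOCUME~1\d\LOCALS~1\Temp\csrss.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Documents and Settings\a\Local Settings\Application Data\hfo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
[FILEASSO] \ "C:\DOCUME~1\v\LOCALS~1\Temp\0.8871048425115549.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe": -> FOUND
"""

# One finding per line: "[TAG] <body> -> STATUS" (shape inferred from the quoted log)
ENTRY_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\]\s+(?P<body>.+?)\s+->\s+(?P<status>[A-Z]+)\s*$")


def classify(tag, key, value):
    """Map a registry key/value (or a raw body) to the persistence/hijack mechanism it implements."""
    k, v = key.lower(), value.lower()
    if "startmenuinternet" in k and k.endswith("\\command"):
        # The browser's launch command now runs another binary first, which then
        # starts (or blocks) the real browser: explains "can't start Firefox at all".
        return "browser hijack: browser launch command wrapped by another executable"
    if tag == "FILEASSO":
        return "file association hijack: executable launch wrapped"
    if k.endswith("\\run"):
        return "autostart: Run key"
    if "winlogon" in k and v.startswith("shell"):
        return "autostart: Winlogon Shell value"
    if k.endswith("\\windows") and v.startswith("load"):
        return "autostart: Windows 'load' value"
    if "internet settings" in k:
        return "traffic redirect: IE proxy setting"
    if "security center" in k:
        return "defense evasion: Security Center notifications disabled"
    return "unclassified"


def parse_report(text):
    """Turn report lines into dicts; process lines use 'name -- path', registry lines 'key : value'."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # headers such as "Registry Entries: 15" are skipped
        tag, body, status = m.group("tag"), m.group("body"), m.group("status")
        if " -- " in body:
            name, path = body.split(" -- ", 1)
            findings.append({"kind": "process", "tag": tag, "name": name, "path": path,
                             "status": status,
                             "mechanism": "masquerade: system-like filename run from a profile/temp directory"})
        elif " : " in body:
            key, value = body.split(" : ", 1)
            findings.append({"kind": "registry", "tag": tag, "key": key, "value": value,
                             "status": status, "mechanism": classify(tag, key, value)})
        else:
            # Lines the tool printed without a "key : value" pair (e.g. the odd FILEASSO line)
            findings.append({"kind": "registry", "tag": tag, "key": body, "value": "",
                             "status": status, "mechanism": classify(tag, body, "")})
    return findings


def summarize(findings):
    """Group findings by mechanism, preserving first-seen order."""
    by_mechanism = OrderedDict()
    for f in findings:
        by_mechanism.setdefault(f["mechanism"], []).append(f)
    return by_mechanism


def survives_offline_file_scan(findings):
    """Registry-only findings: a file scan of a slaved drive deletes binaries, not these keys."""
    return [f for f in findings if f["kind"] == "registry"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_LOG)
    for mechanism, items in summarize(found).items():
        print(f"{mechanism} ({len(items)})")
        for f in items:
            print("   ", f.get("path") or f.get("key"))
    print(f"\n{len(survives_offline_file_scan(found))} of {len(found)} findings are Registry-only "
          "and would remain after cleaning files on a slaved drive.")
```

Run as a script it prints the grouped view; the useful observation is the last line: in the quoted log only the three killed processes are files, while the Run key, the Winlogon `Shell` value, the `load` value, the proxy setting, the Security Center flags and the browser launch commands are all Registry data that an offline file scan never touches, which is exactly why the drive-slaving route leaves work behind.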

June 4, 2011 at 20:34:38
'Bottom line...very little is accomplished by slaving a drive to remove infections, these days.'
I tend to disagree on that. I have slaved many different drives at different times, removed the problems, and the HD boots right up....different strokes I presume...

Some HELP in posting on plus free progs and instructions Cheers


June 4, 2011 at 22:44:03

On the user account you just ran RogueKiller on, please run RogueKiller once again, and use option 2.
Please post the log that is produced.

If your shortcuts and files/folders of the desktop/start menu/etc. have disappeared, run RogueKiller one more time, and use option 6.
Also post the log produced.

Now, download Malwarebytes’ Anti-Malware (black button with green and white icon) Save to the Desktop:

Double-click mbam-setup.exe and follow the prompts to install the program. (For Vista or Windows 7, select: Run as Administrator)

Run Malwarebytes' Anti-Malware and update the program.
Once updated, select Perform Full Scan and click the scan button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the Remove Selected button to get rid of the malware.

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.

>>Please, also post the Malwarebytes log in your reply so we can see where we are at, and plan any additional removal strategy, if necessary.<<
