HELP! Something just took control of my computer and ITS NOT ME!!

[sasysusie]

I think i just watched my computer be taken over my something and its not a good something...I sent all the virus i could as fast as i could to the chest... but my comodo was adding things faster than i could even read them... now im getting all kids of alerts saying my computer is infected and wanting me to download things..I am not but i keep getting repeated messages and lots of ads. Also when i retart my computer (which I did) my main page is not the same and it has a message on it too that reads "warning: payware threat has been detected on your PC.  Your computer has several fatal errors due to spyware activity.  It is strongly recommended to install an antispyware to close all secrutiy vulnerabilitlies. Click here to scan your pc"  I did not intall any of it but thats what it says now on my main screen.. I maybe talking in circles now... What should I do..?  sorry i need your help again!
SasySusie

[sasysusie]

Just to let you know what im doing at this time... I am running SuperAntiSpyWare and ill post the results and then i will run a HJT and post those results as well..  any other things i should do for now let me know other wise ill post results here soon i get thru it!
Thanks
SasySusie

[Ghis1964]

Hi there!

Same thing here for a month now, it's my forth re-boot now(and the time frequency is shrinking fast, because instead of in between years, months or weeks, its now in days from one to an other re-boot).
I've only been invited to download anti-virus software for a couple of days now, and no, I was not heading for potentialy dangerous web-page, it just covered the actualy web-page with somekind flash like kind of apps to give the look that I was in the anti-virus invitation page(which has all the looks of a real secured web-page, though I don't think it is)

btw; I can't even find the history record of my browser being there(!!!!??!?!!!?!??!!!!)
And I cannot save favorites on IE nor add or change any of what was in my favorite's folder in the folder itself before this last re-boot, because I have not still try in this new re-boot, I wanna find whats wrong before adding anything this time. And if I add anything, it will be one by one, untill I find if it's in whichever one of my apps.


And I was heading, to avast tonight, to find a place where I could drop my avast's anti-virus scan report here, because I firstly intended to leave this avast email, but I can't find it.

So here it is; Why can't avast anti-virus and also avast virus cleaner tool can't read these files???
(and it doesn't even give me the full path)

avast! Virus Cleaner Tool - version 1.0.211 Unicode

Creating log file: C:\Users\IamThatIam\Downloads\Dowloads\Software\Avast\asw7337.log

07/06/2008, 10:12:19 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (89.8s).
----------
Files scanning started...
C:\Boot\BCD... file could not be scanned!
C:\Boot\BCD.LOG... file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log... file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log... file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb... file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb... file could not be scanned!
C:\Users\IamThatIam\ntuser.dat.LOG1... file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1... file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Defender\FileTracker\{60688DA3-9260-4B17-A071-FE0537DBEABE}... file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Live Mail\edb.log... file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Live Mail\Mail.MSMessageStore... file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Live Mail\tmp.edb... file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1... file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat... file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat... file could not be scanned!
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1... file could not be scanned!
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0... file could not be scanned!
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0... file could not be scanned!
C:\Windows\System32\catroot2\edb.log... file could not be scanned!
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb... file could not be scanned!
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb... file could not be scanned!
C:\Windows\System32\config\COMPONENTS.LOG1... file could not be scanned!
C:\Windows\System32\config\DEFAULT.LOG1... file could not be scanned!
C:\Windows\System32\config\SAM.LOG1... file could not be scanned!
C:\Windows\System32\config\SECURITY.LOG1... file could not be scanned!
C:\Windows\System32\config\SOFTWARE.LOG1... file could not be scanned!
C:\Windows\System32\config\SYSTEM.LOG1... file could not be scanned!
C:\Windows\System32\config\RegBack\COMPONENTS... file could not be scanned!
C:\Windows\System32\config\RegBack\DEFAULT... file could not be scanned!
C:\Windows\System32\config\RegBack\SAM... file could not be scanned!
C:\Windows\System32\config\RegBack\SECURITY... file could not be scanned!
C:\Windows\System32\config\RegBack\SOFTWARE... file could not be scanned!
C:\Windows\System32\config\RegBack\SYSTEM... file could not be scanned!
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT... file could not be scanned!
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1... file could not be scanned!
No virus body found.
Files scanning finished  (71916 files, 0 infected, 503.8s).
Drives scanned: C:
----------

[robbscitechphil]

maybe your computer was infiltrated by script viruses and rootkits which sometimes cannot be detected by avast 4.8. tip is to boot your os to safe mode and restore points. if that will not work, format your os and install a new version of avast1

[sasysusie]

Ghis...Im sorry you are having these problems but I was hoping to get help here myself ... I can't really help you..so sorry! Did you have an earlier post you were wanting to drop that log into??? If not you might want to start a topic yourself and see if someone here can help you.
Susie

[FreewheelinFrank]

Please run though the standard routines and see if that helps.

Try a boot time scan with avast! Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.

Try a scan with DrWeb CureIT!

Try the usual free adware/spyware scanners.

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free

Scamware/foistware remover:

RogueRemover FREE

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.

Try some online scans. (Disable avast! while scanning.)

F-Secure
BitDefender
Trend Micro Housecall
ESET Online Scanner

If still having problems, post a HijackThis! log.

[sasysusie]

I REALLY NEED SOME HELP... I CAN BARELY TYPE ITS MOVING THAT SLOW.  I RAN THE SUPERANTISPYWARE AND IT FOUND ABOUT 140 THINGS I  QUARANTEENED ALL OF THEM BUT THEN IT WOULD NOT LET ME RESTART MY COMPUTER I KNOW SEVERAL INVOLVED MY REGISTTRY.  THE ONLY WAY I WAS ABLE TO GET THE COMPUTER TO RESTART IS WHEN I TRIED TO RESTORE MY COMPUUTER TO AN EARLIER DATE.. WHEN IT CAME BACK ON TO TELL ME IT COULD NOT RESTORE TO AN EARLIER DATE IT THEN REPOPENED.  I CANNNOT SEEM TO GET THE LOG FROM SUPERANTISPYWARE TO POST HERE.  ALSO WHEN I TRIED JUST NOW TO RUN HJT I GORT A MESSAGE FROM COMODO THAT READ "WHIJACKTHIS.EXE IS TRYING TO MODIFY A PROTECED FILE OR REDIRECTING.. DO I ALOOW THIS??? PLEASE SOMEONE HELP.. I REALLY HAVE A BAD ONE THIS TIME..THE WORSE IVE EVER HAD... I NEED AN EXPERT!!!
IT TOOK OVER 20 MINS FOR THE THINGS I JUST TYPED TO APPEAR ON THE SCREEN.. EXCURE THE ERRORS BUT ITS HARD TO CORREC T WHEN YOU CAN'T EVEN SEE WHAT YOU JUST TYPED.
THANK YOU
A DESPERATE SASYSUSIE

[Lisandro]

sasysusie, you know the protocol... no CAPS...

[oldman]

Hi sasy. As Tech said, you know the protocol 

Where's the HJT log you where going to post?

And

Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.[/color]
  
  -----------------------------------------------------------

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
  
• When finished, it will produce a report for you. 
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[sasysusie]

iM  sorry i guess i did not know the no cap im vrey sorry.. i was lucky to type here at all since im in a strangle hold. It takes about 10 mins for my typing to appear here.. here is the hijack lof it looks longggg!
thank you
Sasy

[sasysusie]

Wow, such an improvement.. i can acutally type and it appears as i type! ok Olman here is the combo fix log and a new hijackthis log as ordered... Thank you again for your help... I would do it myself if i onlu knew how to! Thank you
Susie

[oldman]

Hi sasy. You posted the HJT log twice, no combofix log. I really need that one.

[sasysusie]

Ugh soo typical of me!  Here it is..i guess i left it behind! 

[oldman]

Hi sasy. No problem. Let me know how it's going after you do this next fix.

Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

KillAll::

File::
C:\WINDOWS\444.470
C:\WINDOWS\system32\105772
C:\Temp\ndcdll2.exe
C:\WINDOWS\444.0
C:\WINDOWS\system32\expo\mtcon66225.exe.dll
C:\Program Files\QdrModule\QdrModule17.exe

Folder::
C:\WINDOWS\system32\xrem
C:\Program Files\QdrModule
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\btz
C:\WINDOWS\444.470
C:\WINDOWS\system32\105772
C:\WINDOWS\444.0

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**




Open HJT, run a system scan only, check mark these lines if present


R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {7564A330-6676-4076-9C2F-6F052C4D8A6A} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"

Close all other browsers/windows, click fix checked, close HJT.

Reboot if you had to fix anything with HJT. Then get a new HJT log to post along with the combofix log.

[sasysusie]

Ok did my work for you and i am will be attaching BOTH logs this time you asked for.  Ok 2 things i noticed upon the reboot.. well 3.... right at the beginning after the reboot as things were opening back up on my screen in the upper left of my screen a very tiny box appeared for maybe not even a second, so fast i could not read it even..but that is not usual. 2nd i have lost my Avast Ball in the lower right of my computer on the tack bar.. so im worried it is still not abled since i diabled it to run all the scans. 3rd.... my wallpaper that i now have on my screen is different looking than it was before the virus. Please let me know what you think of all that and how the scans are looking now.
Thank you for taking your time with me it is soo appreciated.
Sasy