HELP! Something just took control of my computer and IT'S NOT ME!!

I think I just watched my computer be taken over by something, and it's not a good something… I sent all the viruses I could, as fast as I could, to the chest… but my Comodo was adding things faster than I could even read them… Now I'm getting all kinds of alerts saying my computer is infected and wanting me to download things… I am not, but I keep getting repeated messages and lots of ads. Also, when I restart my computer (which I did), my main page is not the same and it has a message on it too that reads “Warning: spyware threat has been detected on your PC. Your computer has several fatal errors due to spyware activity. It is strongly recommended to install an antispyware to close all security vulnerabilities. Click here to scan your PC.” I did not install any of it, but that's what it says now on my main screen… I may be talking in circles now… What should I do…? Sorry, I need your help again!
SasySusie

Just to let you know what I'm doing at this time… I am running SUPERAntiSpyware and I'll post the results, and then I will run HJT and post those results as well… If there are any other things I should do for now, let me know; otherwise I'll post results here as soon as I get through it!
Thanks
SasySusie

Hi there!

Same thing here for a month now; it's my fourth reboot now (and the time between them is shrinking fast, because instead of years, months or weeks apart, it's now days from one reboot to another).
I've only been invited to download anti-virus software for a couple of days now, and no, I was not heading for a potentially dangerous web page; it just covered the actual web page with some kind of Flash-like app to give the look that I was on the anti-virus invitation page (which has all the looks of a real secured web page, though I don't think it is).

BTW, I can't even find the history record of my browser being there (!!!)
And I cannot save favorites in IE, nor add or change any of what was in my favorites folder in the folder itself before this last reboot, because I have not tried yet in this new reboot; I want to find what's wrong before adding anything this time. And if I add anything, it will be one by one, until I find whether it's in whichever one of my apps.

And I was heading to avast tonight to find a place where I could drop my avast anti-virus scan report here, because I firstly intended to leave this avast email, but I can't find it.

So here it is: why can't avast anti-virus, and also the avast Virus Cleaner tool, read these files???
(and it doesn't even give me the full path)

avast! Virus Cleaner Tool - version 1.0.211 Unicode

Creating log file: C:\Users\IamThatIam\Downloads\Dowloads\Software\Avast\asw7337.log

07/06/2008, 10:12:19 PM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (89.8s).

Files scanning started…
C:\Boot\BCD… file could not be scanned!
C:\Boot\BCD.LOG… file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log… file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log… file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb… file could not be scanned!
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb… file could not be scanned!
C:\Users\IamThatIam\ntuser.dat.LOG1… file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1… file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Defender\FileTracker{60688DA3-9260-4B17-A071-FE0537DBEABE}… file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Live Mail\edb.log… file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Live Mail\Mail.MSMessageStore… file could not be scanned!
C:\Users\IamThatIam\AppData\Local\Microsoft\Windows Live Mail\tmp.edb… file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1… file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat… file could not be scanned!
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat… file could not be scanned!
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1… file could not be scanned!
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0… file could not be scanned!
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0… file could not be scanned!
C:\Windows\System32\catroot2\edb.log… file could not be scanned!
C:\Windows\System32\catroot2{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb… file could not be scanned!
C:\Windows\System32\catroot2{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb… file could not be scanned!
C:\Windows\System32\config\COMPONENTS.LOG1… file could not be scanned!
C:\Windows\System32\config\DEFAULT.LOG1… file could not be scanned!
C:\Windows\System32\config\SAM.LOG1… file could not be scanned!
C:\Windows\System32\config\SECURITY.LOG1… file could not be scanned!
C:\Windows\System32\config\SOFTWARE.LOG1… file could not be scanned!
C:\Windows\System32\config\SYSTEM.LOG1… file could not be scanned!
C:\Windows\System32\config\RegBack\COMPONENTS… file could not be scanned!
C:\Windows\System32\config\RegBack\DEFAULT… file could not be scanned!
C:\Windows\System32\config\RegBack\SAM… file could not be scanned!
C:\Windows\System32\config\RegBack\SECURITY… file could not be scanned!
C:\Windows\System32\config\RegBack\SOFTWARE… file could not be scanned!
C:\Windows\System32\config\RegBack\SYSTEM… file could not be scanned!
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT… file could not be scanned!
C:\Windows\System32\SMI\Store\Machine\schema.dat.LOG1… file could not be scanned!
No virus body found.
Files scanning finished (71916 files, 0 infected, 503.8s).
Drives scanned: C:

Maybe your computer was infiltrated by script viruses and rootkits, which sometimes cannot be detected by avast 4.8. The tip is to boot your OS into safe mode and use restore points. If that does not work, format your OS and install a new version of avast!

Ghis… I'm sorry you are having these problems, but I was hoping to get help here myself… I can't really help you… so sorry! Did you have an earlier post you were wanting to drop that log into??? If not, you might want to start a topic yourself and see if someone here can help you.
Susie

Please run through the standard routines and see if that helps.

Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

Try a scan with DrWeb CureIT!

Try the usual free adware/spyware scanners.

Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free

Scamware/foistware remover:

RogueRemover FREE

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

Try some online scans. (Disable avast! while scanning.)

F-Secure
BitDefender
Trend Micro Housecall
ESET Online Scanner

If still having problems, post a HijackThis! log.

I REALLY NEED SOME HELP… I CAN BARELY TYPE, IT'S MOVING THAT SLOW. I RAN THE SUPERANTISPYWARE AND IT FOUND ABOUT 140 THINGS. I QUARANTINED ALL OF THEM, BUT THEN IT WOULD NOT LET ME RESTART MY COMPUTER. I KNOW SEVERAL INVOLVED MY REGISTRY. THE ONLY WAY I WAS ABLE TO GET THE COMPUTER TO RESTART IS WHEN I TRIED TO RESTORE MY COMPUTER TO AN EARLIER DATE… WHEN IT CAME BACK ON TO TELL ME IT COULD NOT RESTORE TO AN EARLIER DATE, IT THEN REOPENED. I CANNOT SEEM TO GET THE LOG FROM SUPERANTISPYWARE TO POST HERE. ALSO, WHEN I TRIED JUST NOW TO RUN HJT I GOT A MESSAGE FROM COMODO THAT READ "HIJACKTHIS.EXE IS TRYING TO MODIFY A PROTECTED FILE OR REDIRECTING… DO I ALLOW THIS???" PLEASE SOMEONE HELP… I REALLY HAVE A BAD ONE THIS TIME… THE WORST I'VE EVER HAD… I NEED AN EXPERT!!!
IT TOOK OVER 20 MINS FOR THE THINGS I JUST TYPED TO APPEAR ON THE SCREEN… EXCUSE THE ERRORS, BUT IT'S HARD TO CORRECT WHEN YOU CAN'T EVEN SEE WHAT YOU JUST TYPED.
THANK YOU
A DESPERATE SASYSUSIE

sasysusie, you know the protocol… no CAPS…

Hi sasy. As Tech said, you know the protocol :wink:

Where's the HJT log you were going to post?

And

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

I'm sorry, I guess I did not know about the no caps; I'm very sorry… I was lucky to type here at all since I'm in a stranglehold. It takes about 10 mins for my typing to appear here… Here is the HijackThis log; it looks longggg!
thank you
Sasy

Wow, such an improvement… I can actually type and it appears as I type! OK Olman, here is the ComboFix log and a new HijackThis log as ordered… Thank you again for your help… I would do it myself if I only knew how to! Thank you
Susie

Hi sasy. You posted the HJT log twice, no combofix log. I really need that one.

Ugh, so typical of me! Here it is… I guess I left it behind!

Hi sasy. No problem. Let me know how it’s going after you do this next fix.

Please follow all previous instructions regarding security programs.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

KillAll::

File::
C:\WINDOWS\444.470
C:\WINDOWS\system32\105772
C:\Temp\ndcdll2.exe
C:\WINDOWS\444.0
C:\WINDOWS\system32\expo\mtcon66225.exe.dll
C:\Program Files\QdrModule\QdrModule17.exe

Folder::
C:\WINDOWS\system32\xrem
C:\Program Files\QdrModule
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\inet2
C:\WINDOWS\system32\expo
C:\WINDOWS\system32\btz
C:\WINDOWS\444.470
C:\WINDOWS\system32\105772
C:\WINDOWS\444.0

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Open HJT, run a system scan only, and check mark these lines if present:

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {7564A330-6676-4076-9C2F-6F052C4D8A6A} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU..\Run: [QdrModule17] “C:\Program Files\QdrModule\QdrModule17.exe”

Close all other browsers/windows, click fix checked, close HJT.

Reboot if you had to fix anything with HJT. Then get a new HJT log to post along with the combofix log.
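As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python parser for HJT log lines like the ones ticked above: it flags registrations whose DLL is absent ("(no file)" / "(file missing)") and matches the remaining entries against the folders named in the CFscript's Folder:: section. The Adobe BHO line in the sample is a constructed benign entry, included so the filter has something it should not pick.

```python
import re

# HJT log lines quoted from the thread above, plus one constructed benign
# BHO entry (the Adobe line) so the filter has something it should NOT flag.
SAMPLE_LOG_LINES = [
    r"R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file",
    r"O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)",
    r"O2 - BHO: (no name) - {7564A330-6676-4076-9C2F-6F052C4D8A6A} - \C:\WINDOWS\system32\expo\mtcon66225.exe.dll (file missing)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",  # constructed
    r"O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)",
    r'O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"',
]

# Folders the helper told ComboFix to remove (Folder:: section of the CFscript above).
REMOVED_FOLDERS = [r"C:\WINDOWS\system32\expo", r"C:\Program Files\QdrModule"]

# Every HJT entry has the shape "Rn - Kind: rest" or "On - Kind: rest";
# for O4 the "Kind" field carries the registry hive and key (HKCU\..\Run).
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
# "(no file" without the closing paren also matches the truncated R3 line.
ORPHAN_MARKERS = ("(no file", "(file missing)")


def parse_entry(line):
    """Return a dict for one HJT line, or None if the line is not an HJT entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    clsid = CLSID_RE.search(rest)
    run_name = RUN_NAME_RE.search(rest) if m.group("section") == "O4" else None
    return {
        "section": m.group("section"),
        "kind": m.group("kind"),
        "clsid": clsid.group(0).lower() if clsid else None,
        "run_name": run_name.group("name") if run_name else None,
        # A BHO/toolbar/hook still registered but with its DLL gone is a dead
        # registration left behind by whatever was already removed.
        "orphan": any(marker in rest for marker in ORPHAN_MARKERS),
        "raw": line.strip(),
    }


def parse_log(lines):
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def orphaned_entries(entries):
    return [e for e in entries if e["orphan"]]


def entries_under_folders(entries, folders):
    """Entries referencing a path inside one of the given folders (case-insensitive)."""
    prefixes = [f.lower().rstrip("\\") + "\\" for f in folders]
    return [e for e in entries if any(p in e["raw"].lower() for p in prefixes)]


def fix_list(lines, folders):
    """Lines a helper would tick in HJT: orphans plus anything under the removed folders."""
    entries = parse_log(lines)
    picked = {e["raw"] for e in orphaned_entries(entries)}
    picked |= {e["raw"] for e in entries_under_folders(entries, folders)}
    return [e["raw"] for e in entries if e["raw"] in picked]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG_LINES, REMOVED_FOLDERS):
        print(line)
```

Running it prints the five lines the helper listed for fixing and leaves the constructed Adobe entry alone.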

OK, did my work for you and I will be attaching BOTH logs this time that you asked for. OK, 2 things I noticed upon the reboot… well, 3… Right at the beginning after the reboot, as things were opening back up on my screen, in the upper left of my screen a very tiny box appeared for maybe not even a second, so fast I could not even read it… but that is not usual. 2nd, I have lost my avast ball in the lower right of my computer on the task bar… so I'm worried it is still not enabled since I disabled it to run all the scans. 3rd… my wallpaper that I now have on my screen is different looking than it was before the virus. Please let me know what you think of all that and how the scans are looking now.
Thank you for taking your time with me; it is so appreciated.
Sasy

Hi, let’s deal with this one at a time.

The icon disappearing seems to be quite common after using combofix. Usually a repair of avast fixes it.

Go to add/remove programs, click on avast
Click uninstall/remove
On the next screen, scroll down to repair
Click repair.

You may have to reboot. Let me know if the icon is back.

BTW, avast is running.

I don’t know what the small box that appears in the upper left corner is. You will have to try to catch it if it appears again.

Describe your desktop. What is different? Right click on a blank portion of your desktop and click properties. On the screen that appears is Windows XP selected?

Next, click the start button, click run

In the run box that appears, copy and paste the following lines, one at a time, hitting enter after each:

sc stop fipss
sc delete fipss

Answer these and we will carry on.

Sorry I was late getting to the computer tonight. OK, I will try to answer these one at a time and without going around too big a bush… which is not easy for me!

I did the repair on avast and yes the icon is back :slight_smile:

As for the small box… it's more like a window that is opening, but it's just a very small rectangular size and it's only like a tiny piece of the top tool bar of it… It appears for only a portion of a second, so fast that even when I'm looking right there for it I cannot read any portion of it or grab it. It seems to me that I had that same thing back when I had that granddaddy of all Trojans hiding way away in my computer, but I could be mistaken.

OK, thirdly, as for my main screen looking different… well, it looks the same as it always used to now… The screen itself had the picture we were using as wallpaper, but it was in stretch mode instead of centered like it was before the whole virus hit. My daughter came along today without really knowing all that had been going on with the computer and changed the picture back to centered, so now my screen looks like it did before the virus. So actually, when I right click on Windows, since my daughter has a picture for our background screen, it does not read Windows XP, it reads Windows Classic modified.

I did this next step… In the run box that appears, copy and paste the following lines, one at a time, hitting enter after each:
sc stop fipss
sc delete fipss
So with that step being complete as well, I think I am up to where you wanted me to be, and I hope I answered all the questions you had for me.

You are a treasure, and ty again for all your time.
Susie

Hi
All right. I think the icon issue and the desktop issue are resolved. Windows XP is the default, but if you are using classic, that’s fine. Just as long as it has returned to normal.

Let’s see if there are any stragglers.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Note: your computer may boot a little slower the first couple of times after using ATF.

Please download Malwarebytes’ Anti-Malware from Here or Here

• Double Click mbam-setup.exe to install the application.
• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select “Perform Quick Scan”, then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Hi… OK, this next checklist is complete… Ran the ATF Cleaner and did the Malwarebytes and have attached that log.
Let me know how you think things are looking… The computer seems to be running much happier. I honestly do not know how I could have done this to my computer again. I have my avast and I am using Comodo. All I know is I am so grateful for your help. You are truly amazing!
Thanks
Susie

Hi sasy. The time/date of the files/folders we removed would indicate some of this came from a utorrent download.

Keep malwarebytes and use it as a backup on demand scanner.

  1. Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

  2. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create

  3. Remove old restore points
  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  4. Go to http://java.sun.com/javase/downloads/index.jsp

Scroll down to “Java Runtime Environment (JRE) 6 Update 6…allows end-users to run Java applications”.
Click the download button on the right.

If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

Select the platform (Windows, in your case), multi language.
Accept the license agreement, click continue.

You do not have to install the Java Web Start ActiveX Control

Scroll down and click on Windows Offline Installation,
Save the file jre-6u6-windows-i586-p.exe to your desktop;
Do not select Run. Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs:

Uninstall the old versions of Sun Java, Java JRE, or similar.
Do not uninstall Java TM 6 Update 6 if found!

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found.
Delete any subfolders it may contain.

Do NOT delete jre1.6.0_06 if found!
Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  5. You should also uninstall Adobe Reader 6 and replace it with version 8.1.2. Instructions can be found here.
    http://kb.adobe.com/selfservice/viewContent.do?externalId=327675

Be sure to move any documents you have saved in Program Files\Adobe\Acrobat 6.0\Reader to another folder before you uninstall the program

Download the new version from http://www.adobe.com/go/getreader

The google tool bar is optional, uncheck it if you don't want it.

  6. I think you should add a resident antispyware scanner to your defences. Use either of these

Winpatrol
Windows Defender

  7. Maybe even consider SpywareBlaster to help immunize your computer. It will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Take care and keep safe.