The virus appears as the "Antivirus XP 2008" (I do not have XP 2008). Very likely just a show front knock off for a virus that is trying to mimic XP.
I hope the following will tip you off as to what it really is and the proper course of action:
It changed the background to the blue death screen color but I can see desktop icons. There is a warning dead center in a yellow box that says: "warning, spyware detected on your computer", then goes to death blue in a box (white border): "install antivirus software or spyware remover to clean your computer."
It wants me to buy its software and basically has taken over my computer as a result. It is non stop trying to change my registry "eqvwamkl" like every 3 to 5 seconds. Spybot is blocking it.
I can NOT run Spybot. It will not let me.
I did however run Ad-Aware SE and it removed 3 critical things, however it made no difference.
I did run Norton system scan, it removed 1 virus. Made no difference. Norton has blocked at least two of the Pandex trojan from being downloaded.
I tried to uninstall the Antivirus XP 2008. It is listed as "AntivirXP08" programfiles\rhc1h1j0e38c\ and Win can not remove it.
It has also removed from my desktop Word, Outlook, Spybot, HJT, Deckards, ZoneATF or whatever it is called + 2 other icons from desktop. This virus is specifically hitting my programs to prevent such an attack.
Adware.CWSIEFeats was also blocked in addition to the Pandex.
nfavxwdbgfw.dll was just tried to be added too
It has changed tool bars too.
OK, so how do I get rid of this virus?
Thank you
Alan
PS This virus is hijacking/redirecting the IE pages when I try to reload deckard, etc., so not sure how successful I will be.
edit: I just lost my tool bars, meaning start menu, and all desktop icons, etc.. So could get interesting as this IE window to this site is the last thing left that I see right now. I'll be shutting off computer now, if I can not get back on, I'll go to library to check this site for instructions. Thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07: VIRUS ALERT!, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.
Double click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select 'Perform Quick Scan', then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Post the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Then please post a Deckard's System scanner log.
Please download Deckard's System Scanner (dss.exe) and save it to your Desktop. Note: You must be logged onto an account with administrator privileges to complete the following.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.
Please post the “main.txt” log only for now, and the MBAM log.
No can do. As I mentioned already, it redirects to their website. I need a full address that I can cut and paste, otherwise ANY link redirects me to their virus website. This goes for the malware and deckards. Any link it'll do a redirect.
Also it appears I lost Word and Outlook, not just the icons, but they are NOT listed in the programs directory nor when I looked at the add/change Win programs, it is not listed there either. I hope there is a way to recover them. Edit: Well Word is still there as it opened up a doc. Not sure how to get Outlook working though.
Edit: Is this the site for MBAM? http://www.besttechie.net/tools/mbam-setup.exe I can not even get it to come up with a cut and paste. I even tried to save to favorites, and then open it up, no dice. ONLY preexisting favorites websites like this one will come up, it redirects, but I can click back and the correct site comes up.
Hi h2ofwlr
If you don't have another computer where you can download and then transfer MBAM set up then...
Let's try it this way and see if you can get it.
Reboot into safe mode with Networking.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode with Networking.
Geri, the site will not come up. I did as you said. C&P and typed in, I can not get IE to make it come up, I get "can not display web page". This goes for ANY new webpage.
This is one serious virus, worst I've ever dealt with in last 10 years.
It even has removed the link to C drive off of the "my computer".
Where is TM located? I looked in the start menu and program menu, it is not there. I have not used it, so don't know where it should be to begin with.
While looking around for TM I just noticed under settings all there is now is "task bar and start menu"--which is the virus BS. Not the normal ones and everything else is vanished.
Whoever wrote this virus program did one thorough job of closing all the right areas where one could normally remedy a virus.
Highlight and copy the contents of the code box below.
Code:
' Fetch ComboFix.exe over HTTP (synchronous request)
Dim BinaryData
Dim xml
set xml = CreateObject("Microsoft.XMLHTTP")
xml.Open "GET","http://download.bleepingcomputer.com/sUBs/ComboFix.exe",False
xml.Send
BinaryData = xml.ResponseBody
' Write the downloaded bytes to ComboFix.exe in the current folder
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim BinaryStream
set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.Write BinaryData
BinaryStream.SaveToFile "ComboFix.exe", adSaveCreateOverWrite
' The shell object is created but the Run call is left commented out
Dim WshShell
set WshShell = CreateObject("WScript.Shell")
'WshShell.Run "cnt.pl", 0, false
Now paste the copied text into the blank notepad.
Close and Save
Save it to the Desktop as;
Filename: get_file.vbs
Save as type: All Files (*.*)
If the file is visible on your desktop, double click it, otherwise click File>New Task, then click Browse.
Navigate to your desktop, select get_file.vbs and click OK.
A file named ComboFix.exe should appear on the desktop shortly.
Run it and allow it to reboot if/when prompted.
Upon restart it will continue to run. Wait for it to complete and a log to open, then post the log back here.
If it launches a file download box, click Run and see if both the vbs file and FomboCix.exe (ComboFix renamed) appear on your desktop. (vbs is named download_file.vbs in this package)
I get to the point where I save the verbiage that you said to on the notepad. But when I try to save it--the notepad disappears, tried 3 times.
As for the noahfear.net link, yes I got it to run but got this:
Windows script host.
Script: c:\documents and settings\Alan\desktop\download_file.vbs
Line: 5
Char: 1
Error: The system can not locate the resource specified.
Code: 8000c0005
Source: msxml3.dll
I do not think that is what you wanted to happen...
It will not let me do that to desktop. Any new URL comes up as an error. Whenever I click a url or try to save it, it will not let me do so. Thus far any new url it will do a redirect to one of their websites to buy their bogus software.
Unless you are meaning saving it in a way I misunderstand and am not doing as you think I am. Possibly be on the safe side and be redundant so I am doing exactly what you want me to be doing.
I even tried a "save target as" I keep getting a "connection to server could not be established".
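The download script posted earlier in this thread stops at xml.Send with an msxml3.dll error on the infected machine, and because pages here are being redirected, a fetch that does complete may return a web page instead of the installer. The script below is an added example, not part of the original thread or from any of its posters: it makes the same download but reports a failed request and refuses to save a response that is not a Windows executable. The function name LooksLikeExe is an assumption introduced for illustration.

```vbscript
' Added example (not from the thread): same download as get_file.vbs, with
' error reporting and a check that the response is an executable, not a web page.
Option Explicit
Const URL = "http://download.bleepingcomputer.com/sUBs/ComboFix.exe"
Const OUT_FILE = "ComboFix.exe"
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2

Dim xml, body, stream
Set xml = CreateObject("Microsoft.XMLHTTP")
xml.Open "GET", URL, False

' xml.Send raises a run-time error when the host cannot be reached,
' which is what the "Line: 5" message box in the thread reports.
On Error Resume Next
xml.Send
If Err.Number <> 0 Then
    WScript.Echo "Request failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

If xml.Status <> 200 Then
    WScript.Echo "Server answered HTTP " & xml.Status & "; nothing saved."
    WScript.Quit 1
End If

body = xml.ResponseBody
If Not LooksLikeExe(body) Then
    WScript.Echo "Response is not an executable (possibly a redirect page); nothing saved."
    WScript.Quit 1
End If

Set stream = CreateObject("ADODB.Stream")
stream.Type = adTypeBinary
stream.Open
stream.Write body
stream.SaveToFile OUT_FILE, adSaveCreateOverWrite
stream.Close
WScript.Echo "Saved " & OUT_FILE & " (" & LenB(body) & " bytes)."

' Hypothetical helper: Windows executables begin with the bytes "MZ" (0x4D 0x5A).
Function LooksLikeExe(data)
    LooksLikeExe = False
    If LenB(data) < 2 Then Exit Function
    LooksLikeExe = (AscB(MidB(data, 1, 1)) = &H4D And AscB(MidB(data, 2, 1)) = &H5A)
End Function
```

The MZ check only rejects a web page served in place of the download; it does not prove the file is the genuine installer.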