
Virus has taken over my computer, I need help

Discussion in 'Malware and Virus Removal Archive' started by h2ofwlr, 2008/07/24.

  1. 2008/07/24
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    The virus appears as "Antivirus XP 2008" (I do not have XP 2008). Very likely just a show-front knock-off for a virus that is trying to mimic XP.

    I hope the following will tip off you as to what it really is and proper course of action:

    It changed the background to the blue death screen color, but I can see desktop icons. There is a warning dead center in a yellow box that says: "warning, spyware detected on your computer", then goes to death blue in a box (white border): "install antivirus software or spyware remover to clean your computer."

    It wants me to buy its software and basically has taken over my computer as a result. It is non-stop trying to change my registry ("eqvwamkl"), like every 3 to 5 seconds; Spybot is blocking it.

    I can NOT run Spybot. It will not let me.

    I did however run Ad-Aware SE and it removed 3 critical things; however, it made no difference.

    I did run a Norton system scan; it removed 1 virus. Made no difference. Norton has blocked at least two of the Pandex trojan from being downloaded.

    I tried to uninstall the Antivirus XP 2008. It is listed as "AntivirXP08" (programfiles\rhc1h1j0e38c\) and Win can not remove it.

    It has also removed from my desktop Word, Outlook, Spybot, HJT, Deckards, ZoneATF or whatever it is called + 2 other icons from desktop. This virus is specifically hitting my programs to prevent such an attack.

    Adware.CWSIEFeats was also blocked, in addition to the Pandex.

    It also just tried to add nfavxwdbgfw.dll.

    It has changed tool bars too.

    OK, so how do I get rid of this virus?

    Thank you

    Alan


    PS This virus is hijacking/redirecting the IE pages when I try to reload Deckard, etc., so not sure how successful I will be.

    edit: I just lost my tool bars, meaning start menu, and all desktop icons, etc. So could get interesting, as this IE window to this site is the last thing left that I see right now. I'll be shutting off the computer now; if I can not get back on, I'll go to the library to check this site for instructions. Thanks
     
    Last edited: 2008/07/24
  2. 2008/07/24
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:07: VIRUS ALERT!, on 7/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\rhc1h1j0e38c\rhc1h1j0e38c.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\WINDOWS\system32\pphc5h1j0e38c.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refugeforums.com/refuge/forumdisplay.php?f=33
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O3 - Toolbar: fdkowvbp - {4BFE09E6-C0C4-4F43-9972-EF6747259D82} - C:\WINDOWS\fdkowvbp.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098788063468
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/KimberlyClark/Coupons.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O21 - SSODL: eqvwamkl - {53404171-2203-46C3-8A02-184B17F503C9} - C:\WINDOWS\eqvwamkl.dll
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Alan/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

    --
    End of file - 12194 bytes
     


  4. 2008/07/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi h2ofwlr

    Please do this.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Then please post a Deckard's System scanner log.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now, and the MBAM log.

    Thanks
    Geri
     
  5. 2008/07/24
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    No can do. As I mentioned already, it redirects to their website. I need a full address that I can cut and paste; otherwise ANY link redirects me to their virus website. This goes for the malware and Deckard's. Any link, it'll do a redirect.

    Also it appears I lost Word and Outlook, not just the icons: they are NOT listed in the programs directory, nor when I looked at the add/change Win programs, it is not listed there either. :eek: I hope there is a way to recover them. Edit: Well, Word is still there as it opened up a doc. Not sure how to get Outlook working though.

    Edit: Is this the site for MBAM? http://www.besttechie.net/tools/mbam-setup.exe I can not even get it to come up with a cut and paste. I even tried to save it to favorites, and then open it up; no dice. ONLY preexisting favorites websites like this one will come up: it redirects, but I can click back and the correct site comes up.

    BTW this is the site it keeps redirecting me to: hxxp://virusremover2008.com/2009/5/...p_279349367&mt_info=3793_0_22980:3788_0_24698

    So what do I do now???
     
    Last edited: 2008/07/24
  6. 2008/07/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi h2ofwlr
    If you don't have another computer where you can download and then transfer the MBAM setup, then...

    Let's try it this way and see if you can get it.

    Reboot into safe mode with Networking.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode with Networking.

    Then open a browser and type in this address.
    Just download it to your Desktop, then close the browser. Don't want to be on-line if not needed in safe mode.

    Reboot back into normal windows.

    Then follow the instructions to install and run the program.

    Geri
     
  7. 2008/07/24
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Geri, the site will not come up. I did as you said. C&P and typed in, I can not get IE to make it come up; I get "can not display web page". This goes for ANY new webpage.

    This is one serious virus, worst I've ever dealt with in last 10 years.


    It even has removed the link to the C drive off of "my computer".

    :(


    help
     
    Last edited: 2008/07/24
  8. 2008/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Has Task Manager been disabled too?
    If it works, Click File>New Task and type notepad then hit Enter. Let me know if it opens.
     
  9. 2008/07/24
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Where is TM located? I looked in the start menu and program menu; it is not there. I have not used it, so don't know where it should be to begin with. :confused:

    While looking around for TM I just noticed under settings all there is now is "task bar and start menu", which is the virus BS. Not the normal ones, and everything else has vanished.

    Who ever wrote this virus program did one thorough job of closing all the right areas where one could normally remedy a virus.
     
    Last edited: 2008/07/24
  10. 2008/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Press the following 3 keys simultaneously.

    Ctrl Alt Delete

    If it's working, it will open.
     
  11. 2008/07/24
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Ahhh, that TM. Yes, it opened and I have it to NP. Now what do I do?
     
  12. 2008/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Highlight and copy the contents of the code box below.

    Code:

    ' Fetch ComboFix over HTTP with the MSXML HTTP object, then write the
    ' raw response body to disk through an ADODB binary stream.
    Dim BinaryData
    Dim xml
    Set xml = CreateObject("Microsoft.XMLHTTP")
    xml.Open "GET", "http://download.bleepingcomputer.com/sUBs/ComboFix.exe", False
    xml.Send
    BinaryData = xml.ResponseBody
    Const adTypeBinary = 1
    Const adSaveCreateOverWrite = 2
    Dim BinaryStream
    Set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.Type = adTypeBinary
    BinaryStream.Open
    BinaryStream.Write BinaryData
    ' Saved relative to the current directory, so run the script from the Desktop.
    BinaryStream.SaveToFile "ComboFix.exe", adSaveCreateOverWrite
    BinaryStream.Close
    Dim WshShell
    Set WshShell = CreateObject("WScript.Shell")
    'WshShell.Run "cnt.pl", 0, False

    Now paste the copied text into the blank notepad.
    Close and Save
    Save it to the Desktop as;

    Filename: get_file.vbs
    Save as type: All Files (*.*)


    If the file is visible on your desktop, double click it, otherwise click File>New Task, then click Browse.
    Navigate to your desktop, select get_file.vbs and click OK.

    A file named ComboFix.exe should appear on the desktop shortly.
    Run it and allow it to reboot if/when prompted.
    Upon restart it will continue to run. Wait for it to complete and a log to open, then post the log back here.
     
  13. 2008/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you'd like to quench my curiosity, click the following link. :D

    http://noahdfear.net/downloads/download_file.exe

    If it launches a file download box, click Run and see if both the vbs file and FomboCix.exe (ComboFix renamed) appear on your desktop. (vbs is named download_file.vbs in this package)
     
  14. 2008/07/25
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    I get to the point where I save the verbiage that you said to on the notepad. But when I try to save it, the notepad disappears; tried 3 times.


    As for the noahdfear.net link, yes I got it to run but got this:
    Windows script host.
    Script: c:\documents and settings\Alan\desktop\download_file.vbs
    Line: 5
    Char: 1
    Error: The system can not locate the resource specified.
    Code: 8000c0005
    Source: msxml3.dll


    I do not think that is what you wanted to happen...
     
    Last edited: 2008/07/25
  15. 2008/07/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  16. 2008/07/25
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    It will not let me do that to the desktop. Any new URL comes up as an error. Whenever I click a URL or try to save it, it will not let me do so. Thus far any new URL will do a redirect to one of their websites to buy their bogus software.

    Unless you mean saving it in a way I misunderstand and am not doing as you think I am. Possibly be on the safe side and be redundant so I am doing exactly what you want me to be doing.

    I even tried a "save target as"; I keep getting a "connection to server could not be established".
     
    Last edited: 2008/07/25
  17. 2008/07/25
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    I did a Norton full system scan in safe mode this AM, found nothing.

    So now what do I do?
     
  18. 2008/07/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi h2ofwlr
    If anyone can figure this out noahdfear can; he knows every dang thing. :rolleyes:


    In the meantime let's try this and see if you can get Combofix on your system.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O3 - Toolbar: fdkowvbp - {4BFE09E6-C0C4-4F43-9972-EF6747259D82} - C:\WINDOWS\fdkowvbp.dll
    O21 - SSODL: eqvwamkl - {53404171-2203-46C3-8A02-184B17F503C9} - C:\WINDOWS\eqvwamkl.dll
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Alan/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now go back to post # 14 and see if combofix will download.

    If it does run it as instructed before and post the log.

    Thanks
    Geri
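    As an added example (not code from this thread, from HijackThis or from any of the posters), here is a small Python triage script that parses HijackThis lines like the three Geri picked out above and explains why they stand out. The sample lines are copied from the log posted earlier in the thread (three suspicious, two benign for contrast); the scoring heuristics (pseudo-random names, a module sitting directly in the Windows directory, an SSODL entry, a desktop component pointing at a Temp file) are my own constructed rules of thumb, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: five lines copied from the HijackThis log posted
# earlier in this thread (three flagged by Geri, two benign for contrast).
SAMPLE_LOG = """\
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\\Program Files\\Common Files\\Symantec Shared\\coShared\\Browser\\1.5\\UIBHO.dll
O3 - Toolbar: fdkowvbp - {4BFE09E6-C0C4-4F43-9972-EF6747259D82} - C:\\WINDOWS\\fdkowvbp.dll
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O21 - SSODL: eqvwamkl - {53404171-2203-46C3-8A02-184B17F503C9} - C:\\WINDOWS\\eqvwamkl.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Alan/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
"""

LINE_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<rest>.+)$")
# "Kind: Name - {CLSID} - target" (O3, O9, O21 ...) and "Kind: Name - target" (O24 ...)
CLSID_FORM = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
PLAIN_FORM = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<target>.*)$")
RUN_FORM = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]+)\] (?P<target>.*)$")
# A module dropped straight into C:\WINDOWS (not system32 or a vendor folder).
WINDIR_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.(dll|exe)$", re.IGNORECASE)
NAME_RE = re.compile(r"^[a-z0-9]{8,}$")


@dataclass
class Entry:
    section: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into section, display name and target path/URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    if section == "O4":
        m4 = RUN_FORM.match(rest)
        return Entry(section, m4.group("name"), m4.group("target")) if m4 else Entry(section, rest, "")
    m3 = CLSID_FORM.match(rest) or PLAIN_FORM.match(rest)
    if not m3:
        return Entry(section, rest, "")
    return Entry(section, m3.group("name"), m3.group("target"))


def looks_random(name: str) -> bool:
    """Constructed heuristic: 8+ lowercase letters/digits with at most 25% vowels."""
    if not NAME_RE.match(name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) <= 0.25


def assess(entry: Entry) -> Entry:
    """Attach human-readable reasons an analyst would want to review the entry."""
    if looks_random(entry.name):
        entry.reasons.append("pseudo-random name")
    if WINDIR_ROOT_RE.match(entry.target):
        entry.reasons.append("module dropped directly in the Windows directory")
    if entry.section == "O21":
        entry.reasons.append("SSODL entry loads a DLL into Explorer at logon")
    if entry.section == "O24" and re.search(r"/temp/", entry.target, re.IGNORECASE):
        entry.reasons.append("desktop component points at a Temp file")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that collected at least one reason, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).reasons:
            findings.append(entry)
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r} -> {f.target}")
        for r in f.reasons:
            print("    -", r)


if __name__ == "__main__":
    main()
```

    Run it as-is and it reports exactly the three lines Geri asked to have fixed, with three reasons for eqvwamkl.dll, two for fdkowvbp.dll and one for the Temp-file desktop component; the Norton toolbar and the Synaptics Run entry pass through silently. The name heuristic is deliberately crude (a legitimate vendor name such as hpqtra08 from the same log would also trip it), so treat the output as a prompt for the kind of judgment the helpers apply in this thread, not as a verdict.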
     
  19. 2008/07/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I've tweaked the package I had you run last night to account for possible different versions of the XML parser, so let's give it another whirl if Geri's last instructions don't help. Click the following link, then click Run on the file download dialog.

    http://noahdfear.net/downloads/download_file.exe

    Wait a bit and see if ComboFix.exe appears on the desktop.

    If you still get an error, try copying and pasting each of the following commands in the New Task (Run) dialog and hit Enter after each.


    regsvr32 msxml.dll
    regsvr32 msxml2.dll
    regsvr32 msxml3.dll
    regsvr32 msxml4.dll
    regsvr32 msxml6.dll


    If you get a succeeded message on any of those, try running the download file again.
     
  20. 2008/07/25
    Michael York

    Michael York Inactive

    Joined:
    2007/11/02
    Messages:
    72
    Likes Received:
    3
    Hello h2ofwlr,

    This is Mike from the Norton Authorized Support Team responding to your posting. If you have not already done so, please manually run LiveUpdate to make sure that you have the latest program and definition files applied, then restart your computer and run a "Full System Scan."

    To manually remove the AntiVirusXP2008 infection please follow the steps in the following document:

    Symantec Instructions to remove AntiVirusXP2008 infection

    Thank you,
    Mike
     
  21. 2008/07/25
    h2ofwlr

    h2ofwlr Well-Known Member Thread Starter

    Joined:
    2005/01/17
    Messages:
    118
    Likes Received:
    0
    Ok, I removed 2 of the lines that Geri said to. The O21 line did not appear on the HJT list.

    It did not help. BTW, I still have an extra tool bar on IE with the BS antivirus remover stuff on it like remove pop ups, scan spyware, etc...



    Noah, I tried twice to run your new download. No dice; both times it said system error, could not find server.

    The first 4 listings all succeeded, but all 4 came up as "connection to server could not be established". BTW, it found no 6.dll.


    They have something that allows me to go to an existing site in my favorites and open up pages from an index, but any new site I try to connect to I get that server error, or a 404 type error on the webpage, or a redirect to their website that wants me to buy their antivirus XP 2008. But what is weird is I could save a bookmark of this post to my favorites, and it takes me right to it. It has been the only exception. I even tried saving the URL to a Word doc, and it will not let me save the Word doc.

    Ok so now what?
     
