Abebot and trojandownloader.xs problem

[a-train360]

Hi,
Below is a problem some others are having that I'm am having too. I was also getting a yellow warning banner under the google task bar saying""Warning possible spyware or adware infection. Click here to check for spyware or adware infection". I found a thread in yahoo answers which said run smitfrraudfix in safe mode, then run a scan from Superantispyware . This got rid off the yellow banner but I'm still getting the annoying popups and warnings stated below. I will run a hijackthis system scan and post the log at the bottom of this thread.
please help.....

I continually receive a red, white, and grey alert window ---
| Alert details: File - C:\WINDOWS\wml.exe
| Threat: Abebot
| "Possible Spyware infection has been detected on your computer by Security
| System."
| "To remove detected threat you need to update our PC-Antispyware protection."
| "Click here to visit PC-Antispyware website"(link)
| ----- |
| These boxes show up next, unshaded and "unclickable"
| Clean, Rename, & Delete
|
| Then another link
| Update PC-Antispyware protection and remove detected threats
| -----take me to same:
|| --------------
| Additionally, in the lower right hand corner I have a triangle icon states
| which automatically populates a message: "Your computer is infected with
| sypware! Windows has detected spyware infection on your PC. It is
| recommended that you update your antispyware protection to prevent data loss.
| Click here to download and
| install the most up-to-date antispyware for you. Click here for more
| information."

Also receiving...
|
| Window titled: System Integrity Scan Wizard
|
| Warning: Your computer may have critical errors in Windows registry and file
| system!
|
| The registry and file system errors lead to computer freezes; system crashes
| and slowdowns; corrumption of files and documents.
|
| Immediate system integrity scan and repair is strongly recommended.
|
| To scan your computer for errors please click the "next" button below.
|
| A small window appears after clicking "next" and then there is a window
| titled "Installer" -- PC Cleaner...Welcome to the Installer! This program
| will install PC-Cleaner on your PC. By clicking the continue button below
| you are accepting our Terms and conditions.

| I have attached my hijackthis log.
please help

 

[Blind Dragon]

You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm


Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Combofix

• Download Combofix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• Type "1" (and Enter) to start the fix.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

 

[a-train360]

I have now comodo firewall, and have done the processes you asked.
here is the mbam log copied and pasted. and the combo and hijackthis logs attached.

Malwarebytes' Anti-Malware 1.10
Database version: 589

Scan type: Full Scan (A:\|C:\|E:\|F:\|)
Objects scanned: 165611
Time elapsed: 1 hour(s), 20 minute(s), 58 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 13

Memory Processes Infected:
C:\WINDOWS\system32\cxklibaf.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\cxklibaf.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f0cf5598-33f4-4191-92be-aa43520e52cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f95fe966-7487-4850-8bff-f48a80acd934} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cb1a2124-59ca-4c03-a632-9caef57a6c25} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f742e03d-8892-42ae-8049-cb5a51be5b14} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f742e03d-8892-42ae-8049-cb5a51be5b14} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5c7f15e1-f31a-44fd-aa1a-2ec63aaffd3a} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC-Antispyware (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\Program Files\PC-Antispyware (Rogue.PC-Antispyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cxklibaf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PC-Antispyware\PopupBlocker.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A859AD6-551A-408F-98FC-F1075C46EA1C}\RP273\A0087813.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{1A859AD6-551A-408F-98FC-F1075C46EA1C}\RP273\A0087870.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

[Blind Dragon]

CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

File::
C:\WINDOWS\system32\cxklibaf.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"efyyjlob"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.


Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

 

[a-train360]

how do I open notepad?

 

[Blind Dragon]

start => all programs => accessories => notepad

make sure you use notepad and not wordpad

 

[a-train360]

ive done the cfscript with the combofix and am now doing the Kaspersky Online AV Scanner. This scan looks like it might take a while so I will get back to you when I finish.
During my time online, Ive had no pop-up messages at all from pc-antispyware. So fingers crossed.... get back to you with the attachments asap.

 

[a-train360]

the scan is only at 6% and its already been half an hour, is that right?

 

[a-train360]

all done.
combo fix log is- log.txt
then Ive attached the kaspersky and hjackthis logs.
thanks.

 

[Blind Dragon]

Looks good! Follow below


Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

keep them updated.

You can also turn on tea timer in Spybot:

• Click on Mode at the top and make sure that Advanced is checked
• Expand the Tools tab in the left pane
• Single click on the Resident Icon also in the left pane
• check Resident "TeaTimer" (Protection of over-all system settings) Active
• Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger everytime you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files

• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please check Hide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

clear system restore points

• 
  This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  This will remove all restore points except the new one you just created.

 

[a-train360]

done.
the computer is running perfect.
Thanks for helping me out and g'day from sydney, australia.
you guys are pro's.
cheers.
a-train

 

[Blind Dragon]

Not a problem. If you have any more issues let us know.

Regards,

Blind Dragon

 

[piket112]

Abebot & Trojandownloader problem

Hello!

I had the same problem, but after reading your thread my computer works perfect again!! Thanx alot

I have one problem right now,, I got a black blank desktop when i restored the system and restarted the computer and im unable to change it.

Can you please help me??

Thanx again

Sam.

 

[kritius]

What exactly did you do? The fixes are for specific computers, you may have ruined it if you did something that was meant for another computer.

 

[piket112]

First, i got the same warnings as a-train360 and found this thread through my search.. i realized that everything agreed with my problem.. I followed the instructions above and when i did the last step "clear system restore points" and restarted the computer then the desktop turned black, but everything running just perfect.

 

[kritius]

Did you use the CFScript?

 

[piket112]

No, I didn't. Can i use it now or??

 

[kritius]

NOT AT ALL. Start your own thread and state your problems.

 

[rubywinkles]

Hi there,
I am having the same problem.
at first i had the blue screen of death in wallpaper form that my computer is infected. my wallpaper is gone,popups gallore!
I keep getting popups one is Red that I am infected with windows .wml.exe abebot and another popup is Trojan xs downloader

then on the sytem tray. i have a yellow triangle then it pops up that my computer is seruiously infected. run scan now.

. I used pc tools spyware cleaner, Spyhunter3.
Norton as well as mcafee stinger. It clean some but still have problems

I have run Hijack this.but never did anything with it because iam not sure what files to get rid of so,
Here I am.
but have no idea what to do from there.

No luck.
How do I get rid of this and what steps to do first?
If any of you fine thinking brains can help this ole lady with this. IT would be greatly appreciated.
Thank you
Rubywinkles

 

[kritius]

start you own thread.

 

[Blind Dragon]

Go https://www.techspot.com/vb/menu28.html

and select new thread