TechSpot

Abebot Problem

By restricteditaly
Apr 1, 2008
  1. Hello,

    I, like many other people, managed to infect my system with some nasty spyware. Detailed below are the ones causing problems:

    1)

    " Security System Protection Control Panel " TrojanDownloader.XS.

    It is a white and blue window that says "Security system Warning".

    2)
    A red box mentioning something to the extent of:

    Alert Details
    File: C:\WINDOWS\wml.exe

    Threat: Abebot

    3)

    System Integrity Scan Wizard
    Warning: Your computer may have critical errors in Windows registry and file system!

    and 4)

    Yellow triangle with an exclamation mark in the bottom right corner where the clock is located. It's constantly prompting me that there is spyware infecting my system and is directing me to a website to download some spyware remover.

    If someone could lend me a hand to fix these problems, that would be greatly appreciated.

    Thanks so much in advance.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi welcome to TechSpot

    Are you running XP or Vista?

    First of all

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.


    IF YOU ARE RUNNING XP DO THE FOLLOWING:
    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    If you are running Vista, please still follow the MBAM instructions and let me know you are running Vista.

    In your next reply attach:
    1) MBAM log
    2) Report.txt (if you have XP and can run SDFix)
    3) HijackThis log

    This thread is for the use of restricteditaly only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    I've noticed from most other threads that a HijackThis log is required, so I've attached one.

    Thanks Again
     
  4. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    I'm running Windows XP.
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hopefully we can get this infection off, then you can run through the preliminary removal instructions. Normally we would do it the other way around, but this infection has become so popular we will just get it off first.

    Go ahead and run through my instructions above since you are on XP.
     
  6. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    Prior to posting I ran all these scans, so as requested here is what you're looking for.

    The hijackthis file is attached in an above post.

    Thanks so much for your prompt response and help!
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I really need to know exactly which program will remove this

    Download and run these three tools. Follow the instructions for using each tool on the download site for each tool.

    Tool1 Tool2 Tool3

    With tool 1 here are some details of what needs to be done
    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:

    For Internet Explorer 7

    * Click Start, click Control Panel, and then double-click Internet Options.
    * On the General tab, click Delete... under Browsing History.
    * Next to Temporary Internet Files, click Delete files, and then click OK.
    * Next to Cookies, click Delete cookies, and then click OK.
    * Next to History, click Delete history, and then click OK.
    * Click the Close button.
    * Click OK.

    For Mozilla 1.x and Up

    * Click Edit from the Mozilla menubar.
    * Click Preferences... from the Edit menu.
    * Expand the Advanced menu by clicking the plus sign.
    * Click Cache.
    * Click the Clear Cache button.

    For Opera

    * Click File from the Opera menubar.
    * Click Preferences... from the File menu.
    * Click the History and Cache menu.
    * Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
    * Click Ok to close the Preferences menu.

    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


    Afterwards attach rapport.txt and a fresh Hijackthis log
     
  8. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    I have followed the above instructions and as requested the fresh hijackthis file and the rapport.txt is attached.
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Did you already run tool2 and tool3?

    The entries are still there

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo
    Kerio
    Online Armor
    Zonealarm

    'The Avenger by Swandog46'

    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Click the Execute button.
    • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log.
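    The HijackThis log requested in post 2 and the "entries are still there" check in post 9 both come down to reading the same line-oriented log. The Python below is an added example, not code from the thread or from HijackThis: it parses HijackThis-style lines (the `Oxx - ...` prefix format), lists O15 Trusted Zone additions and O4 Run entries, flags Run entries whose executable sits directly in the Windows directory (a heuristic of mine; the first post's C:\WINDOWS\wml.exe is the only path from the thread), and compares an earlier log against a fresh one to report which entries persist. The sample logs, GUID and domains are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample logs, not logs posted in the thread. The wml.exe path is
# the one named in the first post; the .invalid domains and GUID are placeholders.
SAMPLE_LOG_BEFORE = """\
Logfile of HijackThis (constructed sample)
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\placeholder.dll
O4 - HKLM\\..\\Run: [wml] C:\\WINDOWS\\wml.exe
O4 - HKLM\\..\\Run: [Norton] "C:\\Program Files\\Norton 360\\placeholder.exe"
O15 - Trusted Zone: *.trusted-example.invalid
O15 - Trusted Zone: *.rogue-example.invalid
"""

SAMPLE_LOG_AFTER = """\
Logfile of HijackThis (constructed sample)
O4 - HKLM\\..\\Run: [Norton] "C:\\Program Files\\Norton 360\\placeholder.exe"
O15 - Trusted Zone: *.rogue-example.invalid
"""

# A log entry is "<section> - <body>", e.g. "O15 - Trusted Zone: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
WINDOWS_ROOT = "c:\\windows"  # assumed install location for the heuristic below

Entry = Tuple[str, str]


def parse_hjt_log(text: str) -> List[Entry]:
    """Keep only the section-prefixed entries; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def executable_of(cmd: str) -> str:
    """Strip quoting and arguments from a Run command, returning the .exe path."""
    m = re.match(r'^"?(?P<path>[^"]+?\.exe)"?', cmd, re.IGNORECASE)
    return m.group("path") if m else cmd


def triage(entries: List[Entry]) -> Dict[str, list]:
    """Summarise the entries a helper looks at first: trusted zones and Run keys."""
    report: Dict[str, list] = {"trusted_zones": [], "run_entries": [], "review": []}
    for section, body in entries:
        if section == "O15":
            report["trusted_zones"].append(body.split(":", 1)[1].strip())
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            exe = executable_of(m.group("cmd"))
            report["run_entries"].append((m.group("name"), exe))
            # Heuristic: startup executables living directly in the Windows
            # directory root (rather than Program Files or system32) merit a look.
            parent = exe.rsplit("\\", 1)[0].lower()
            if parent == WINDOWS_ROOT:
                report["review"].append(exe)
    return report


def persistent_entries(before: str, after: str,
                       sections: Tuple[str, ...] = ("O2", "O4", "O15")) -> List[Entry]:
    """Entries of the chosen sections present in both an old and a fresh log."""
    old = {e for e in parse_hjt_log(before) if e[0] in sections}
    new = {e for e in parse_hjt_log(after) if e[0] in sections}
    return sorted(old & new)


if __name__ == "__main__":
    for key, value in triage(parse_hjt_log(SAMPLE_LOG_BEFORE)).items():
        print(key, value)
    print("still present:", persistent_entries(SAMPLE_LOG_BEFORE, SAMPLE_LOG_AFTER))
```

    Run against the two constructed logs, the comparison reports that one O15 Trusted Zone entry survived, which is exactly the situation the DelO15Domains step above is meant to resolve; the "review" list is a prompt for a human to look, not a verdict.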
     
  10. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    Yes, I did run Tool2 and 3.

    Also note I am running Norton 360, which I believe is equipped with firewall software.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good, then all you need to do is run the deldomains utility and then get Avenger.
     
  12. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    The avenger log as requested:
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Sorry avenger isn't going to work for the whole infection as I can't see everything

    I could write a script with it to remove what we can see, but I would rather be safe than sorry.


    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  14. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    What's our next course of action?
     
  15. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    As requested:
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You have 2 really nasty infections

    While I put together a script to remove the infections we need to go ahead and run this program to repair the damage that has been done by the trojans

    FindAWF

    Click here to download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Attach AWF.txt file in your next reply.
     
  17. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    I figured it was bad!

    Attached is the requested log
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
     
  19. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    Combofix log attached:

    Did that do it?? Are they gone?
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    We still have a little ways to go, I didn't want to put everything in one post as it can be overwhelming.

    Fix AWF Infection
    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach AWF.txt file in your next reply
     
  21. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    awf.txt attached
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Fix AWF Folders
    Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
    • Press 3, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the bad folders and will perform another scan for .bak folder
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please attach the AWF.txt file in your next reply.
     
  23. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    awf attached:
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good job, now
    Run Fix AWF one more time and press 4, then press Enter.

    And I missed one thing with ComboFix so...

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word Folder:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
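    Posts 18 and 24 both hinge on the same formatting rule for CFScript.txt: the header (File:: in one case, Folder:: in the other) must be the very first line, with no blank line above it and no leading space. The Python below is an added example, not code from the thread or from ComboFix: a checker that reports violations of those stated rules, plus a builder that emits a script satisfying them. The thread's quote boxes are not reproduced, so the assumption that every line after the header is one absolute Windows path, and all sample paths other than C:\WINDOWS\wml.exe (from the first post), are mine.

```python
import re
from typing import List

CF_HEADERS = ("File::", "Folder::")  # the two headers named in the thread
# Assumption: each line after the header is a single absolute Windows path.
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>:"|?*]+$')

# Constructed samples, not the thread's own script contents.
GOOD_SCRIPT = "File::\nC:\\WINDOWS\\wml.exe\n"
BAD_BLANK_FIRST = "\nFile::\nC:\\WINDOWS\\wml.exe\n"
BAD_LEADING_SPACE = " File::\nC:\\WINDOWS\\wml.exe\n"
BAD_RELATIVE = "Folder::\nwml_backup\n"


def validate_cfscript(text: str, expected_header: str) -> List[str]:
    """Return a list of problems; an empty list means the script is well formed."""
    if expected_header not in CF_HEADERS:
        raise ValueError(f"unknown header {expected_header!r}")
    problems: List[str] = []
    lines = text.splitlines()
    if not lines:
        return ["empty script"]
    first = lines[0]
    if first == "":
        problems.append("blank line above the header")
    elif first != expected_header:
        if first.strip() == expected_header:
            problems.append("whitespace around the header")
        else:
            problems.append(f"first line is {first!r}, expected {expected_header!r}")
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue  # trailing blank lines are harmless
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
        if not ABS_PATH_RE.match(line.strip()):
            problems.append(f"line {n}: not an absolute Windows path")
    return problems


def build_cfscript(header: str, paths: List[str]) -> str:
    """Emit a script that passes validate_cfscript for the given header."""
    if header not in CF_HEADERS:
        raise ValueError(f"unknown header {header!r}")
    body = "\n".join(p.strip() for p in paths)
    return f"{header}\n{body}\n"


if __name__ == "__main__":
    for name, sample, header in [("good", GOOD_SCRIPT, "File::"),
                                 ("blank first", BAD_BLANK_FIRST, "File::"),
                                 ("leading space", BAD_LEADING_SPACE, "File::"),
                                 ("relative", BAD_RELATIVE, "Folder::")]:
        print(name, validate_cfscript(sample, header) or "ok")
```

    Running the checker before dragging the file onto ComboFix catches the two mistakes the post warns about, a blank first line and a leading space, which a text editor does not make visible.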
     
  25. restricteditaly

    restricteditaly TS Rookie Topic Starter Posts: 19

    Did we get them??
     
Topic Status:
Not open for further replies.
