TechSpot

Abebot removal help

By RopeWarrior
Apr 6, 2008
  1. Can someone please help me get rid of abebot. i don't know a whole lot about this kind of thing but i've been reading around a lot and i already downloaded hijackthis. the hijackthis log is attached. thank you
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places:

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Rename HijackThis.exe to RopeWarrior.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to RopeWarrior.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.
     
  3. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    nothing is happening when i click on combofix. a green meter fills up and then a small blue screen pops up but then disappears. i don't think i did anything wrong when i downloaded it. thanks for helping me out!
     
  4. kritius

    kritius TS Guru Posts: 2,084

    Disconnect from the internet and disable any real time monitoring programs

    Download and Run DSS

    Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized.
    • Attach Main.txt and the extra.txt in your reply.
     
  5. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    i figured out what i did wrong, i hadn't downloaded it to my desktop. it's working now. should i still download DSS or just include the logs for malwarebytes and combofix?
     
  6. kritius

    kritius TS Guru Posts: 2,084

    Work with combo if you've got it running.
     
  7. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    i have the combofix and hijackthis logs but i can't find the malwarebytes log. i followed the search criteria you posted but there is no Application Data folder under my username
     
  8. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    nevermind, i found it. here are the three logs.
     
  9. kritius

    kritius TS Guru Posts: 2,084

    Looking over now, will be back with you later with results.
     
  10. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    thank you so much. since i've run all those scans, the pop ups have stopped and the little yellow triangle telling me i was infected has gone away. but i don't know if that means it's completely fixed or not.
     
  11. kritius

    kritius TS Guru Posts: 2,084

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Create an uninstall list
    • Launch Hijackthis
    • Click the Open the Misc Tools section button
    • Click the Open Uninstall Manager button.
    • Click the Save list button.
    • Copy and paste this log into your next reply


    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\WINDOWS\system32\C7D5AA596A.sys
      C:\WINDOWS\system32\hefunglo.exe
      
      Folder::
      C:\VundoFix Backups
      C:\Program Files\Trend Micro
      C:\Program Files\Common Files\Symantec Shared
      C:\Documents and Settings\All Users\Application Data\Symantec
      C:\Documents and Settings\All Users\Application Data\vsdavqhs
      
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "rnhrfkaq"=-
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBsQjjg]
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    O2 - BHO: (no name) - {C5816B13-D249-4FEF-8ED0-52DB3DFBF91D} - C:\WINDOWS\system32\fccdCsqo.dll (file missing)
    O4 - HKCU\..\Run: [rnhrfkaq] C:\WINDOWS\system32\hefunglo.exe
    O20 - Winlogon Notify: geBsQjjg - geBsQjjg.dll (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary


    In the next post you should include,
    1) ComboFix log that is produced
    2) HijackThis uninstall list
    3) Fresh HijackThis scan
    4) How is the computer running now
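
Added example, not part of the thread and not code from HijackThis or either poster: a small Python triage of the entry lines quoted in the post above, separating registrations marked "(no file)" or "(file missing)" from autostart entries whose target may still be on disk. The function names and the last sample line are assumptions made for illustration.

```python
import re

# The four entries quoted in the post above, plus one constructed line
# (the last, a made-up program) whose target carries no "missing" marker.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {C5816B13-D249-4FEF-8ED0-52DB3DFBF91D} - C:\WINDOWS\system32\fccdCsqo.dll (file missing)
O4 - HKCU\..\Run: [rnhrfkaq] C:\WINDOWS\system32\hefunglo.exe
O20 - Winlogon Notify: geBsQjjg - geBsQjjg.dll (file missing)
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<detail>.*)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_VALUE = re.compile(r"^\[(?P<name>[^\]]+)\]\s+(?P<command>.+)$")
AUTOSTART_CODES = {"O4", "O20"}  # the Run-key and Winlogon Notify sections seen above

def parse_entries(log_text):
    """Split each 'CODE - kind: detail' line into fields; skip anything else."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # log header, process list, blank lines
        detail = m["detail"]
        clsid = CLSID.search(detail)
        run = RUN_VALUE.match(detail)
        entries.append({
            "code": m["code"],
            "kind": m["kind"],
            "clsid": clsid.group(0) if clsid else None,
            "run_name": run["name"] if run else None,
            "orphaned": bool(ORPHAN.search(detail)),
        })
    return entries

def orphaned(entries):
    """Registrations the log marks as pointing at a file that is gone."""
    return [e for e in entries if e["orphaned"]]

def live_autostarts(entries):
    """Autostart entries with no 'missing' marker: check the target on disk."""
    return [e for e in entries if e["code"] in AUTOSTART_CODES and not e["orphaned"]]

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print("orphaned :", [e["code"] for e in orphaned(parsed)])
    print("autostart:", [e["run_name"] for e in live_autostarts(parsed)])
```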
     
  12. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    i got through the first three parts ok but after combofix rebooted my computer hijackthis won't work. i attached a screenshot (because I don't know how to just post the picture) of my desktop so you can see what's happening.
     
  13. kritius

    kritius TS Guru Posts: 2,084

    show the screenshot, if it continues to not work uninstall and reinstall it.
     
  14. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    here's the screenshot of my desktop and hijackthis
    [​IMG]
     
  15. kritius

    kritius TS Guru Posts: 2,084

    yes, uninstall it and reinstall it.
     
  16. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    ok, i reinstalled it but the entry O4 - HKCU\..\Run: [rnhrfkaq] C:\WINDOWS\system32\hefunglo.exe isn't showing up. the other three are there but not this one
     
  17. kritius

    kritius TS Guru Posts: 2,084

    That's ok, we got it with the CFScript, I only put it in there as a backup. Post the requested logs please.
     
  18. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    once again, i may have messed up. since i uninstalled and reinstalled hijackthis, the uninstall list that i saved before has been deleted. is it okay to just do it again and save it?
     
  19. kritius

    kritius TS Guru Posts: 2,084

    Yes that's grand, no worries there at all.
     
  20. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    ok, here are all the logs. everything seems to be running normal. i haven't experienced any of the problems i was having before (i.e. yellow spyware triangle and pop ups).
     
  21. kritius

    kritius TS Guru Posts: 2,084

    Delete bad programs
    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for the following (if present):

      Java 2 Runtime Environment, SE v1.4.2_03
      LiveUpdate 3.2
      Viewpoint Media Player

    NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

    ATF Cleaner

    • Download and Run ATF Cleaner
      Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.
      if you use Firefox:

      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
      if you use Opera:

      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program

    Rename HijackThis.exe to RopeWarrior.exe by doing the following;

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose from the pull-down menu; "Rename"
    • And now Rename HijackThis.exe to RopeWarrior.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Attach the fresh HijackThis log here.

    I would like you to do an online scan so that we can see what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [​IMG]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [​IMG]
    • Include the report in your next post.
     
  22. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    it won't let me delete liveupdate. here's what it looks like

    [​IMG]
     
  23. kritius

    kritius TS Guru Posts: 2,084

    That's ok, we got most of it with the CFScript, there's nothing running at the minute,

    Try this and see if it works,

    Norton Removal Tool. Follow the instructions on the site.

    Then continue on with the rest of the steps.
     
  24. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    here you go.
     
  25. RopeWarrior

    RopeWarrior TS Rookie Topic Starter Posts: 22

    after performing the last couple scans, i've noticed that some web pages either aren't loading correctly or not loading at all
     
Topic Status:
Not open for further replies.
