TechSpot

Abebot Trogan Downloader

By goinggoinggone
Apr 14, 2008
  1. Can someone help me fix this nasty anooying pop-ups, blue screen, yellow triangle, fake windows defender screens, red spyware alert screens, and such. this is annoying.
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt



    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
  3. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

  4. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    Newer MBAM log

    I have a newer MBAM log but it says attachment in progress still so i will send Asap
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am still working on your fix but in the mean time, please do the following:

    search for the following file then upload it to virus total: Start-> search -> all files and folders->
    tskcert6.exe -> find the path because you will need it when you visit virus total

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file tskcert6.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.
     
  6. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    file not found

    i couldn't locate that file but i tried... but i have that other MBAM log attached
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  8. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    Furthe Info PLease

    Sorry Blind Dragon, I tried that but i wasn't sure if you meant have File:: at the top or Folder:: so i did folder and then i ended up having to reboot my comp manually cause it froze or something. to avoid further scares to me can you clarify which one needs to be at the top?
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am sorry about that, please retry as I have edited the script.
     
  10. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    Cool

    Will do thanks alot BD
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Be sure to close all windows including this one.

    Talk to you soon!
     
  12. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    OK

    Heres what i got. I did have to manually reboot again though let me know if i need to redo
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Most of it worked, the rest we will do manually:

    Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
    I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components :
    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

      How to prevent it from being recreated every time you run the AOL software:
      • Open AOL
      • Go to Help on the toolbar
      • Select About AOL
      • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.



    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O4 - HKCU\..\Policies\Explorer\Run: [upjpcdupri.exe] C:\WINDOWS\system\upjpcdupri.exe

    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system\upjpcdupri.exer <-This file only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
    ********************************************************************************************************

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  14. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    HTJ log

    Heres the hJT log
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Getting better how is your computer running?

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
      O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
      O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
      O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
      O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    I will wait for the kaspersky log
     
  16. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    My computer is running alot smoother than when we first started... i couldn't remove that one file you told me to C:\WINDOWS\system\upj.... because i couldn't find it. i got the kaspersky log but the attachments wont work. so im waiting for the attachments to work again
     
  17. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    i just used htj to remove those 5 files as said. but i still cant seem to attach stuff...
     
  18. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    yo BD

    i sent my kasperlog to your e-mail hope thats ok... im just ready to have a clean comp again. thanks for all your help so far i dont know where id be without your help.
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Thats fine, I will have look through it shortly and replay back
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You sent me an empty notepad file named Kaspersky, it was only 2kb
     
  21. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    oh sorry will retry
     
  22. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    damn that one didnt work either
     
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Whats the problem?
     
  24. goinggoinggone

    goinggoinggone TS Rookie Topic Starter Posts: 16

    Rtf File

    i sent an rtf file that seemed to work. i dunno but under my sent e-mail they showed up as 1kb too. But when i attached them they said the full amount of 37kb i dunno but the rtf file should work if you can open it.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It was a clean log anyways, everything in quarantine and restore points. We can clear that up now.

    First launch Symantec and delete everything in quarantine!!!!!!!!!!!

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
    ------------------------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Multiple Anti-Spyware (Spybot S&D and MBAM, will list more options below)
    1 program to clean temp files (CCleaner or ATF cleaner)

    This is what I have saved, take your pick and feel free to experiment with any of these to find what fits your needs.
    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...