TechSpot

Abebot / TrojanDownloader.XS / Windows.wml.exe

By Manjit
Apr 6, 2008
  1. Hiya,

    I'd really appreciate some help with getting rid of some spyware or whatever nasty thing is currently infecting my laptop; it's making it run very sluggishly.

    Looking at the forum, a number of people have had a similar problem with this 'Abebot' threat. I keep getting pop-ups warning me of a TrojanDownloader.XS and a threat from windows.wml.exe and from Abebot; also a small yellow triangle in the taskbar keeps appearing, linking to a site about PC spyware. A pop-up also keeps appearing about critical errors in the registry (called "system integrity scan").

    I'm not computer savvy, but so far I've run scans with Norton, Windows Defender, Spybot and Spyware Doctor in normal mode. I've also run scans with Windows Defender, Spybot and Spyware Doctor in safe mode. These have cleared my computer of plenty of spyware that I did not know was there, but this main problem does not seem to be going away. I'd really appreciate any help.

    In the post below I'll put the log from HijackThis:
     
  2. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:04:53, on 06/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\All Users\Application Data\behwdklo\tuvmtujm.exe
    C:\WINDOWS\system32\atiptaxx.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\WINDOWS\system32\lelgvufo.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
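    The "Running processes" section of a HijackThis log is where an analyst starts, and the two entries the helpers later target (behwdklo\tuvmtujm.exe under All Users\Application Data, and lelgvufo.exe in system32) share a pattern: eight random lowercase letters, running from a directory a normal program would not use. The Python below is an added example, not part of the thread and not a HijackThis feature; it applies three simple triage rules to an abridged copy of the process list above. The rules and the small allowlist of legitimate 8-letter system binaries are assumptions tuned to this one log, and the output is a set of leads to verify, not verdicts: it also surfaces Crusty.exe.exe, which is the poster's renamed HijackThis copy.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: an abridged copy of the "Running processes" section of
# the HijackThis log posted above (paths copied from the thread, nothing added).
HJT_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Documents and Settings\All Users\Application Data\behwdklo\tuvmtujm.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lelgvufo.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
"""

# Eight lowercase letters, no digits, no capitals: the naming pattern of the
# files targeted later in this thread (behwdklo, tuvmtujm, lelgvufo).
RANDOM_STEM = re.compile(r"^[a-z]{8}$")
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Legitimate all-lowercase 8-letter binaries that sit directly in system32 and
# would otherwise trip the random-name rule. Assumption: a minimal baseline
# derived from this single log; build yours from a known-clean machine.
BASELINE_8LETTER = {"winlogon.exe", "services.exe", "atiptaxx.exe"}


def triage_process(path: str) -> list[str]:
    """Return the reasons a running-process path deserves a closer look ([] if none)."""
    p = PureWindowsPath(path)
    parts = [part.lower() for part in p.parts]
    parent = parts[-2] if len(parts) >= 2 else ""
    in_appdata = "application data" in parts
    reasons = []
    if in_appdata:
        reasons.append("executable running from an Application Data directory")
    if (
        (parent == "system32" or in_appdata)
        and RANDOM_STEM.match(p.stem)
        and p.name.lower() not in BASELINE_8LETTER
    ):
        reasons.append("random-looking 8-letter file name")
    if len(p.suffixes) >= 2 and all(s.lower() in EXEC_EXTS for s in p.suffixes[-2:]):
        reasons.append("double executable extension")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged path in a HijackThis process list to the reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_process(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(HJT_PROCESSES).items():
        print(f"{path}\n    " + "; ".join(reasons))
```

    Run as a script it prints the three leads with their reasons. The allowlist is the weak point of any name-shape rule: without it winlogon.exe and services.exe are flagged too, which is why a baseline from a clean install of the same Windows version should replace the three hard-coded names before this is used on other logs.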
     
  3. kritius

    kritius TS Guru Posts: 2,084

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  4. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Thank you, I really appreciate your help; I'll do that now.
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Just remember to attach them.
     
  6. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    When Malwarebytes' Anti-Malware is removing the selected files should it take a long time? Because it appears that it has been removing them for an age and appears frozen. Or should I just be patient and wait for the log to appear in Notepad?
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    It is possible that it froze, but the more infections there are the longer it will take, so keep that in mind.
     
  8. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    I'm pretty sure it's frozen given it's not responding, so should I run a full scan again?
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Yes, try it again; if it freezes again you should just move on to ComboFix. MBAM is a great tool and will remove a good bit of your infection for sure, so it's well worth another shot.
     
  10. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    OK, I'm having some problems. I've run a second full MBAM scan and it froze up again. It has not produced any logs; I've checked 'C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt'. Is this a problem?

    Having said that, since running the two full scans and pressing 'Remove Selected' I've had no more pop-ups.

    I've moved on to ComboFix; unfortunately I can't seem to get this running properly. Having saved it to my desktop, each time I open it I get a message saying 'Windows cannot open this file: pv.cfexe', and a blue screen also appears. Not sure if I've done something wrong. Any help would be appreciated.

    Thanks
     
  11. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Log from MBAM

    I've run three scans now for MBAM, and each time when I remove the selected items it freezes up.

    I've managed to obtain the log.

    I'm still struggling to get ComboFix to work properly. Any help would be appreciated.

    Thanks.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

    Close all other windows before proceeding.

    This means TURN OFF ALL other security programmes.
    Norton Anti-virus, AVG Anti-spyware or any other security programmes you`re running.

    Double-click on dss.exe and follow the prompts.
    When it has finished, dss will open two Notepads main.txt and extra.txt -- please attach the main.txt and extra.txt in your next reply.

    Re-enable your security programmes and reconnect to the net.
     
  13. lisa64

    lisa64 TS Rookie

    same problem with abebot/trojandownloader.xs

    I am going through the same thing. I did the scans, etc. Have you heard anything? I hope this goes through. I've never gone online like this for anything. Thanks.
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Lisa, the instructions in this thread are for the use of the thread starter only.

    Please go to http://www.techspot.com/vb/menu28.html and start a new thread with your symptoms; also attach any logs that you may have.
     
  15. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Sorry it's taken me so long to get back to you, but I've been at work. I've got the day off, so I'm going to try and get the problem sorted today.

    I've done the scan with DSS and the logs are attached. Any help will be really appreciated. Thanks.
     
  16. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Any further advice?
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download OTMoveIt2 by OldTimer.
    • Save it to your desktop

    • Right-click OTMoveIt2.exe and choose Run As Administrator.
    • Copy the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xfmbnobr
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pyyrnkdz
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\jkscrhmz
    C:\Documents and Settings\All Users\Application Data\behwdklo
    C:\Documents and Settings\manjit\Application Data\PC-Cleaner
    C:\WINDOWS\system32\efiQBcdd.ini2
    C:\WINDOWS\system32winlogonpc.exe
    C:\WINDOWS\system32hoproxy.dll
    C:\WINDOWS\system32taack.exe
    C:\WINDOWS\system32taack.dat
    C:\WINDOWS\system32sncntr.exe
    C:\WINDOWS\system32mwin32.exe
    C:\WINDOWS\system32hxiwlgpm.exe
    C:\WINDOWS\system32hxiwlgpm.dat
    C:\WINDOWS\a.bat
    C:\Documents and Settings\manjit\Desktopvirii
    C:\WINDOWS\system32psoft1.exe
    C:\WINDOWS\system32psof1.exe
    C:\WINDOWS\system32ps1.exe
    C:\WINDOWS\system32bsva-egihsg52.exe
    C:\WINDOWS\system32ssurf022.dll
    C:\WINDOWS\system32smp
    C:\WINDOWS\system32netode.exe
    C:\WINDOWS\system32msnbho.dll
    C:\WINDOWS\system32medup020.dll
    C:\WINDOWS\system32medup012.dll
    C:\WINDOWS\system32temp#01.exe
    C:\WINDOWS\system32mtr2.exe
    C:\WINDOWS\system32msgp.exe
    C:\WINDOWS\system32h@tkeysh@@k.dll
    C:\WINDOWS\system32dpcproxy.exe
    C:\WINDOWS\system32ssvchost.exe
    C:\WINDOWS\system32ssvchost.com
    C:\WINDOWS\system32regm64.dll
    C:\WINDOWS\system32regc64.dll
    C:\WINDOWS\system32msvchost.exe
    C:\WINDOWS\system32thun32.dll
    C:\WINDOWS\system32thun.dll
    C:\WINDOWS\system32Rundl1.exe
    C:\Documents and Settings\manjit\DesktopFWebdEditor.exe
    C:\Documents and Settings\manjit\Desktopfwebd.exe
    C:\Documents and Settings\manjit\Desktopfilemanagerclient.exe
    C:\WINDOWS\system32vcatchpi.dll
    C:\WINDOWS\system32newsd32.exe
    C:\WINDOWS\system32emesx.dll
    C:\WINDOWS\system32anticipator.dll
    C:\WINDOWS\system32akttzn.exe
    C:\WINDOWS\system32WINWGPX.EXE
    C:\WINDOWS\system32winsystem.exe
    C:\WINDOWS\system32sysreq.exe
    C:\WINDOWS\system32mssecu.exe
    C:\WINDOWS\system32bdn.com
    C:\WINDOWS\system32awtoolb.dll
    C:\WINDOWS\system32vbsys2.dll
    C:\WINDOWS\unins000.exe
    C:\WINDOWS\unins000.dat
    C:\WINDOWS\system32\lelgvufo.exe
    C:\WINDOWS\system32\zslmbahy.exe
    C:\WINDOWS\system32\hqribozu.exe
    • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
      IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you.
    • Right-click and choose Paste.
    • Click the red Moveit! button.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ***Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

    Reboot the computer.
     
  18. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Here's what came up under the green results bar, not totally sure if I did it right:

    LoadLibrary failed for C:\WINDOWS\system32vcatchpi.dll
    C:\WINDOWS\system32vcatchpi.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32vcatchpi.dll scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32newsd32.exe scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32emesx.dll
    C:\WINDOWS\system32emesx.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32emesx.dll scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32anticipator.dll
    C:\WINDOWS\system32anticipator.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32anticipator.dll scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32akttzn.exe scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32WINWGPX.EXE scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32winsystem.exe scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32sysreq.exe scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32mssecu.exe scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32bdn.com scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32awtoolb.dll
    C:\WINDOWS\system32awtoolb.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32awtoolb.dll scheduled to be moved on reboot.
    LoadLibrary failed for C:\WINDOWS\system32vbsys2.dll
    C:\WINDOWS\system32vbsys2.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32vbsys2.dll scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\unins000.exe scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\unins000.dat scheduled to be moved on reboot.
    File/Folder C:\WINDOWS\system32\lelgvufo.exe not found.
    File/Folder C:\WINDOWS\system32\zslmbahy.exe not found.
    File/Folder C:\WINDOWS\system32\hqribozu.exe not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04122008_205609
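    Two things about the removal list in the previous post and the results above can be checked mechanically before a list like this is pasted into a tool. First, whether each entry is a registry value or a file path. Second, whether a path has lost the backslash between a directory and a file name: most of the system32 and Desktop entries in the list arrived fused (for example "C:\WINDOWS\system32vcatchpi.dll"), and in the results the only entries reported as "not found" are the three at the end that kept their separator. The Python below is an added example, not from the thread and not part of OTMoveIt2; it audits an abridged copy of that list. The two directory names it checks for are an assumption tuned to the paths on this page.

```python
import re

# Constructed sample: an abridged copy of the OTMoveIt2 list posted above,
# entries copied verbatim, including the ones that arrived without a backslash
# between the directory and the file name.
OTMOVEIT_LIST = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xfmbnobr
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pyyrnkdz
C:\Documents and Settings\All Users\Application Data\behwdklo
C:\WINDOWS\system32\efiQBcdd.ini2
C:\WINDOWS\system32winlogonpc.exe
C:\WINDOWS\system32hoproxy.dll
C:\WINDOWS\a.bat
C:\Documents and Settings\manjit\Desktopvirii
C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\unins000.exe
C:\WINDOWS\system32\lelgvufo.exe
"""

REGISTRY_ROOT = re.compile(r"^HK(EY_)?[A-Z_]+\\", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
# Directory names a removal entry commonly passes through. If the final
# component of a path starts with one of these and keeps going, the backslash
# after it was almost certainly lost. Assumption: tuned to the paths in this
# thread; extend it with directories from your own lists.
FUSED_DIRS = ("system32", "desktop")


def classify(entry: str) -> str:
    """Registry value, drive-letter file path, or something the tool will not understand."""
    if REGISTRY_ROOT.match(entry):
        return "registry"
    if DRIVE_PATH.match(entry):
        return "file"
    return "unknown"


def repair_fused_path(entry: str):
    """Return the path with the missing backslash restored, or None if it looks fine."""
    head, _, last = entry.rpartition("\\")
    low = last.lower()
    for d in FUSED_DIRS:
        # "Desktop.ini" is a real file name; only a letter directly after the
        # directory name indicates a lost separator.
        if low.startswith(d) and len(low) > len(d) and low[len(d)] != ".":
            return f"{head}\\{last[:len(d)]}\\{last[len(d):]}"
    return None


def audit(list_text: str) -> dict:
    """Split a removal list by entry type and collect (fused, repaired) path pairs."""
    result = {"registry": [], "file": [], "unknown": [], "fused": []}
    for line in list_text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        kind = classify(entry)
        result[kind].append(entry)
        if kind == "file":
            fixed = repair_fused_path(entry)
            if fixed:
                result["fused"].append((entry, fixed))
    return result


if __name__ == "__main__":
    r = audit(OTMOVEIT_LIST)
    print(f"{len(r['registry'])} registry, {len(r['file'])} file, {len(r['unknown'])} unknown")
    for bad, fixed in r["fused"]:
        print(f"fused: {bad}\n   -> {fixed}")
```

    On the sample it reports four fused paths and proposes the separated form of each. Whether a repaired path actually exists on the machine is a separate question (the three intact entries at the end of the original list were already gone by the time OTMoveIt2 ran), so the repaired list still needs a pass against a fresh scan log before it is used.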
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Have you rebooted the computer yet?
     
  20. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Yes, I have rebooted the computer; sorry about the delay in replying.
     
  21. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Are there further steps I should take?
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Please run Deckard's System Scanner again and attach main.txt here.

    afterwards
    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  23. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Deckard scan

    Sorry it's taken a while to get back to you, i'm sure you know how work can be.

    I've run the Deckard system scan and attached the main.txt file. I'm currently downloading Kaspersky as instructed and will attach that file as soon as the scan is completed.
     
  24. Manjit

    Manjit TS Rookie Topic Starter Posts: 82

    Kaspersky Report

    Here is the file that was produced by the scan you instructed me to do with the Kaspersky Online AV Scanner.
     
  25. jonathon7500

    jonathon7500 TS Rookie

    Same exact problem, but add XP Antivirus

    I have all the same problems, and my desktop screen changes to a blue color. It seems that I may have rid my computer of most of the problem, but it's still crap. Here is the MBAM logfile.

    Now I will begin the
     