TechSpot

C:\windows\wml.exe, trojans and pop-ups

By michael_joe
Apr 23, 2008
Topic Status:
Not open for further replies.
  1. Hi, over the past week or so I've been getting quite a lot of pop-ups and keep getting one particular one which says adebot and that I have a trojan on my computer. Ive tried avast, mcaffee, avg, spybot but the problem still appears to be there. my machine has also started to slow up.

    would really appreciate if someone could help me, many thanks.
  2. hynesy

    hynesy TechSpot Maniac Posts: 445

    Please download and run this tool from here (majorgeeks.com/download3155.html).
    Scan and save a log file, upload it in a new reply, do not fix anything using this program unless you know exactly what your going.
    cheers
    Hynesy
  3. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  4. michael_joe

    michael_joe Newcomer, in training Topic Starter

    Hi, thank for your reply..i have done a scan and attached the file.
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    michael_joe due to hynesy post, you are using an older version of HijackThis (v1.99.1) which now must be uninstalled !

    You will need to use the HijackThis link that I stated above, only.

    Also, for your and my benefit, please do the following in order:

    1. Uninstall the obsolete version of HijackThis (presently installed)
    2. Download and run CCleaner and remove all temp files
    3. Download and run Startup, remove any unwanted startup programs, then restart
    4. Download HijackThis (as per my link!)
    5. Run a full scan and post back in a new reply
    6. Be aware that I myself, can not review your hijackthis log, this must be done by the spyware specialists here.

    @hynesy see the mess you made by one post !
  6. kritius

    kritius TechSpot Guru Posts: 2,087

    O4 - HKCU\..\Run: [rpsqjyel] C:\ProgramData\rpsqjyel\zkreryvq.exe
    O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Gurprit\AppData\Local\Temp\geBqPGWM.dll,#1
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Gurprit\AppData\Local\Temp\mljjgFxV.dll,c
    O4 - HKCU\..\Run: [be296965] rundll32.exe "C:\Users\Gurprit\AppData\Local\Temp\idcyqxnq.dll",b

    Oh joy, I spy an old friend.

    In addition to what Kimsland has said,

    color=blue]Download and Run Malwarebytes' Anti-Malware[/color]
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please Attach the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.
  7. michael_joe

    michael_joe Newcomer, in training Topic Starter

    hey guys, can i thank everyone for their kind help. i have done as was requested and have attached the scans, many thanks
  8. kritius

    kritius TechSpot Guru Posts: 2,087

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Gurprit\AppData\Local\Temp\mljjgFxV.dll,c
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=h ome (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary


    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply
    WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  9. michael_joe

    michael_joe Newcomer, in training Topic Starter

    as per ur request i have attached a scan, thanks for ur help.
  10. kritius

    kritius TechSpot Guru Posts: 2,087

    Can you move ComboFix to the desktop and then rerun the scan.
  11. michael_joe

    michael_joe Newcomer, in training Topic Starter

    I've just run the combofix from my desktop, the scan is attached. thanks
     
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\ProgramData\rpsqjyel\zkreryvq.exe
      
      Folder::
      C:\ProgramData\zobovwro
      C:\ProgramData\rpsqjyel
      
      Registry::
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "rpsqjyel"=-
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Post a fresh HijackThis log as well
  13. michael_joe

    michael_joe Newcomer, in training Topic Starter

    hello my friend, i hope i've done this right. thanks for your help, really do appreciate it.
  14. michael_joe

    michael_joe Newcomer, in training Topic Starter

    sorry below is the fresh HJT
  15. kritius

    kritius TechSpot Guru Posts: 2,087

    Disable Teatimer
    Please disable Teatimer as it may interfere with the fix.
    First:
    • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    • Choose Exit Spybot S&D Resident
    Second:
    • Open Spybot S&D
    • Click Mode, check Advanced Mode
    • Go To Left Panel, Click Tools, then also in left panel, click Resident
    • If your firewall raises a question, say OK
    • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.
    Once your log is clean you can re-enable those settings in TeaTimer.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Gurprit\AppData\Local\Temp\mljjgFxV.dll,c

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      C:\Users\Gurprit\AppData\Local\Temp\mljjgFxV.dll
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  16. michael_joe

    michael_joe Newcomer, in training Topic Starter

    please find attached the scan, thanks
  17. kritius

    kritius TechSpot Guru Posts: 2,087

    I would like you to do an online scan so that we can what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [​IMG]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [​IMG]
    • Include the report in your next post.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.