TechSpot

Have spyware infection Abebot on my PC!

By Esuper
Mar 31, 2008
Topic Status:
Not open for further replies.
  1. Hi to all the Gurus here,

    My PC has been infected with the same problem as others. I have attached the Hijack.log file.
    This is my first time doing this; I hope I have given enough info here. And I really hope to receive some sort of help/advice that can help eliminate this problem.

    ................................................................................

    Warning!!!
    File: C:\WINDOWS\wml.exe

    Threat:Abebot

    Click here to visit PC-Antispyware web site..

    There is also another similar one;

    System Integrity Scan Wizard
    Warning: Your computer may have critical errors in Windows registry and file system!
    ................................................................................

    Thanks
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Hi Esuper,

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    This thread is for the use of Esuper only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Hi Blind Dragon.

    There is no Y in SDFix?? What should I choose from here?

    1. Download/Run a-squared
    2. Download/Run Norman Malware Cleaner
    3. Download/Run SAV32CLI

    A. Create System Report
    B. Create Service/Drive List
    C. Create Catchme Log
    D. Export SafeBoot Key

    U. Download Latest version of SDFix
    E. EXIT

    Thanks
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Did you type Y?

    If so, did it not work?

    Thanks
     
  5. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Yes, I did type Y, and the SDFix window closed.
     
  6. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    And this is the log file from Malwarebytes' Anti-Malware.

    Thanks
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Boot into Safe Mode, use your regular account (not admin).

    Type 2 to begin the cleanup process.

    With MBAM everything says NO ACTION TAKEN. Be sure that everything is checked, and click Remove Selected.
     
  8. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Thanks,

    Certain items could not be removed! The first few are listed below. All items that could not be removed have been added to the delete on reboot list. And it asks me to restart?

    here is the file:
    HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d}
    HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}
    HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}

    Continue restart?
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Yes, then attach the log here afterwards.
     
  10. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Here is the Norman_Malware_Cleaner log file.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Did you crash while running the scan?

    I need to see a fresh Hijackthis log
     
  12. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Yes, it crashed (but the system is OK).
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Run SDFix from Safe Mode again, this time selecting option 3.

    Then, when it's done and you have restarted, run yet another scan with Hijackthis from normal mode and attach both logs here.
     
  14. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    I have to run SDFix from Safe Mode with option 3 again; I cannot find where the log file is located.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    It's in the SDFix folder as Report.txt.

    I don't think it will remove all of it though, so in addition:

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
     
  16. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    This is the file
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  18. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Have been stopped by Spyware Doctor. And now the window prompt says:
    Windows cannot open this file:
    To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select from a list of programs on your computer.

    What to do?
    Use the web service to find the appropriate program OR select the program from a list?
     
  19. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Spyware Doctor Block!!!
    Threat: Trojan
    Risk: High
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit.

    Try again. If it still doesn't work:

    Go to Start -> Run -> type combofix /u

    Reattempt the above instructions after it is uninstalled.
     
  21. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Here are the files.
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  23. Esuper

    Esuper TS Rookie Topic Starter Posts: 34

    Thanks!! Here are the files.
     
  24. kritius

    kritius TS Guru Posts: 2,087

    Depending on whether HijackThis was run before or after the CFScript, that line is still there; it's getting quite resilient.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Boot into Safe Mode - you may want to save this in a Notepad file on your desktop so you can have it while in Safe Mode.
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O4 - HKLM\..\Policies\Explorer\Run: [rgWFEtNPPQ] I:\Documents and Settings\All Users\Application Data\ezclqdql\gxwzsbil.exe

    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders, and turn off Hide protected operating system files.

    Use Windows Explorer to navigate to and delete the following folder:

    Files:
    I:\Documents and Settings\All Users\Application Data\ezclqdql <-This folder only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
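    A small triage helper for the HijackThis step above, added here as an example; it is not code posted by anyone in this thread and not part of HijackThis itself. It parses the O4 (autostart) lines of a HijackThis log and flags the ones worth a second look using the same signals Blind Dragon acted on: the less common Policies\Explorer\Run key, a launch path under Application Data, and a random-looking value or file name. The consonant-run heuristic, the indicator list and the sample log are assumptions for illustration only (the ctfmon.exe line is constructed for contrast; the other two reproduce entries mentioned in this thread), not a detection signature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format. The Policies\Explorer\Run entry and
# C:\WINDOWS\wml.exe are the paths discussed in this thread; the ctfmon.exe entry
# is a normal Windows autostart included so the filter has something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [rgWFEtNPPQ] I:\Documents and Settings\All Users\Application Data\ezclqdql\gxwzsbil.exe
O4 - HKCU\..\Run: [wml] C:\WINDOWS\wml.exe
O2 - BHO: (no name) - {0b682cc1-fb40-4006-a5dd-99edd3c9095d} - (no file)
""".strip()

# "O4 - <registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Basename of the first .exe on the command line (group 1 is the stem).
EXE_RE = re.compile(r"([^\\/\s]+)\.exe\b", re.IGNORECASE)

# Assumed heuristics: an autostart key that ordinary software rarely uses,
# user-writable data directories, and file names taken from this thread.
LESS_COMMON_KEYS = ("policies\\explorer\\run",)
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
THREAD_INDICATORS = {"wml.exe", "gxwzsbil.exe"}


def looks_random(token: str, min_run: int = 5) -> bool:
    """Heuristic: five or more consecutive consonants (y counted as a vowel)
    is rare in real product names but common in generated ones."""
    run = longest = 0
    for ch in token.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest >= min_run


@dataclass
class Finding:
    key: str
    name: str
    cmd: str
    reasons: list[str] = field(default_factory=list)


def triage_o4_lines(log_text: str) -> list[Finding]:
    """Return the O4 entries that trip at least one heuristic, with the reasons."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an autostart line (O2, O23, ...): out of scope here
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
        exe = EXE_RE.search(cmd)
        exe_name = exe.group(0).lower() if exe else ""
        stem = exe.group(1) if exe else ""
        reasons = []
        if any(k in key.lower() for k in LESS_COMMON_KEYS):
            reasons.append("less common autostart key: " + key)
        if any(d in cmd.lower() for d in USER_WRITABLE_DIRS):
            reasons.append("launches from a user-writable data directory")
        if looks_random(name) or looks_random(stem):
            reasons.append("random-looking value or file name")
        if exe_name in THREAD_INDICATORS:
            reasons.append("file name matches an indicator from this thread")
        if reasons:
            findings.append(Finding(key, name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4_lines(SAMPLE_LOG):
        print(f"[{f.name}] {f.cmd}")
        for r in f.reasons:
            print("    -", r)
```

    On the sample above the ctfmon.exe entry is silently accepted, the Policies\Explorer\Run entry collects all four reasons, and wml.exe is reported only because its name appears in the thread. A hit is a prompt to verify the file (publisher, location, hash) before fixing the entry, which is exactly the check-the-log-then-fix loop the thread follows.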
     