Please Help I'm Pulling My Hair Out

Dear Experts

Yesterday whilst browsing a few websites I accidentally (I know, LOL) saved and opened what Norton described as a Download.Trojan, and spent most of my day off from work trying to resolve the situation and eliminate the blasted thing. As you have probably gathered I'm no IT expert, but I have always been interested in the technical and scientific aspects of all computing areas, including coding. On this note, I think I have eliminated most of the trojan files, but there seem to be a few that remain, as I keep getting a number of pop-ups every hour or so.

I have attached a print screen of one of the pop-ups that my system has to put up with, and another one I have described below:

It is a red and grey window that says 'Security System Warning'.

Alert Details
File: C:\WINDOWS\wml.exe

Threat:Abebot

Click here to visit PC-Antispyware web site..


There is also another similar one:

System Integrity Scan Wizard
Warning: Your computer may have critical errors in Windows registry and file system!


I must also point out that I also receive a pop-up in the right-hand system tray which alerts the following:

To scan your computer for errors please click the 'Next' button below

In addition, an exclamation mark still appears in the bottom-right system tray that says "click here to fix problem" (it is beginning to wind me up, LOL).
This might also be of help: I have noticed in the Manage Add-ons area two DLL files, kdftlboerfg.dll and qvdntlmw.dll, which I disabled.

Hope this is enough information, and I really look forward to receiving some sort of help/advice that can help eliminate this pain in the backside and destroy it forever.

Kind Regards
Scott
 

Attachments

  • PrintScreen.doc (58 KB)
Hi RendeZvous147,

I'm Kritius.

I need you to follow all the steps HERE and then post back with the three requested logs as attachments:
  • AVG antispyware
  • ComboFix
  • Hijackthis (step 15)

Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step, and to let us know the results of the anti-rootkit scan.

If you have any questions then just ask.

Good luck and welcome to techspot.

P.S. You're not going to get far with Norton.

This thread is for the use of RendeZvous147 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Hi Kritius

Many thanks for your prompt reply. As requested, I have followed the procedure advised and attach the logs you require in order to wipe out this trojan once and for all.

Many thanks once again and look forward to your response.

Please note I could not obtain a log for ComboFix. The software ran but didn't produce a log.
 
HijackThis entry looks suspicious: C:\WINDOWS\system32\qtkrkpqr.exe

O4 - HKCU\..\Run: [grlhtwam] C:\WINDOWS\system32\qtkrkpqr.exe
O4 - HKLM\..\Policies\Explorer\Run: [NItNvta8W5] C:\Documents and Settings\All Users\Application Data\wnmvylwp\wvcbmbwb.exe
 
Hi Joe Beard

Many thanks for this additional information.
What do you suggest I do, as I am starting to have difficulties on my computer after a period of just pop-ups?

An installer registry log is not functioning
My Norton Antivirus will not update
I deleted the exe file you located, qtkrkpqr.exe, and the pop-ups stopped.
I could not locate the other exe file; it seems to be hidden even after I have selected "show all files and folders".

I have decided to just recover my computer using the VAIO recovery tool, as I've burnt all my important files onto discs.

Do you think this would be wise? Once the computer has formatted itself, will there be any trace of the virus/trojan etc.?

Look forward to your comments, and once again thanks for checking my attached log.

KR

Rendezvous
 
Try the shorter path first: restore a System Restore point.

The question is: when did you LAST install something?
Pick a restore point one day later.
 
This is yet another infection of Downloader.xs or Abebot.

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
 
Many many thanks for your time and help on this particular scenario.

However, I took the time out to save all my important files onto a number of DVDs in order for me to use the VAIO RECOVERY TOOL, which I performed last night, and the computer is back to normal.

All I have to do now is transfer all the files I copied onto DVD and my system will be back to normal. Please note all my files that were sent onto DVD were on a partitioned drive away from the C:.

However, I do have a question.

As I have performed a system recovery, what is the likelihood that this damn pest, otherwise known as Downloader, is still present on the computer, even though it states the computer will go back to the original factory settings?

Once again, many thanks for your help, and I once again look forward to your response.

Rendezvous
 
Post a HijackThis log and it will show if it is on there.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE.
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically. Select "Scan now and save a log".
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
Hi Blind Dragon

As requested, I have attached the log from HijackThis following my system recovery, which in all honesty has done the computer a world of good and given it a new lease of life.

Please assess the log and confirm whether there is any trace of that blasted trojan. :)

Many thanks to yourself and all the other users who have helped. I am so grateful for your help and will become an avid user of this board as I work my way to becoming an I.T. Jedi :)!!!

Rendezvous147
 
I don't see any trace of the infection.

But to prevent future infections, here are a few things I noticed.

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder

You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a firewall on your computer. If you use the Windows Firewall you might think that's enough, but it only controls inbound traffic. Simply using a firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm


I recommend you keep:
  • 1 anti-virus program
  • 1 firewall
  • Spybot S&D, Ad-Aware 2007, and another anti-spyware of your choice (I like MBAM)
and keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer, you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green, though.
 