TechSpot

Please Help I'm Pulling My Hair Out

By RendeZvous147
Mar 26, 2008
  1. Dear Experts

    Yesterday, whilst browsing a few websites, I accidentally (I know, LOL) saved and opened what Norton described as a Download.Trojan and spent most of my day off from work trying to resolve the situation and eliminate the blasted thing. As you have probably gathered, I'm no IT expert, but I have always been interested in the technical and scientific aspects of all computing areas, including coding. On this note, I think I have eliminated most of the trojan files, but there seem to be a few that remain, as I keep getting a number of pop-ups every hour or so.

    I have attached a print screen of one of the pop-ups that my system has to put up with, and another one I have described:

    It is a red and grey window that says 'Security System Warning'

    Alert Details
    File: C:\WINDOWS\wml.exe

    Threat:Abebot

    Click here to visit PC-Antispyware web site..


    There is also another similar one;

    System Integrity Scan Wizard
    Warning: Your computer may have critical errors in Windows registry and file system!


    I must also point out that I also receive a pop-up in the right system tray which alerts the following:

    To scan your computer for errors please click the 'Next' button below

    In addition, an exclamation mark still appears in the bottom right system tray that says click here to fix problem (it is beginning to wind me up LOL).
    This might also be of help: I have noticed in the Manage Add-ons area 2 DLL files, kdftlboerfg.dll & qvdntlmw.dll, which I disabled.

    Hope this is enough information, and I really look forward to receiving some sort of help/advice that can help eliminate this pain in the backside and destroy it forever.

    Kind Regards
    Scott
     

    Attached Files:

  2. kritius

    kritius TS Guru Posts: 2,087

    Hi RendeZvous147, :wave:

    I'm Kritius,

    I need you to follow all the steps HERE and then post back with the three requested logs as attachments
    • AVG antispyware
    • ComboFix
    • Hijackthis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step, and to let us know the results of the anti-rootkit scan.

    If you have any questions then just ask.

    Good luck and welcome to TechSpot.

    P.S. You're not going to get far with Norton.

    This thread is for the use of RendeZvous147 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. RendeZvous147

    RendeZvous147 TS Rookie Topic Starter

    Hi Kritius

    Many thanks for your prompt reply, and as requested I have followed the procedure advised and attach the logs you require in order to wipe out this trojan once and for all.

    Many thanks once again, and I look forward to your response.

    Please note I could not obtain a log for ComboFix. The software ran but didn't produce a log etc...
     
  4. kritius

    kritius TS Guru Posts: 2,087

    I'll look over them as soon as I can; I'm a bit backlogged here, so hang tight.
     
  5. jobeard

    jobeard TS Ambassador Posts: 13,467   +327

    Hijack entry looks suspicious: C:\WINDOWS\system32\qtkrkpqr.exe

    O4 - HKCU\..\Run: [grlhtwam] C:\WINDOWS\system32\qtkrkpqr.exe
    O4 - HKLM\..\Policies\Explorer\Run: [NItNvta8W5] C:\Documents and Settings\All Users\Application Data\wnmvylwp\wvcbmbwb.exe
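    As an added illustration of why the two O4 lines above stand out (and of what a HijackThis log exposes when one is requested later in this thread), here is a small parser and heuristic that is not from this thread or from HijackThis itself: it reads O4 autorun lines and flags entries whose executable has a random-looking name in the locations this family used, or that load from the Policies\Explorer\Run key. The sample log is constructed; the ccApp and Java lines are ordinary entries added for contrast.

```python
import re

# Constructed sample log: the two O4 lines quoted in this thread plus two
# ordinary autorun entries (Norton's ccApp, the Java updater) for contrast.
SAMPLE_HJT_LOG = r"""
O4 - HKCU\..\Run: [grlhtwam] C:\WINDOWS\system32\qtkrkpqr.exe
O4 - HKLM\..\Policies\Explorer\Run: [NItNvta8W5] C:\Documents and Settings\All Users\Application Data\wnmvylwp\wvcbmbwb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"""

# Shape of an O4 line:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\([^:]+): \[([^\]]*)\] (.*)$')

def parse_o4(log_text):
    """Return (hive, key, value_name, command) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def looks_random(stem):
    """Six or more letters with under 20% vowels, e.g. 'qtkrkpqr' or 'wvcbmbwb'."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in 'aeiou' for c in letters) / len(letters) < 0.2

def suspicious_o4(entries):
    """Flag autoruns whose executable has a random-looking name in a location this
    family used (under WINDOWS or All Users\\Application Data, not Program Files),
    or that load from the rarely legitimate Policies\\Explorer\\Run key."""
    findings = []
    for hive, key, value_name, command in entries:
        path = command.strip().strip('"')          # drop surrounding quotes
        folder, _, exe = path.rpartition('\\')
        stem = exe.rsplit('.', 1)[0]               # file name without extension
        lower = path.lower()
        odd_location = (('\\windows\\' in lower and '\\program files\\' not in lower)
                        or '\\all users\\application data\\' in lower)
        reasons = []
        if odd_location and looks_random(stem):
            reasons.append('random-looking executable name in ' + folder)
        if key.lower().startswith('policies\\'):
            reasons.append('loads from %s\\..\\%s' % (hive, key))
        if reasons:
            findings.append({'value': value_name, 'path': path, 'reasons': reasons})
    return findings
```

    Run `suspicious_o4(parse_o4(SAMPLE_HJT_LOG))` to get the two flagged entries; the heuristic is a triage aid, and an unfamiliar entry still wants the file checked before it is removed.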
     
  6. RendeZvous147

    RendeZvous147 TS Rookie Topic Starter

    Hi Joe Beard

    Many thanks for this additional information.
    What do you suggest I do, as I am starting to have difficulties on my computer after a period of just pop-ups?

    An installer registry log is not functioning
    My Norton Antivirus will not update
    I deleted the .exe file you located, qtkrkpqr.exe, and the pop-ups stopped.
    I could not locate the other .exe file; it seems to be hidden even after I have selected show all files and folders.

    I have decided to just recover my computer using the VAIO recovery tool, as I've burnt all my important files onto discs.

    Do you think this would be wise? Once the computer has formatted itself, will there be any trace of the virus/trojan etc...?

    Look forward to your comments, and once again thanks for checking my attached log.

    KR

    Rendezvous
     
  7. jobeard

    jobeard TS Ambassador Posts: 13,467   +327

    Try the shorter path first: Restore a System Restore Point.

    The question is when did you LAST install something --
    pick an R.P. one day later.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    This is yet another infection of downloader.xs or abebot.

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  9. RendeZvous147

    RendeZvous147 TS Rookie Topic Starter

    Many many thanks for your time and help on this particular scenario.

    However, I took the time out to save all my important files onto a number of DVDs in order for me to use the VAIO RECOVERY TOOL, which I performed last night, and the computer is back to normal.

    All I have to do now is transfer all the files I copied onto DVD and my system will be back to normal. Please note all my files that were sent onto DVD were on a partitioned drive away from the C: drive.

    However, I do have a question.

    As I have performed a system recovery, what is the likelihood that this damn pest, otherwise known as Downloader, is still present on the computer even though it states the computer will go back to the original factory settings?

    Once again many thanks for your help, and I once again look forward to your response.

    Rendezvous
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Post a HijackThis log and it will show if it is on there.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically; select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
  11. RendeZvous147

    RendeZvous147 TS Rookie Topic Starter

    Hi Blind Dragon

    As requested, I have attached the log from HijackThis following my system recovery, which in all honesty has done the computer a world of good and given it a new lease of life.

    Please assess the log and confirm whether there is any trace of that blasted trojan :)

    Many thanks to yourself and all the other users who have helped. I am so grateful for your help and will become an avid user of this board as I work my way to becoming an I.T. Jedi :)!!!

    Rendezvous147
     
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I don't see any trace of the infection.

    But to prevent future infections, here are a few things I noticed:

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
    • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo
    Kerio
    Online Armor
    Zonealarm


    I recommend you keep:
    1 anti-virus program
    1 firewall
    Spybot S&D, Ad-Aware 2007, and another anti-spyware of your choice (I like MBAM)
    Keep them updated.

    You can also turn on TeaTimer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close Spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer, you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green, though.
     
Topic Status:
Not open for further replies.
