TechSpot

Security warning popups saying I have Abebot

By motherofsix
Apr 12, 2008
Topic Status:
Not open for further replies.
  1. I have been getting popups every 20 minutes or so. They vary in look, some red and white, some blue and white, and also warning triangles on my bottom toolbar. All these popups direct me to a website selling pc cleaner software. I have run Norton Antivirus, Ad-Aware and CCleaner to no effect. Can someone help me to get rid of these things? I have seen several threads relating to this problem but it seems that every solution is unique. I am not desperately confident with the computer but hate having this malicious software. It makes me feel like a victim!
    Any help would be very gratefully received.
    Thank you
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt



    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically; select Scan now and save a log.
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
  3. motherofsix

    motherofsix TS Rookie Topic Starter

    Thanks for your reply

    Thank you for your reply and instructions. I am not going to be able to do the things you have suggested for a couple of days. It is the school holidays and I am up to my eyes! I really appreciate the help and support. Please bear with me and the slowness of my response. I am pretty green at this computer business and I need to work up the courage to have a go at following your instructions. I am worried about messing up the computer permanently. Will let you have the files as soon as I have got them.
    Thanks
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    No worries, just make sure you follow the instructions exactly, in order, and don't do additional steps between my replies; it will be fine.
     
  5. motherofsix

    motherofsix TS Rookie Topic Starter

    malware scan files you asked for

    Hi,
    I managed to do the first part of your instructions yesterday and I hope I have successfully attached the file you asked for. I am ready to carry on with the second instruction which means running the combofix software. Before I do this, can you tell me if I need to turn off my Norton Internet Security / Antivirus software? If I do, how do I do it? Do I just turn all the options to the 'off' position? Sorry to be so thick about what I am supposed to do.
    Many thanks for your help
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Yes, please disable any real time protection.

    If you have any anti-spyware such as Teatimer through spybot that also needs to be disabled while combofix is run.
     
  7. jersey8786

    jersey8786 TS Rookie

    Same problem I encountered

    Hello Blind Dragon, I had also encountered the same problem.
    I did follow your instructions and here are the log files.

    So, what's my next thing to do?
     
  8. motherofsix

    motherofsix TS Rookie Topic Starter

    Completed all the steps

    Thanks Blind Dragon, for your last reply and the information. I managed to turn the protection off and complete the combofix scan and also the HJT. I am attaching all the files you asked for malwarebytes scan log I sent a few days ago.
    Hope they are OK. Will wait for your next instructions. Thanks so much for your help.
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I can't do 2 sets of instructions in one thread, and the instructions in this thread are specific to the original thread starter. Can you please start your own thread in our security and the web section? Attach your logs there; you may have to go to edit profile in the blue bar above -> scroll down to attachments in the left pane and remove them all in order to repost them into your own thread.
    ----------------------------------------------------------------------------------------------------

    @Motherofsix ->
    CFScript
    Open notepad and copy/paste the text in the code box below into it:
    NOTE: Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
    ----------------------------------------------------------------------------------------------------

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java
    ------------------------------------------------------------------------------------------------------

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.
    ---------------------------------------------------------------------------------------------------

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply

    Next reply =
    Combofix log
    Hijackthis log
    Kaspersky log
     
  10. motherofsix

    motherofsix TS Rookie Topic Starter

    The rest of the log reports

    Hi Blind Dragon ,
    Thank you for your last set of instructions, I have tried to follow them. My Java had been updated so no updates to be downloaded. I ran the ATF cleaner and that was fine. I don't know what Firefox or Opera are, so I don't think I have them and so ignored this instruction. Hope that was ok. I have attached the log files you asked for. Once again thank you for your continued support and patience.
    I am having trouble with uploading the Kaspersky scan log and have had to put it into 4 files for it to fit. Sorry. I have uploaded my quota of five files so will post another reply with the last log report. I have probably done something wrong if the reports are so long, my apologies.
     
  11. motherofsix

    motherofsix TS Rookie Topic Starter

    The last of the log reports

    Here is the last report attached. Thanks
     
     
  12. motherofsix

    motherofsix TS Rookie Topic Starter

    Are you still out there

    Hi Blind Dragon.
    I was just wondering if you have been able to look at my last log files and have any further instructions for me.
    Thanks very much for your help
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Sorry, I was really busy this weekend and got behind a bit on here. I will have a look through them shortly and reply back with instructions. Sorry for the delay.

    These are a good alternative for Internet Explorer; I don't use IE unless I have to. Here are 2 more secure browsers to choose from:
    1) Firefox -> http://www.mozilla.com/en-US/firefox/
    2) Opera -> http://www.opera.com/
     
  14. motherofsix

    motherofsix TS Rookie Topic Starter

    No Worries

    Hi ,
    No worries, it is just good to know that you are still there.
    Speak to you soon.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Everything looks good except for a few minor things. The main one being that you have loads of cookies and temp files stored on your computer. We need to delete all that junk and free up that space.

    First
    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):
      O9 - Extra button: BT - {14034BB3-7BCE-47AE-A056-C2177234B8EE} - http://www.bt.com (file missing) (HKCU)
      O9 - Extra button: Homepage - {CABE248F-44CA-4C2E-8918-54A9BF46AFBF} - http://www.btopenworld.com/default (file missing) (HKCU)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Next
    Manually clear cache
    • Open a folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

    And Last
    CCleaner
    • Download from HERE
    • Close all browsers.
    • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old prefetch Data option, this should be unticked).
    • Click the run cleaner button. Do this several times.
    • You can also click the registry icon then scan and fix broken entries etc.
    --------------------------------------------------------------------------------------------------
    First
    * Launch Norton, select Quarantine and delete/remove all
    * While there, make sure any real time protection gets turned back on after removing from Quarantine

    Next
    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista, Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
    * When finished exit out of OTMoveIt2

    Clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
    ---------------------------------------------------------------------------------

    Additional info for staying safe:

    • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:
      Virus, Spyware, and Malware Protection and Removal Resources
    • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
    • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware
    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
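
    Added example, not part of the thread and not HijackThis code: a small Python parser for the O9 lines quoted in the post above, which picks out the entries HijackThis marked "(file missing)" so the items to tick can be checked against a saved log rather than by eye. The line layout is inferred from the two entries on this page; the third sample entry and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The first two lines are the O9 entries quoted in the post above. The third
# is a constructed entry (made-up name, CLSID and path) without the
# "(file missing)" marker, followed by a line that is not an O9 entry.
SAMPLE_LOG = r"""
O9 - Extra button: BT - {14034BB3-7BCE-47AE-A056-C2177234B8EE} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {CABE248F-44CA-4C2E-8918-54A9BF46AFBF} - http://www.btopenworld.com/default (file missing) (HKCU)
O9 - Extra button: Example Tool - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\tool.dll
Some other log line that is not an O9 entry
"""

# Layout assumed from the lines on this page:
#   O9 - <kind>: <name> - {CLSID} - <target>[ (file missing)][ (HKCU)]
O9_RE = re.compile(
    r"^O9 - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*?)(?P<missing> \(file missing\))?"
    r"(?: \((?P<hive>HKCU|HKLM)\))?$"
)


@dataclass
class O9Entry:
    kind: str            # e.g. "Extra button"
    name: str            # label shown for the browser extra
    clsid: str           # registry identifier of the entry
    target: str          # what the entry points at (file path or URL)
    file_missing: bool   # True when the log line carries "(file missing)"
    hive: Optional[str]  # "HKCU"/"HKLM" suffix if present, else None
    raw: str             # the untouched log line, for matching in the GUI


def parse_o9_line(line: str) -> Optional[O9Entry]:
    """Parse one log line; return None if it is not an O9 entry."""
    m = O9_RE.match(line.strip())
    if m is None:
        return None
    return O9Entry(
        kind=m.group("kind"),
        name=m.group("name"),
        clsid=m.group("clsid"),
        target=m.group("target"),
        file_missing=m.group("missing") is not None,
        hive=m.group("hive"),
        raw=line.strip(),
    )


def orphaned_o9(log_text: str) -> List[O9Entry]:
    """Return the O9 entries whose target was reported as missing."""
    entries = (parse_o9_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.file_missing]


if __name__ == "__main__":
    for entry in orphaned_o9(SAMPLE_LOG):
        print(f"{entry.name:10} {entry.clsid} -> {entry.target} [{entry.hive}]")
```
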
     
  16. motherofsix

    motherofsix TS Rookie Topic Starter

    Not sure how to manually clear cache.

    Hi Blind Dragon.
    Thanks very much for your last reply. I really appreciate your help. I have done the HijackThis operation. Found and deleted the keys you told me to. I am having trouble carrying out the next instruction. I can open the folder called Temporary internet files. I click on the button at the top called folders and the list of folders appears on the right hand side of the box. I cannot then rename the folder. It won't let me add the character \ . I feel sure I am doing something wrong but just don't know what. I have really looked hard for a way to add the text you have described. Am I looking in the wrong place for the address bar? I am not sure where this is. I have a title bar at the top of the box showing the address but I cannot change this at all.
    If it is of any use, when I first click on view files and get the box up, on the right hand side is a line saying details. Under this it says Temporary Internet Files, Attributes Hidden. Has this got something to do with it? I definitely clicked on show all hidden files and unchecked hide protected operating files.
    Could you give me a little more guidance?
    Thanks very much
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.

    This doesn't say rename the file, it says in the address area add \content.ie5 to the end of the address.

    Let me know if this helps or if you need further details, I can try to do it with pictures possibly. ;)
     
  18. motherofsix

    motherofsix TS Rookie Topic Starter

    Still not sure what to do!

    Hi Blind Dragon
    I'm so sorry, I still don't know what to do. What do you mean by the address area of the folder? On the left hand side of the box I get a long vertical list of all the folders with a + or - sign and the folder picture (yellow orange rectangle) with the name of the folder next to it, in this case temporary internet files. If I put the cursor on this and try to write \content.ie5 then it tells me that the file name cannot have the \ character. Am I putting the cursor in the wrong place? The only place where the whole of the address of the file is written is the title bar at the top of the box, but this cannot be edited.
    Hope you can help some more
    Thanks
     
  19. kritius

    kritius TS Guru Posts: 2,087

    Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.

    IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.


    The address area of the folder that Internet Explorer opened up, as in where you would type the address as if you were on the internet.

    It will say c:\Windows\Temporary Internet Files

    Copy and paste \content.ie5 at the end of that address.

    Hope this helps.

    Or double click c:\, open up windows, open up temp, open up temporary internet files and open content.ie5
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Not the folders -> the address bar at the top

    [​IMG]
     
  21. motherofsix

    motherofsix TS Rookie Topic Starter

    mine doesn't look like that

    Hi Blind Dragon,
    Thanks for the picture, I see where you mean now, but my screen doesn't look like that. The title bar at the top of the box is not editable. I had to change my folder settings to display the whole of the file name. Initially it just said Temporary Internet Files. Now it says the whole file name from C: but I cannot change it. There is no search box or drop down box at the end of the filename. I will try later to send you a picture but at the moment I am not at my home computer.
    Any Ideas?

    Thanks.
     
  22. motherofsix

    motherofsix TS Rookie Topic Starter

    Ok thanks to both Blind Dragon and kritius for putting me straight. Sorry I was so thick. I actually in the end typed the whole address in the IE address space to bring up the folders with the 8 digit characters. I have deleted them but I got a warning on some of them that desktop.ini is a system file and did I want to delete it. I answered no to that as it didn't seem sensible to without some advice. Consequently 3 of the folders were not empty so they haven't been removed.
    Do I leave it as it is or should I delete the system file desktop.ini?
    Thanks for your help
    and sorry again for being so thick about the previous instructions.
    Speak soon
     
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Leave desktop.ini there. Continue with instructions. There wasn't an infection in there, just a lot of clutter, which was why Kaspersky was so long.
     
  24. motherofsix

    motherofsix TS Rookie Topic Starter

    Hi Blind Dragon,
    I have followed the rest of the instructions . Thanks very much for your help.
    I still have CCleaner, HJT, ATF cleaner and Malware Bytes on my desktop. Is it OK to keep these or should I uninstall them? If I keep them, should I run them regularly to keep my computer clean?
    As you will have realised, I am not very computer literate and I am a little afraid of what I could do with these programmes if not supervised. Your advice would be great to have.
    Thanks again.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I would keep MBAM and either ATF cleaner OR CCleaner; you don't really need both, whichever you like better.

    MBAM is safe; I would scan with it at a minimum of once every 2 weeks. If it finds something it will quarantine it, you can check the quarantine tab to see what it caught and make sure to let me know if it ever does.

    ATF cleaner and CCleaner are good to run every once in a while to clean up clutter from surfing the internet or running programs, they basically clean up temporary files that you don't need anyways. So no fear of doing anything bad, the worst that will happen is that you will lose saved passwords and have to re-enter them on your next visit to some websites.

    Uninstall Hijackthis through Start -> control panel -> add/remove programs

    Hope this helps

    Regards,

    BD
     