Security warning popups saying I have Abebot

Status
Not open for further replies.

motherofsix

I have been getting popups every 20 minutes or so. They vary in look, some red and white, some blue and white, and also warning triangles on my bottom toolbar. All these popups direct me to a website selling pc cleaner software. I have run norton antivirus, adaware and ccleaner to no effect. Can someone help me to get rid of these things? I have seen several threads relating to this problem but it seems that every solution is unique. I am not desperately confident with the computer but hate having this malicious software. It makes me feel like a victim!
Any help would be very gratefully received.
Thank you
 
Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt



HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2). It can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
Thanks for your reply

Thank you for your reply and instructions. I am not going to be able to do the things you have suggested for a couple of days. It is the school holidays and I am up to my eyes! I really appreciate the help and support. Please bear with me and the slowness of my response. I am pretty green at this computer business and I need to work up the courage to have a go at following your instructions. I am worried about messing up the computer permanently. Will let you have the files as soon as I have got them.
Thanks
 
No worries, just make sure you follow the instructions exactly, in order, and don't do additional steps between my replies, it will be fine.
 
malware scan files you asked for

Hi,
I managed to do the first part of your instructions yesterday and I hope I have successfully attached the file you asked for. I am ready to carry on with the second instruction, which means running the combofix software. Before I do this, can you tell me if I need to turn off my Norton Internet Security / Antivirus software? If I do, how do I do it, do I just turn all the options to the 'off' position? Sorry to be so thick about what I am supposed to do.
Many thanks for your help
 
Yes please disable any real time protection

If you have any anti-spyware such as Teatimer through spybot that also needs to be disabled while combofix is run.
 
Same problem I encountered

Hello blind dragon, I had also encountered the same problem.
I did follow your instructions and here are the log files.

So, what's my next thing to do?
 
Completed all the steps

Thanks Blind Dragon, for your last reply and the information. I managed to turn the protection off and complete the combofix scan and also the HJT. I am attaching all the files you asked for malwarebytes scan log I sent a few days ago.
Hope they are OK. Will wait for your next instructions. Thanks so much for your help.
 
jersey8786 said:
Hello blind dragon, I had also encountered the same problem.
I did follow your instructions and here are the log files.

So, what's my next thing to do?
I can't do 2 sets of instructions in one thread and the instructions in this thread are specific to the original thread starter. Can you please start your own thread in our security and the web section. Attach your logs there; you may have to go to edit profile in the blue bar above -> scroll down to attachments in the left pane and remove them all in order to repost them into your own thread.
----------------------------------------------------------------------------------------------------

@Motherofsix ->
CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
Folder::
C:\Documents and Settings\All Users\Application Data\tzrwfkze
C:\Documents and Settings\All Users\Application Data\tqgvsuar
C:\Documents and Settings\All Users\Application Data\uyqaqehk
C:\Documents and Settings\All Users\Application Data\zoalwmhj
C:\Documents and Settings\All Users\Application Data\svkrsbwl

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
----------------------------------------------------------------------------------------------------

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java
------------------------------------------------------------------------------------------------------

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
---------------------------------------------------------------------------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply

Next reply =
Combofix log
Hijackthis log
Kaspersky log
 
The rest of the log reports

Hi Blind Dragon ,
Thank you for your last set of instructions, I have tried to follow them. My Java had been updated so no updates to be downloaded. I ran the ATF cleaner and that was fine. I don't know what Firefox or Opera are, so I don't think I have them and so ignored this instruction. Hope that was ok. I have attached the log files you asked for. Once again thank you for your continued support and patience.
I am having trouble with uploading the kaspersky scan log and have had to put it into 4 files for it to fit. Sorry. I have uploaded my quota of five files so will post another reply with the last log report. I have probably done something wrong if the reports are so long, my apologies.
 
Are you still out there

Hi Blind Dragon.
I was just wondering if you have been able to look at my last log files and have any further instructions for me.
Thanks very much for your help
 
Everything looks good except for a few minor things. The main one being that you have loads of cookies and temp files stored on your computer. We need to delete all that junk and free up that space.

First
Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):
    O9 - Extra button: BT - {14034BB3-7BCE-47AE-A056-C2177234B8EE} - http://www.bt.com (file missing) (HKCU)
    O9 - Extra button: Homepage - {CABE248F-44CA-4C2E-8918-54A9BF46AFBF} - http://www.btopenworld.com/default (file missing) (HKCU)
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Next
Manually clear cache
  • Open a folder window (for example, double-click My Computer).
  • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

And Last
CCleaner
  • Download from HERE
  • Close all browsers.
  • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old prefetch Data option, this should be unticked)
  • Click the run cleaner button. Do this several times
  • You can also click the registry icon then scan and fix broken entries etc.
--------------------------------------------------------------------------------------------------
First
*Launch Norton, select Quarantine and delete/remove all
*While there, make sure any real time protection gets turned back on after removing from Quarantine

Next
Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
* When finished exit out of OTMoveIt2

clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
---------------------------------------------------------------------------------

Additional info for staying safe:

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:
    Virus, Spyware, and Malware Protection and Removal Resources
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
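
Added example, not part of the original posts and not HijackThis's own code: both O9 entries selected for fixing earlier in this reply carry the "(file missing)" marker, and this Python sketch picks such orphaned browser-button entries out of a saved log. The line layout is inferred from the two lines quoted in the thread; the third sample line (label, CLSID and path) is constructed.

```python
import re

# Sample input: the two O9 lines quoted in the thread, plus one constructed
# healthy entry (made-up label, CLSID and path) for contrast.
SAMPLE_LOG = r"""
O9 - Extra button: BT - {14034BB3-7BCE-47AE-A056-C2177234B8EE} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {CABE248F-44CA-4C2E-8918-54A9BF46AFBF} - http://www.btopenworld.com/default (file missing) (HKCU)
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\example.dll
"""

# Layout assumed from the quoted lines:
#   O9 - Extra button: <label> - {CLSID} - <target> [(file missing)] [(HKCU)]
O9_RE = re.compile(
    r"^O9 - Extra button: (?P<label>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$"
)
TRAILING_TAG_RE = re.compile(r"\s*\((file missing|HKCU)\)$")


def parse_o9(line):
    """Parse one O9 line into a dict, or return None for any other line."""
    m = O9_RE.match(line.strip())
    if m is None:
        return None
    target, tags = m.group("rest"), []
    # Peel the trailing "(...)" markers off the target, right to left.
    while True:
        tag = TRAILING_TAG_RE.search(target)
        if tag is None:
            break
        tags.insert(0, tag.group(1))
        target = target[: tag.start()]
    return {
        "label": m.group("label"),
        "clsid": m.group("clsid").upper(),
        "target": target,
        "file_missing": "file missing" in tags,
        "per_user": "HKCU" in tags,
    }


def orphaned_entries(log_text):
    """Return the O9 entries whose target HijackThis reported as missing."""
    parsed = (parse_o9(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e["file_missing"]]


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(entry["label"], entry["clsid"], entry["target"])
```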
 
Not sure how to manually clear cache.

Hi Blind Dragon.
Thanks very much for your last reply. I really appreciate your help. I have done the HijackThis operation. Found and deleted the keys you told me to. I am having trouble carrying out the next instruction. I can open the folder called Temporary internet files. I click on the button at the top called folders and the list of folders appears on the right hand side of the box. I cannot then rename the folder. It won't let me add the character \ . I feel sure I am doing something wrong but just don't know what. I have really looked hard for a way to add the text you have described. Am I looking in the wrong place for the address bar? I am not sure where this is. I have a title bar at the top of the box showing the address but I cannot change this at all.
If it is of any use, when I first click on view files and get the box up, on the right hand side is a line saying details. Under this it says Temporary Internet Files, Attributes Hidden. Has this got something to do with it? I definitely clicked on show all hidden files and unchecked hide protected operating files.
Could you give me little more guidance.
Thanks very much
 
Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.

This doesn't say rename the file, it says in the address area add \content.ie5 to the end of the address.

Let me know if this helps or if you need further details, I can try to do it with pictures possibly. ;)
 
Still not sure what to do!

Hi Blind Dragon
I'm so sorry, I still don't know what to do. What do you mean by the address area of the folder? On the left hand side of the box I get a long vertical list of all the folders with a + or - sign and the folder picture (yellow orange rectangle) with the name of the folder next to it, in this case temporary internet files. If I put the cursor on this and try to write \content.ie5 then it tells me that the file name cannot have the \ character. Am I putting the cursor in the wrong place? The only place where the whole of the address of the file is written is the title bar at the top of the box, but this cannot be edited.
Hope you can help some more
Thanks
 
Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.

IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.


The address area of the folder that internet explorer opened up, as in where you would type the address as if you were on the internet.

It will say c:\Windows\Temporary Internet Files

Copy and paste \content.ie5 at the end of that address.

Hope this helps.

Or double click c:\, open up windows, open up temp, open up temporary internet files and open content.ie5
 
mine doesn't look like that

Hi Blind Dragon,
Thanks for the picture, I see where you mean now, but my screen doesn't look like that. The title bar at the top of the box is not editable. I had to change my folder settings to display the whole of the file name. Initially it just said Temporary Internet Files. Now it says the whole file name from C: but I cannot change it. There is no search box or drop down box at the end of the filename. I will try later to send you a picture but at the moment I am not at my home computer.
Any Ideas?

Thanks.
 
Ok, thanks to both Blind Dragon and Kiritus for putting me straight. Sorry I was so thick. I actually in the end typed the whole address in the IE address space to bring up the folders with the 8 digit characters. I have deleted them but I got a warning on some of them that desktop.ini is a system file and did I want to delete it. I answered no to that as it didn't seem sensible to without some advice. Consequently 3 of the folders were not empty so they haven't been removed.
Do I leave it as it is or should I delete the system file desktop.ini?
Thanks for your help
and sorry again for being so thick about the previous instructions.
Speak soon
 
Leave desktop.ini there. Continue with instructions. There wasn't an infection in there just a lot of clutter, which was why kaspersky was so long.
 
Hi Blind Dragon,
I have followed the rest of the instructions. Thanks very much for your help.
I still have CCleaner, HJT, ATF cleaner and Malware Bytes on my desktop. Is it OK to keep these or should I uninstall them? If I keep them, should I run them regularly to keep my computer clean?
As you will have realised, I am not very computer literate and I am a little afraid of what I could do with these programmes if not supervised. Your advice would be great to have.
Thanks again.
 
I would keep MBAM and either ATF cleaner OR CCleaner you don't really need both, whichever you like better.

MBAM is safe I would scan with it at a minimum of once every 2 weeks. If it finds something it will quarantine it, you can check the quarantine tab to see what it caught and make sure to let me know if it ever does.

ATF cleaner and CCleaner are good to run every once in a while to clean up clutter from surfing the internet or running programs, they basically clean up temporary files that you don't need anyways. So no fear of doing anything bad, the worst that will happen is that you will lose saved passwords and have to re-enter them on your next visit to some websites.

Uninstall Hijackthis through Start -> control panel -> add/remove programs

Hope this helps

Regards,

BD
 