TechSpot

Spyware problem c:\windows\wml.exe and trojandownloader.xs

By rolando_romp
Apr 23, 2008
  1. Hi there,
    I keep getting popups. One is red, that I am infected with windows .wml.exe abebot, and another popup is Trojan xs downloader.

    Then on the system tray I have a yellow triangle, then it pops up that my computer is seriously infected. Run scan now.

    please help
     
  2. rolando_romp

    rolando_romp TS Rookie Topic Starter

    I also have that XP Antivirus.
     
  3. kritius

    kritius TS Guru Posts: 2,084

    Download and Install SuperAntiSpyware Free
    • Launch SuperAntiSpyware
    • Click Check for Updates and update to the latest definitions.
    • Click Scan your Computer
      • Check all boxes in the Scan Location box.
      • Check the Complete Scan radio button.
      • Click Scanning Preferences/Control Centre button.
        • Uncheck Ignore files larger than 4MB (recommended)
        • Check Scan Alternate Data Streams.
        • Click Close.
      • Click Next
    • SuperAntiSpyware will now scan your computer for infection. (This could take in excess of an hour depending on the number of files scanned)
    • When finished it will present you with a summary of its findings.
    • Click OK.
    • The Removal Screen will open.
      • Check the items in the list to mark them for Quarantine.
      • Click Next and SAS will Quarantine them.
    Please send me the log.
    • Click the Preferences button.
      • Click the Statistics/Logs tab.
        • Logs are listed by date and time, click on the latest one to highlight it (at the top).
        • Click View log.
      • This will open a log page.
      • Attach it here please.
    CAUTION: SuperAntiSpyware comes with a programme called Bootsafe. Do not for any reason use this programme; if used on an infected computer it could render it UNBOOTABLE.

    Download and Run Malwarebytes' Anti-Malware
    Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach the log to your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Download and Run ComboFix
    • Download this file to your desktop from either of the two below listed places :

      HERE or HERE
    • Then double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Attach that log in your next reply.
    WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  4. rolando_romp

    rolando_romp TS Rookie Topic Starter

    SUPERAntiSpyware Scan Log

    Generated 04/23/2008 at 09:10 PM

    Application Version : 4.0.1154

    Core Rules Database Version : 3446
    Trace Rules Database Version: 1438

    Scan type : Complete Scan
    Total Scan Time : 01:44:29

    Memory items scanned : 869
    Memory threats detected : 0
    Registry items scanned : 8053
    Registry threats detected : 2
    File items scanned : 119971
    File threats detected : 2

    Adware.Tracking Cookie
    C:\Users\roland\AppData\Roaming\Microsoft\Windows\Cookies\roland@2o7[2].txt
    C:\Users\roland\AppData\Roaming\Microsoft\Windows\Cookies\roland@pc-antispyware[2].txt

    Trojan.DNSChanger-Codec
    HKU\S-1-5-21-1888220204-662823554-1505966377-1001\Software\uninstall

    Rogue.PC-Antispyware
    HKLM\Software\PC-Antispyware
     
  5. rolando_romp

    rolando_romp TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.11
    Database version: 672

    Scan type: Full Scan (C:\|)
    Objects scanned: 182713
    Time elapsed: 2 hour(s), 3 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 9
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorertoolbar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\OneMoreKey (Rogue.Installer) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Users\roland\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Users\roland\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopblackbird.jpg (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\DesktopEditorFKWP1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\DesktopEditorFKWP2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopfilemanagerclient.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopfkwp1.5.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopfkwp2.0.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\Desktopfwebd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\DesktopFWebdEditor.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\Users\roland\DesktopTrojan.Win32.BlackBird.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
     
  6. rolando_romp

    rolando_romp TS Rookie Topic Starter

    I can't run ComboFix; my antivirus says it's not safe. I have McAfee, Spyware Doctor and Avast. The pop-ups have stopped. Are they gone, I mean the spyware?
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Disable your antivirus and get ComboFix downloaded, then disconnect from the internet and let it run. Also, attach the documents rather than cutting and pasting them.
     
  8. hydrois2nice

    hydrois2nice TS Rookie

    spyware

    Hi Kritius,

    I scanned my computer with SAS; I have attached the log.
     
  9. hydrois2nice

    hydrois2nice TS Rookie

    Hi Kritius,

    I have attached the log from Malwarebytes' Anti-Malware.
     
Topic Status:
Not open for further replies.
