Abebot c windows/wml.exe and Trojan downloader problem

Status
Not open for further replies.

rubywinkles

Posts: 7   +0
Abebot C windows/wml.exe infection Trojan Downloader?

--------------------------------------------------------------------------------

Hi there,
I am having the same problem.
At first I had the blue screen of death in wallpaper form saying that my computer is infected. My wallpaper is gone, popups galore!
I keep getting popups: one is red, saying that I am infected with windows .wml.exe abebot, and another popup is Trojan xs downloader.

Then in the system tray I have a yellow triangle, and it pops up that my computer is seriously infected: run scan now.

I used PC Tools Spyware Cleaner, SpyHunter3,
Norton, as well as McAfee Stinger. They cleaned some but I still have problems.

I have run HijackThis, but never did anything with it because I am not sure what files to get rid of, so
here I am,
but have no idea what to do from there.

No luck.
How do I get rid of this and what steps to do first?
If any of you fine thinking brains can help this ole lady with this, it would be greatly appreciated.
Thank you
Rubywinkles

p.s. I posted in the wrong area earlier, oops.
--------------------------------------------------------------------------------
Last edited by rubywinkles : Today at 11:49 AM.
 
For this particular infection we need you to run the following programs and attach the requested logs.

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt



HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
  • Run the HijackThis installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically; select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
Blind Dragon
Thank you for the info. When you get a chance, please let me know what I should do next. I know there are a lot of requests, and I also have a lot of muck on my computer.

Thanks again

Rubywinkles
 
Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder



You need to disable either Symantec or Zone Alarm; it is not good to have 2 active firewalls. 2 firewalls do not equal double protection.



Download/install 'SuperAntiSpyware Home Edition Free Version' from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Once the updates have been installed, exit SuperAntiSpyware.

Scan with SuperAntiSpyware
  • Start SuperAntiSpyware.
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.

    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    Click on 'Preferences'.
    Click on the 'Statistics/Logs' tab.
    Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad.
    Attach the Notepad file here in your next reply



Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it)
File::
C:\WINDOWS\SYSTEM32\zllictbl.dat
C:\Documents and Settings\All Users\Application Data\nuzcruti\zylshsxw.exe

Folder::
C:\Documents and Settings\All Users\Application Data\nuzcruti

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"qMxESeiLXu"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"qMxESeiLXu"=-

Save this as CFScript.txt

Then drag the CFScript.txt onto ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif, dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
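As an added example for the CFScript step above (my own code, not from this thread, the helper, or ComboFix's author), the following Python script checks a saved CFScript for the one rule the helper stresses, that the very first line is exactly File:: with no blank line above it and no leading space, and then groups the entries by section so every path and registry value the script will act on can be reviewed before it is handed to ComboFix. The sample script is the one posted above, embedded as a string so the check runs offline; the section and registry-line rules beyond the first-line check are my own reading of the format used in this thread.

```python
"""Validate and summarise a ComboFix CFScript before running it.

Added example for this thread; not a ComboFix tool.  Checks the first-line
rule (exactly "File::", no blank line above, no leading space) and groups the
entries by section for review.
"""
import re

# Section headers used by the CFScript in this thread.
SECTION_RE = re.compile(r"^(File|Folder|Registry)::$")
# A .reg-style value deletion line:  "name"=-
REG_DELETE_RE = re.compile(r'^"[^"]+"=-$')
# A registry key line:  [HKEY_...\path]
REG_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.+\]$")

# The CFScript posted in this thread, embedded for an offline check.
SAMPLE_CFSCRIPT = (
    "File::\n"
    "C:\\WINDOWS\\SYSTEM32\\zllictbl.dat\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\nuzcruti\\zylshsxw.exe\n"
    "\n"
    "Folder::\n"
    "C:\\Documents and Settings\\All Users\\Application Data\\nuzcruti\n"
    "\n"
    "Registry::\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run]\n"
    '"qMxESeiLXu"=-\n'
    "[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run]\n"
    '"qMxESeiLXu"=-\n'
)


def check_first_line(text):
    """Return a list of problems with the mandatory first line (empty if OK)."""
    problems = []
    lines = text.split("\n")
    first = lines[0].rstrip("\r") if lines else ""
    if first == "":
        problems.append("blank line above File::")
    elif first != first.lstrip():
        problems.append("leading whitespace before File::")
    elif first != "File::":
        problems.append("first line is %r, expected 'File::'" % first)
    return problems


def parse_cfscript(text):
    """Group the script's lines by section.

    File and Folder entries are returned as path strings; Registry entries
    are (key, value_name) pairs for each "name"=- deletion under a key.
    """
    sections = {"File": [], "Folder": [], "Registry": []}
    current = None      # section we are in
    current_key = None  # last registry key seen in the Registry section
    for raw in text.split("\n"):
        line = raw.rstrip("\r")
        if not line.strip():
            continue  # blank lines separate sections and carry nothing
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            current_key = None
            continue
        if current is None:
            raise ValueError("entry before any section header: %r" % line)
        if current == "Registry":
            if REG_KEY_RE.match(line):
                current_key = line[1:-1]
            elif REG_DELETE_RE.match(line) and current_key:
                sections["Registry"].append((current_key, line[1:-3]))
            else:
                raise ValueError("unrecognised registry line: %r" % line)
        else:
            sections[current].append(line)
    return sections


if __name__ == "__main__":
    print("first-line problems:", check_first_line(SAMPLE_CFSCRIPT) or "none")
    for name, entries in parse_cfscript(SAMPLE_CFSCRIPT).items():
        print(name + "::")
        for entry in entries:
            print("   ", entry)
```

Running it on a file saved from Notepad is a matter of passing `open(path).read()` instead of the sample string; a leading blank line or an indented File:: header is reported before ComboFix ever sees the script.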
 
Dear Blind Dragon,
Thank you once again; below are the scan results that are attached.

Let me know if there is more, or is there hope or not?
I have noticed the system is a little faster and there is less popup junk.

The scan files:
I have them numbered for my reference on my desktop, so don't let that confuse you..

Thanks again

rubywinkles
 
First go to Start -> Control Panel -> Add/Remove Programs and uninstall AWS or WeatherBug

You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run HijackThis and select Do A System Scan Only
Put a check mark next to the following entries:
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKLM\..\Policies\Explorer\Run: [qMxESeiLXu] C:\Documents and Settings\All Users\Application Data\nuzcruti\zylshsxw.exe
O4 - HKCU\..\Policies\Explorer\Run: [qMxESeiLXu] C:\Documents and Settings\All Users\Application Data\nuzcruti\zylshsxw.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)


Select Fix Checked

Close HijackThis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following folders:

Folder:
C:\Program Files\AWS <-This folder
C:\Documents and Settings\All Users\Application Data\nuzcruti <-This folder

Restart your computer into normal mode

Run a new scan with HijackThis and attach the log



Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply
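The O4 lines the helper singled out above are the autostart entries of a HijackThis log. As an added example (my own code, not part of HijackThis or of this thread), the Python below parses O4 lines, extracts the hive, registry location, value name and program path, and flags the two traits of the entries fixed above: an autostart under the Policies\Explorer\Run key, which legitimate installers almost never use, and a program launched from a profile's Application Data folder rather than Program Files or Windows. The sample log is the three O4 lines and the O9 line from the thread plus one constructed benign Java updater entry; the two flag rules are my own heuristics, not HijackThis output.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example for this thread; not part of HijackThis.  Flags entries under
Policies\\Explorer\\Run and programs run from an Application Data folder.
"""
import re

# O4 - <hive>\..\<location>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(.+?): \[([^\]]*)\] (.*)$")

# Three O4 lines and the O9 line from this thread, plus one constructed
# benign entry (the quoted jusched.exe line) to show a non-flagged result.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [Weather] C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1
O4 - HKLM\\..\\Policies\\Explorer\\Run: [qMxESeiLXu] C:\\Documents and Settings\\All Users\\Application Data\\nuzcruti\\zylshsxw.exe
O4 - HKCU\\..\\Policies\\Explorer\\Run: [qMxESeiLXu] C:\\Documents and Settings\\All Users\\Application Data\\nuzcruti\\zylshsxw.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
"""


def program_path(command):
    """Return the executable path from an O4 command string.

    A quoted path is taken as-is; an unquoted one is cut after the first
    executable extension that is followed by whitespace or the end of the
    line, so trailing arguments (the "1" after Weather.exe) are dropped.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|bat|cmd|scr|pif))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def parse_o4(log_text):
    """Return one dict per O4 line; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # O9 and other sections are out of scope here
        hive, location, name, command = m.groups()
        entries.append({
            "hive": hive,
            "location": location,
            "name": name,
            "path": program_path(command),
        })
    return entries


def flag_entry(entry):
    """Return the suspicious traits of one parsed O4 entry (empty if none)."""
    flags = []
    # Policy Run keys are a startup location ordinary software does not use.
    if entry["location"].lower().endswith("policies\\explorer\\run"):
        flags.append("policy-run-key")
    # Programs that start from a profile's Application Data folder deserve
    # a look; installed software normally lives under Program Files.
    if "\\application data\\" in entry["path"].lower():
        flags.append("runs-from-application-data")
    return flags


def triage(log_text):
    """Map each flagged autostart, keyed by (hive, value name), to its traits."""
    result = {}
    for entry in parse_o4(log_text):
        flags = flag_entry(entry)
        if flags:
            result[(entry["hive"], entry["name"])] = flags
    return result


if __name__ == "__main__":
    for entry in parse_o4(SAMPLE_LOG):
        print(entry["hive"], entry["location"], entry["name"], entry["path"],
              flag_entry(entry) or "-")
```

On the sample log only the two qMxESeiLXu entries are flagged, each with both traits; the WeatherBug entry, although the helper asked for it to be removed as unwanted software, trips neither rule, which is a reminder that these heuristics narrow the list for a human reviewer rather than replace one.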
 
Abebot c windows/wml.exe and Trojan downloader problem the saga continues..

Hi There Blind Dragon,

OK, I did the procedure as you requested but had a problem finding the files; they were not there?

Your instructions below:
Use Windows Explorer to navigate to and delete the following folder:
This is what you stated below.
Folder:
C:\Program Files\AWS <-This folder
C:\Documents and Settings\All Users\Application Data\nuzcruti <-This folder

Restart your computer into normal mode

So I continued with the rest of the instructions.

I have attached them.

Thank you again,
Things are improving..
But it is just aggravating that there isn't a program to wipe all the bugs out at one time.. and the people who do this kind of evil thing. lol.

Let me know what I should do next.
Or is it time to throw the computer out the window..:) not..

Laters,

Thank you

Rubywinkles
 
Looking much better. You need to empty quarantined files for Norton and for MBAM.

Also I need you to navigate to and delete:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll <-this file

Then empty your recycle bin.
---------------------------------------------------------------------------------------------------------

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista, right-click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished, exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti-virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)
1 program to clean temp files (ATF cleaner or CCleaner)

For Spybot you can download the latest version from HERE.

Keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • Check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure,
Set correct settings for files:
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
Blind dragon

thank you so very much,
I was unable to get the TeaTimer to work; I got an I/O error
and was unable to locate that popcaploader file.

Was there something I missed?
Let me know.. please.
Everything else is working fantastic!
Thank you, Rubywinkles
 
It's ok, your firewall should also notify you when something is trying to access your registry.

Everything looks good from this end, if you have any more issues feel free to post them.


Regards,

BD
 
I created a new thread titled "I also got the Abebot / Trojan Downloader Problem" in the "Security and The Web" forum. I tried to delete this posting but could not.
 