Abebot / TrojanDownloader.XS / Windows.wml.exe

Status
Not open for further replies.

Manjit

Hiya,

I'd really appreciate some help with getting rid of some spyware or whatever nasty thing is infecting my laptop currently; it's making it run very sluggishly.

Looking at the forum, a number of people have had a similar problem with this 'Abebot' threat. I keep getting pop-ups warning me of a TrojanDownloader.XS and a threat from windows.wml.exe and from Abebot; also a small yellow triangle in the taskbar keeps appearing, linking to a site about PC spyware. A pop-up also keeps appearing about critical errors in the registry (called System Integrity Scan).

I'm not computer savvy, but so far I've run scans of my laptop with Norton, Windows Defender, Spybot and Spyware Doctor in normal mode. I've also run scans with Windows Defender, Spybot and Spyware Doctor in safe mode. These have cleared my computer of plenty of spyware that I did not know was there, but this main problem does not seem to be going away. I'd really appreciate any help.

In the post below I'll put the log from HijackThis:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:53, on 06/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\behwdklo\tuvmtujm.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\lelgvufo.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
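A quick way to triage a "Running processes" list like the one above, as an added example that is not part of this thread or of HijackThis: it flags entries that run from a profile's Application Data folder, carry the pseudo-random 8-letter names seen in the log (behwdklo, tuvmtujm, lelgvufo), or have a doubled .exe extension. The heuristics and the short constructed excerpt are this example's own assumptions, so a hit is a prompt to look closer rather than a verdict (Crusty.exe.exe here sits in the HijackThis folder and appears to be the user's renamed copy of the tool).

```python
import re

# Constructed excerpt of the "Running processes" section of the HijackThis
# log posted above (a handful of lines, not the full log).
HJT_PROCESSES = """\
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\Program Files\\Windows Defender\\MsMpEng.exe
C:\\Documents and Settings\\All Users\\Application Data\\behwdklo\\tuvmtujm.exe
C:\\WINDOWS\\system32\\lelgvufo.exe
C:\\Program Files\\iTunes\\iTunesHelper.exe
C:\\Program Files\\Trend Micro\\HijackThis\\Crusty.exe.exe
"""

# The heuristics are this example's own assumptions, not HijackThis rules:
#  - a process started from a profile's Application Data tree (user-writable,
#    not where XP services normally live);
#  - an 8-letter lowercase file or parent-folder name, the randomised pattern
#    visible in the log (behwdklo, tuvmtujm, lelgvufo);
#  - a doubled ".exe.exe" extension.
RANDOM_NAME = re.compile(r"^[a-z]{8}(\.exe)?$")
APPDATA = re.compile(r"\\application data\\", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.exe\.exe$", re.IGNORECASE)

def triage(path: str) -> list[str]:
    """Return the reasons one process path looks suspicious ([] if none)."""
    parts = path.strip().split("\\")
    name, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    reasons = []
    if APPDATA.search(path):
        reasons.append("runs from Application Data")
    if RANDOM_NAME.match(name) or RANDOM_NAME.match(parent):
        reasons.append("pseudo-random 8-letter name")
    if DOUBLE_EXT.search(name):
        reasons.append("double .exe extension")
    return reasons

def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged path in a HijackThis process list to its reasons."""
    flagged = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        reasons = triage(line)
        if reasons:
            flagged[line] = reasons
    return flagged

if __name__ == "__main__":
    for path, why in triage_log(HJT_PROCESSES).items():
        print(f"{path}\n    -> {', '.join(why)}")
```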
 
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach the log to your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix
  • Download this file from either of the two places listed below:

    HERE or HERE
  • Then double-click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Attach that log to your next reply.
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
When Malwarebytes' Anti-Malware is removing the selected files should it take a long time? Because it appears that it has been removing them for an age and appears frozen. Or should I just be patient and wait for the log to appear in Notepad?
 
Yes, try it again; if it freezes again you should just move on to ComboFix. MBAM is a great tool and will remove a good bit of your infection for sure, so it's well worth another shot.
 
OK, I'm having some problems: I've run a second full MBAM scan and it froze up again. It has not produced any logs; I've checked 'C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt'. Is this a problem?

Having said that, since running the two full scans and pressing 'Remove Selected' I've had no more pop-ups.

I've moved on to ComboFix; unfortunately I can't seem to get this running properly. Having saved it to my desktop, each time I open it I get a message saying 'Windows cannot open this file: pv.cfexe', and a blue screen also appears. Not sure if I've done something wrong. Any help would be appreciated.

Thanks
 
Log from MBAM

I've run three scans now for MBAM, and each time when I remove the selected items it freezes up.

I've managed to obtain the log.

I'm still struggling to get ComboFix to work properly. Any help would be appreciated.

Thanks.
 
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

Close all other windows before proceeding.

This means TURN OFF ALL other security programmes:
Norton Anti-virus, AVG Anti-spyware or any other security programmes you're running.

Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please attach the main.txt and extra.txt in your next reply.

Re-enable your security programmes and reconnect to the net.
 
Same problem with Abebot/TrojanDownloader.XS

I am going through the same thing. I did the scans, etc. Have you heard anything? I hope this goes through. I've never gone online like this for anything. Thanks.
 
Sorry it's taken me so long to get back to you, but I've been at work. I've got the day off so I'm gonna try and get the problem sorted today.

I've done the scan with DSS and the logs are attached. Any help will be really appreciated. Thanks.
 
Download OTMoveIt2 by OldTimer.
  • Save it to your desktop

  • Right-click OTMoveIt2.exe and choose Run As Administrator.
  • Copy the lines in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\xfmbnobr
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\pyyrnkdz
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\jkscrhmz
C:\Documents and Settings\All Users\Application Data\behwdklo
C:\Documents and Settings\manjit\Application Data\PC-Cleaner
C:\WINDOWS\system32\efiQBcdd.ini2
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\a.bat
C:\Documents and Settings\manjit\Desktop\virii
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\Rundl1.exe
C:\Documents and Settings\manjit\Desktop\FWebdEditor.exe
C:\Documents and Settings\manjit\Desktop\fwebd.exe
C:\Documents and Settings\manjit\Desktop\filemanagerclient.exe
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\unins000.exe
C:\WINDOWS\unins000.dat
C:\WINDOWS\system32\lelgvufo.exe
C:\WINDOWS\system32\zslmbahy.exe
C:\WINDOWS\system32\hqribozu.exe

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
    IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you.
  • Right-click and choose Paste.
  • Click the red Moveit! button.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

***Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.

Reboot the computer.
 
Here's what came up under the green results bar, not totally sure if I did it right:

LoadLibrary failed for C:\WINDOWS\system32vcatchpi.dll
C:\WINDOWS\system32vcatchpi.dll NOT unregistered.
File move failed. C:\WINDOWS\system32vcatchpi.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32newsd32.exe scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32emesx.dll
C:\WINDOWS\system32emesx.dll NOT unregistered.
File move failed. C:\WINDOWS\system32emesx.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32anticipator.dll
C:\WINDOWS\system32anticipator.dll NOT unregistered.
File move failed. C:\WINDOWS\system32anticipator.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32akttzn.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32WINWGPX.EXE scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32winsystem.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32sysreq.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32mssecu.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32bdn.com scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32awtoolb.dll
C:\WINDOWS\system32awtoolb.dll NOT unregistered.
File move failed. C:\WINDOWS\system32awtoolb.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINDOWS\system32vbsys2.dll
C:\WINDOWS\system32vbsys2.dll NOT unregistered.
File move failed. C:\WINDOWS\system32vbsys2.dll scheduled to be moved on reboot.
File move failed. C:\WINDOWS\unins000.exe scheduled to be moved on reboot.
File move failed. C:\WINDOWS\unins000.dat scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\lelgvufo.exe not found.
File/Folder C:\WINDOWS\system32\zslmbahy.exe not found.
File/Folder C:\WINDOWS\system32\hqribozu.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04122008_205609
 
Please run Deckard's System Scanner again and attach main.txt here.

Afterwards, run Kaspersky Online AV Scanner.

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.
 
Deckard scan

Sorry it's taken a while to get back to you; I'm sure you know how work can be.

I've run the Deckard system scan and attached the main.txt file. I'm currently downloading Kaspersky as instructed and will attach that file as soon as the scan is completed.
 
Kaspersky Report

Here is the file that was produced from the scan you instructed me to do with Kaspersky Online AV Scanner.
 
Same exact problem but add XP Antivirus

I have all the same problems and my desktop screen changes to a blue colour. It seems that I may have rid my computer of most of the problem but it's still crap. Here is the MBAM logfile.

Now I will begin the
 