Abebot

Status
Not open for further replies.
T

toolegion

I seem to have a problem I cant figure out how to get rid of. I copied from another post but I have the same problem.

1)
" Security System Protection Control Panel " TrojanDownloader.XS.

It is a White and Blue window that says 'Security system Waring"

2)
A red box mentioning something to the extent of:

Alert Details
File: C:\WINDOWS\wml.exe

Threat:Abebot

3)

System Integrity Scan Wizard
Warning: Your computer may have critical errors in Windows registry and file system!

and 4)

Yellow Triangle with exclamation mark in the bottom right corner where the clock is located. Its constantly prompting me there is spyware infecting my system and is directing me to a website to download some spyware remover.
 
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach the C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please Download VirtumundoBeGone by secured2k
  • Save the file to your desktop
  • Close all running programs (including your Internet Browser)
  • Double-click VirtumundoBeGone.exe on the desktop
  • Read the introductory information, and then click Continue
  • Click Start
  • When asked if you want to continue, click Yes to run the fix
  • Click "Save Log"

Note: It is normal for the the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.

The log created by VirtumundoBeGone called VBG.TXT will be on located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and attach the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please attach that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Yous also need to rerun the Malwarebytes scan again and make sure that it removes what it finds.
 
Launch Hijackthis -> System Scan only -> check the following -> close all windows even this one

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {4A9181AD-4C10-4683-BB41-D9251B8A2620} - (no file)
O3 - Toolbar: (no name) - {C575CD79-3701-4816-B08F-CD3B61F84E19} - (no file)
O21 - SSODL: AvpCD - {f6c57798-79dc-411c-86aa-71829f59a9a0} - C:\WINDOWS\Installer\{f6c57798-79dc-411c-86aa-71829f59a9a0}\AvpCD.dll (file missing)
O21 - SSODL: RamSrv - {6abf1907-0bbc-4af9-a88a-76ae8a816860} - C:\WINDOWS\Installer\{6abf1907-0bbc-4af9-a88a-76ae8a816860}\RamSrv.dll (file missing)
O21 - SSODL: MonRunOnce - {5bfe7b3b-80d1-4092-8525-d50d33b827dc} - C:\WINDOWS\Installer\{5bfe7b3b-80d1-4092-8525-d50d33b827dc}\MonRunOnce.dll (file missing)
O21 - SSODL: SysChk - {649ae542-7986-4b1f-9b55-8ccb2943b945} - C:\WINDOWS\Installer\{649ae542-7986-4b1f-9b55-8ccb2943b945}\SysChk.dll (file missing)
O21 - SSODL: AlrtRam - {1b77f4c5-2b02-4733-9ecd-592e0dba8dab} - C:\WINDOWS\Installer\{1b77f4c5-2b02-4733-9ecd-592e0dba8dab}\AlrtRam.dll (file missing)
O21 - SSODL: CheckBoot - {01fd30b2-525d-4828-8f11-7c55af38ad2a} - C:\WINDOWS\Installer\{01fd30b2-525d-4828-8f11-7c55af38ad2a}\CheckBoot.dll (file missing)

Select Fix checked


There is still an infected entry in the Hijackthis log that I didn't list above
Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\bqpgrmry.exe

Folder::
C:\Documents and Settings\All Users\Application Data\rofitkxy

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tkfwpvbf"=-
Click to expand...

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
----------------------------------------------------------------------------------------------------

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components :
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.



    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
-----------------------------------------------------------------------------------------------

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
------------------------------------------------------------------------------------------------

Run the other Hijackthis log to attach back with Combofix's report

--------------------------------------------------------------------------------------------------'

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Ok, logs are looking good. How is your computer running?

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O21 - SSODL: AvpCD - {f6c57798-79dc-411c-86aa-71829f59a9a0} - (no file)
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


I didn't notice an active firewall, if you have one just let me know what it is as I may have overlooked it. If not then please...
You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm



Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

keep them updated.

You can also turn on tea timer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger everytime you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
Status
Not open for further replies.

Similar threads

J
  • Locked
PC Anti-spyware Popup
Replies
11
Views
5K
rrovai
R
D
Solved Requesting redirect & popup virus help
Replies
15
Views
4K
Broni
Broni
R
  • Locked
Abebot Problem
2
Replies
33
Views
4K
Blind Dragon
Blind Dragon

Latest posts

Back