Another Abebot, Trojan Downloader query


theafterglow

Hi

I too am really struggling with Adebot and TrojanDownloader.XS.

Have tried many fixes listed in the 'Preliminary section' including Spybot, Adaware, AVG Antispy etc. although they were still alive and kicking.

I've run Malwarebytes Anti-Malware and have attached the log below.

I've also run Combofix too, however it didn't work so well so I went for the dss alternative and attached 'extra' and 'main'.

Finally I've also done an HJT log (although the .exe is renamed 'Crusty' as advised!) and attached that too.

I'm really grateful for any help as this is really getting me down!

Cheers

TAG
 
Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install Go to Start -> Control Panel -> Add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder



You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:

Vista Compatible
Comodo
Zonealarm




You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O4 - HKCU\..\Run: [naHT7HC5Pp] C:\ProgramData\wpopufsh\qrepwnch.exe
O4 - HKCU\..\Run: [trhdvmps] C:\ProgramData\trhdvmps\yjwrsjwd.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)


Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following files:

Files:
C:\Users\Phil\DesktopFWebdEditor.exe <- This file only
C:\Users\Phil\Desktopfwebd.exe <- This file only
C:\Users\Phil\Desktopfilemanagerclient.exe <- This file only

Any other file in the Phil folder that starts with Desktopf
Also look in there for files that look out of place; I have seen a lot that say system32XXXXXX <- Let me know if anything looks off.

Folders:
C:\Users\All Users\wpopufsh <- This folder only
C:\Users\All Users\kibkqlbw <- This folder only
C:\Users\All Users\trhdvmps <- This folder only

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log




Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
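The O4 and O9 lines Blind Dragon asked to have fixed above share two tell-tale traits: Run entries that launch an executable from a data directory such as C:\ProgramData with random-looking folder and file names, and browser buttons whose file is missing. The following Python script is an added example, not part of this thread and not a HijackThis feature; it applies those same checks to HijackThis-style log lines so a reader can see why those entries stand out. The sample log is constructed from the entries quoted in the thread plus one benign comparison line, and the "random name" heuristic (few vowels, or digits mixed with both letter cases) and its thresholds are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample HijackThis-style lines modelled on the thread's entries.
# The first line is a benign comparison entry (a Windows Defender tray program).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [naHT7HC5Pp] C:\ProgramData\wpopufsh\qrepwnch.exe
O4 - HKCU\..\Run: [trhdvmps] C:\ProgramData\trhdvmps\yjwrsjwd.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
"""

# O4 = registry Run entry; O9 = Internet Explorer extra button/tool menu item.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - Extra button: (?P<title>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
# First executable in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

VOWELS = set("aeiou")
# Directories that legitimate auto-start programs rarely run from (assumed list).
USER_DATA_DIRS = ("\\programdata\\", "\\all users\\", "\\appdata\\", "\\temp\\")


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names such as 'wpopufsh' or 'naHT7HC5Pp':
    8+ letters with a vowel share of 25% or less, or digits mixed with both
    upper- and lower-case letters. Thresholds are assumptions of this example."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    mixed = (any(c.isdigit() for c in token)
             and any(c.isupper() for c in token)
             and any(c.islower() for c in token))
    return vowel_ratio <= 0.25 or mixed


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious O4/O9 line, listing the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            path = exe.group("path") if exe else m.group("cmd")
            components = path.replace("/", "\\").split("\\")
            # Auto-start executables living under a data directory are unusual.
            if any(d in path.lower() for d in USER_DATA_DIRS):
                reasons.append("runs from a user/data directory: " + path)
            # Random-looking Run value name or path component (folder/file name).
            if looks_random(m.group("name")):
                reasons.append("random-looking Run value name: " + m.group("name"))
            if any(looks_random(part) for part in components[1:]):
                reasons.append("random-looking folder or file name in path")
        else:
            m = O9_RE.match(line)
            if m and "(file missing)" in m.group("target"):
                reasons.append("browser button whose file is missing (dead entry)")
        if reasons:
            findings.append({"line": line, "type": line[:2], "reasons": reasons})
    return findings


def lines_to_fix(text: str) -> List[str]:
    """The exact log lines a helper would ask to be ticked in 'Fix checked'."""
    return [str(f["line"]) for f in analyze_log(text)]


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    -", reason)
```

Running the script prints the two ProgramData Run entries and the dead Sky button with their reasons, while the Windows Defender comparison line is not reported. Heuristics like these only point a helper at entries worth a closer look; the decision to remove an entry still rests on checking where the file lives and whether it belongs to installed software, as the thread does.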
 
Hi BD

Thanks a lot for taking the time to help - much appreciated.

Anyway - performed all of what you suggested and attached the HJT log.

A few points though - had trouble accessing 'view' in safe mode (no tab!), although I think hidden files were viewable anyway (looked it up in help and support). Also I couldn't delete the following:

C:\Users\All Users\wpopufsh <- This folder only
C:\Users\All Users\kibkqlbw <- This folder only
C:\Users\All Users\trhdvmps <- This folder only

As there was no 'All users' folder under 'Users'. Only 'Public' and 'Default', and the folders you mentioned were present under neither.

Also I couldn't see any of the 'system32***' files you mentioned - I'm a bit of a luddite so you may have to tell me exactly where you noticed them!

I ran the Kaspersky scan, and there were no infected objects. However there didn't appear to be an option to save the results. I tried to install the GUI through ActiveX, although it reset the process!

Anyway - have a gander at the HJT log and let me know what to do next. If I need to do the Kaspersky scan again I will, however it's way after midnight over here so it may have to wait until I've slept!

Thanks again mate - really appreciate the help.

TAG
 
The registry entries are gone but the files are obviously not removed.

Go to Start -> Computer
  • Tools -> Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Search for the files listed and remove them
 
safe mode, that way the files aren't running. They shouldn't be since we removed the startup entries from the registry, but better to do it right and be sure. Let me know if you have any issues.
 
No problems - thanks very much for all your help!

Pop-ups have vanished - think I'm clear.

What sort of frequency do you recommend I run/operate all this new software I've downloaded? Should I leave the machine on and schedule it?

Cheers
TAG
 
Just to be sure we got everything, I would like to have 1 more look over a fresh Hijackthis log. Then I will make recommendations on the software that you should/shouldn't keep as well as re-hide files and clear restore points.
 
Blind Dragon said:
Just to be sure we got everything, I would like to have 1 more look over a fresh Hijackthis log. Then I will make recommendations on the software that you should/shouldn't keep as well as re-hide files and clear restore points.

Ok chief - HJT attached as requested. If I could find a piece of software that can harmonise the many I've downloaded that would be great. You'll have to let me know how to stay on top of threats like the one I've recently experienced.

Thanks again mate

TAG
 
One thing that is often overlooked is Microsoft updates; make sure to double check for updates regularly even if you have automatic updates enabled.

We are going to remove a lot of the programs right now that we downloaded, as they are not suggested for use without supervision. Hijackthis can be removed through add/remove programs:

I recommend you keep:
1) Zone Alarm as firewall
2) Your current Anti-virus (AVG or AVAST free editions)
3) MBAM
4) Spybot
5) ATF cleaner

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

The above procedure will:
* Delete ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------

For Spybot you can download the latest version from HERE.

Keep them updated.

You can also turn on tea timer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 