Have spyware infection Abebot on my PC!

Status
Not open for further replies.

Esuper

Hi all the Guru here,

My PC has been infected with the same problem as others. I have attached the Hijack.log file.
This is my first time doing this; I hope I have given enough info here. And I really hope to receive some sort of help/advice that can help eliminate this problem.

................................................................................

Warning!!!
File: C:\WINDOWS\wml.exe

Threat:Abebot

Click here to visit PC-Antispyware web site..

There is also another similar one;

System Integrity Scan Wizard
Warning: Your computer may have critical errors in Windows registry and file system!
................................................................................

Thanks
 
Hi Esuper,

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

This thread is for the use of Esuper only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Blind Dragon.

There is no Y in SDFix?? What should I choose from here?

1. Download/Run a-squared
2. Download/Run Norman Malware Cleaner
3. Download/Run SAV32CLI

A. Create System Report
B. Create Service/Drive List
C. Create Catchme Log
D. Export SafeBoot Key

U. Download Latest version of SDFix
E. EXIT

Thanks
 
Boot into Safe mode, use your regular account (not admin)

Type 2 to begin the cleanup process.

With MBAM, everything says NO ACTION TAKEN. Be sure that everything is checked, and click Remove Selected.
 
Thanks,

Certain items could not be removed! The first few are listed below. All items that could not be removed have been added to the delete on reboot list, and it asks me to restart?

here is the file:
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d}
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c}
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338}

Continue restart?
 
Run SDFix from Safemode again this time selecting option 3

Then when it's done, and you have restarted run yet another scan with Hijackthis from normal mode and attach both logs here
 
I have to run SDFix from Safe Mode with option 3 again; I cannot find where the log file is located.
 
It's in the SDFix folder as Report.txt.

I don't think it will remove all of it though so in addition

Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
 
Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
Have been stopped by Spywaredoctor. And now the window prompt says:
Windows cannot open this file:
To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically, or you can manually select from a list of programs on your computer.

What to do?
Use the web service to find the appropriate program OR select the program from a list?
 
Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit.

Try again. If it still doesn't work:

Go to Start -> Run -> type combofix /u

Reattempt the above instructions after it is uninstalled.
 
CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
I:\Documents and Settings\All Users\Application Data\ezclqdql\gxwzsbil.exe

Folder::
I:\Documents and Settings\All Users\Application Data\ezclqdql

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"rgWFEtNPPQ"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Depending on whether HijackThis was run before or after the CFScript, that line is still there; it's getting quite resilient.
 
Boot into Safe Mode -you may want to save this in a notepad file on your desktop so you can have it while in safe mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O4 - HKLM\..\Policies\Explorer\Run: [rgWFEtNPPQ] I:\Documents and Settings\All Users\Application Data\ezclqdql\gxwzsbil.exe

Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following folder:

Files:
I:\Documents and Settings\All Users\Application Data\ezclqdql <-This folder only

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log
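An added example (not code from the thread or from the ComboFix/HijackThis projects) that ties the CFScript post above to the HijackThis O4 entry in this one: it parses that O4 line into the full registry key, value name and dropper path, writes out the File::/Folder::/Registry:: CFScript the helper hand-wrote, and checks the formatting rule the helper stresses (File:: on the very first line, unindented). The function names and the validation checks are this example's own; the O4 line is the one quoted in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the O4 autostart entry quoted in the thread (HijackThis log format).
SAMPLE_O4 = (r"O4 - HKLM\..\Policies\Explorer\Run: [rgWFEtNPPQ] "
             r"I:\Documents and Settings\All Users\Application Data\ezclqdql\gxwzsbil.exe")

# HijackThis abbreviates the hive and writes '..' for Software\Microsoft\Windows\CurrentVersion.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<path>.+)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def parse_o4(line):
    """Split an O4 line into the full registry key, the value name and the target executable."""
    m = O4_RE.match(line.strip())
    if not m:
        raise ValueError("not a recognised O4 registry entry: " + line)
    key = "\\".join([HIVES[m.group("hive")], r"Software\Microsoft\Windows\CurrentVersion", m.group("key")])
    return {"key": key, "name": m.group("name"), "path": m.group("path")}


def build_cfscript(entry, remove_folder=True):
    """Emit CFScript text: File:: (the dropper), Folder:: (its directory), Registry:: ('=-' deletes the value)."""
    lines = ["File::", entry["path"], ""]
    if remove_folder:
        lines += ["Folder::", str(PureWindowsPath(entry["path"]).parent), ""]
    lines += ["Registry::", "[" + entry["key"] + "]", '"' + entry["name"] + '"=-', ""]
    return "\r\n".join(lines)  # CRLF, as Notepad on Windows would save it


def validate_cfscript(text):
    """Return the formatting problems found; an empty list means the script is well formed."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0] != "File::":
        problems.append("first line must be exactly 'File::' (no blank line above, no leading space)")
    section = None
    for n, line in enumerate(lines, 1):
        if line.rstrip().endswith("::"):
            section = line.strip()
            if line != section:
                problems.append("line %d: section header '%s' must not be indented" % (n, section))
        elif section == "Registry::" and line.endswith("=-") and not line.startswith('"'):
            problems.append("line %d: value names under Registry:: must be quoted" % n)
    return problems


if __name__ == "__main__":
    script = build_cfscript(parse_o4(SAMPLE_O4))
    print(script)
    print("problems:", validate_cfscript(script))
```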
 