Abebot; trojandownloader.xs; missing nsmss.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Anautikus, Apr 7, 2008.

  1. Anautikus

    Anautikus Private E-2

    I get pop-ups saying I have Spyware, Abebots, and a trojandownloader.xs

    Also, on startup I get the msg saying I'm missing C:\system32\nsmss.exe

    The logs should be attached
     

    Attached Files:

  2. Anautikus

    Anautikus Private E-2

    ComboFix log here
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi Anautikus!
    Welcome to Major Geeks!


    Your computer is quite a mess! Please use it as little as possible (except for the following instruction) and avoid any unnecessary reboots until someone can post a set of instructions to you.

    I don't know if you skipped running CCleaner, but you need to run it. If it didn't work the first time, please try it again. Run it in the default setting with the Windows tab as the one on top.

    Let me know if this works.

    Thanks.
    abri
     
  4. abri

    abri MajorGeek

    Hi Anautikus,

    Here's a thread at Safer Networking which bears some similarity to your own. They recommend reformatting. I will help you try to fix yours, but it might be useful to read what they have to say: http://forums.spybot.info/archive/index.php/t-21373.html

    And now I will post you two sets of instructions, which I hope will make the work easier for both of us. In between I will ask you to rerun your logs, so I can get a fresh copy of hijackthis to work with. Then I will see if there are still entries in HJT that need to be removed and give you instructions for that. Please proceed as follows:

    1) I need to know what's in the following three folders. You can open them, but don't open any files they might contain.

    C:\Documents and Settings\Master Anant\Local Settings\Application Data\Downloaded Installations
    C:\Program Files\Common Files\Download Manager
    C:\Documents and Settings\All Users\Application Data\enibuhat


    2) Please disable your guest account if this has not already been done.

    3) Next go to add/remove programs and uninstall the following:

    J2SE Runtime Environment 5.0

    4) If you have not run CCleaner yet, as I asked you in the last post, please run it now.

    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry. Let me know if you get a success message after you run this REGEDIT4 patch.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    8) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log. Also, let me know if you got a success message with the registry patch.


    10) Let me know how things are running now. As soon as I have your new logs, I will post a second set of instructions to you.

    abri
     
  5. Anautikus

    Anautikus Private E-2

    Yes there was a success message for the registry patch. Also, I ran CCleaner.

    I have also attached the new MGlog and the Avenger log.

    Also, in those folders you asked about:

    C:\Documents and Settings\Master Anant\Local Settings\Application Data\Downloaded Installations - has file called Raptor, but the file is not named normally

    C:\Program Files\Common Files\Download Manager - has MBAM

    C:\Documents and Settings\All Users\Application Data\enibuhat - has nothing in it; possibly hidden files? I couldn't find any
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi Anautikus,

    Your computer's looking a lot better. I think both of those folders I had you look at are okay.

    Please continue as follows:


    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    2) Install the current version of Sun Java from: Sun Java Runtime Environment


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
    O23 - Service: Print Spooler Service (oeldy1bfyefa2) - Unknown owner - C:\WINDOWS\system32\mck.exe (file missing)


    Do the following belong to programs you know or want to keep? If not, please fix them as well.


    O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe

    After you click fix, just close hijackthis.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Let me know how things are running now.

    abri
     
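The two O23 lines abri marks for removal share a pattern worth recognising in any HijackThis log: a service entry whose binary is flagged "(file missing)", and in the nsmss case a path (C:\system32) that is not the real Windows system directory (C:\WINDOWS\system32). The script below is an added example, not part of the thread or of HijackThis itself; it parses O4 and O23 lines in the format shown above and flags entries that are orphaned or sit outside the usual install roots. The sample log text is constructed from the lines quoted in this post, and the list of expected directory roots is an assumption for an XP-era machine.

```python
"""Triage HijackThis-style O4/O23 log lines for orphaned or oddly placed entries."""
import re

# Constructed sample in the HijackThis log format used in the thread above.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Windows Network Service Monitor (nsmss) - Unknown owner - C:\system32\nsmss.exe (file missing)
O23 - Service: Print Spooler Service (oeldy1bfyefa2) - Unknown owner - C:\WINDOWS\system32\mck.exe (file missing)
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
"""

# Assumed directory roots where legitimately installed services and startup
# programs normally live on a Windows XP machine. The real system directory is
# C:\WINDOWS\system32; a bare C:\system32 is not a standard Windows location.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<command>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
FILE_MISSING = " (file missing)"


def _exe_from_command(command):
    """Return the executable path from an O4 command line (quoted or bare)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_hjt_line(line):
    """Parse one O4 or O23 line into a dict; return None for other line types."""
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", "name": m.group("name"),
                "path": _exe_from_command(m.group("command")), "file_missing": False}
    m = O23_RE.match(line)
    if m:
        rest = m.group("rest")
        file_missing = rest.endswith(FILE_MISSING)
        if file_missing:
            rest = rest[: -len(FILE_MISSING)]
        # O23 layout: "<display name> - <owner> - <path>"
        parts = rest.split(" - ", 2)
        if len(parts) != 3:
            return None
        display, _owner, path = parts
        # HijackThis puts the short service name in parentheses after the display name.
        short = re.search(r"\((\w+)\)$", display)
        return {"kind": "O23", "name": short.group(1) if short else display,
                "path": path, "file_missing": file_missing}
    return None


def assess(entry):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    if entry["file_missing"]:
        # A Run value or service pointing at a binary that no longer exists is
        # usually a remnant of removed malware; it still produces startup errors
        # such as the missing nsmss.exe message in this thread.
        reasons.append("file missing")
    if not entry["path"].lower().startswith(EXPECTED_ROOTS):
        reasons.append("unexpected location")
    return reasons


def triage(log_text):
    """Map each flagged O4/O23 entry name to its list of findings."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_hjt_line(line.strip())
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_HJT_LINES).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, only the two services abri told the poster to fix are flagged: nsmss for both a missing file and the non-standard C:\system32 path, and oeldy1bfyefa2 for the missing file; the Real, QuickTime and OpenCASE entries pass both checks, which matches abri treating the OpenCASE line as a "keep it if you know it" question rather than a removal.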
  7. Anautikus

    Anautikus Private E-2

    My comp is running quite well now, thanks! However, there's still a lag; is it just because there are so many files on my comp?

    Also, my comp's startup is still slow. Is that attributed to too many files also? Thanks again so much!
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi Anautikus,
    I haven't had a chance yet to go through your logs to make sure they're clean, but three comments. First of all, we just removed a lot of malware, so your computer will be making some adjustments. Additionally, there are still a lot of tools and logs left over from the cleaning process which I will have you remove. And thirdly, you have a lot of programs running at startup. While you can use msconfig for diagnostic purposes and to see which programs you can run your computer without at startup, for the long run, you need to always have your computer set in normal startup mode. The reason for this is because if you have your computer in diagnostic mode when you uninstall programs, it leaves remnants in the startup menu. So, this means you need another means of removing things which don't need to run at startup but which you do still want to keep. Below the following list of programs, I am putting instructions for managing your startup items. I'll post the final cleanup instructions after a while.
    How to deal with startup processes.
    • First you should uninstall any software that you do not use.
    • Second, if you have processes still trying to load at startup even though you have uninstalled them, you can simply use HijackThis to easily remove the startup. That way you will not have to manually edit the registry.
    • Third, for software you do not want to uninstall but you don't want it to load at startup, look in the program for an option not to load when Windows starts and disable it this way. If you cannot find an option like that, you have two possible actions:
      • if you never want it to load at startup, use HJT to permanently remove the startup.
      • if you sometimes want it to load at startup, use a program like Startup CPL to enable or disable as you see fit.
    abri
     
