Security System Warning -Popup

Discussion in 'Malware Help (A Specialist Will Reply)' started by patyfatycake, Apr 18, 2008.

  1. patyfatycake

    patyfatycake Private E-2

    Well sometimes this random popup appears saying

    "Alert details"
    File:
    C:\WINDOWS\wml.exe
    Threat
    Abebot
    Possible Spyware infection has been detected on your computer by "Security System"

    To remove detected threat you need to update your PC-Antispyware protection.
    Click here to visit PC-Antispyware web site

    Update PC-Antispyware protection and remove detected threats.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi patyfatycake,
    Welcome to Major Geeks!


    I was sort of waiting for your MGlogs.zip file to show up. Please attach it to your next post. When you press the Manage Attachments button here, you can browse into your computer to the files located directly under C:\ and the above logs are just above the superman icon.

    Thanks.
    abri
     
  3. patyfatycake

    patyfatycake Private E-2

    here you go
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi patyfatycake,

    MGlogs.zip is not located in the MGTools folder where you found GetUnKeys.txt. It is located directly under C:\ as a file (not a folder). Please click on the Post Reply button here and go down till you see the Manage Attachments button and click on that. Click on the browse button and go to C:\ in your Windows Explorer. Click on C on the left (not on the + sign). On the right you'll see all the contents of C. Scroll down until you see the superman icon. Just above the superman icon, you'll see a file called MGlogs.zip. Please upload this file, close the window and be sure to write something in your message body before clicking on the submit button.

    Thanks.
    abri
     
  5. patyfatycake

    patyfatycake Private E-2

    I got this from the zip file, but I'll upload the zip.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi patyfatycake,

    I'm not sure the scan ran to completion. Please go to the MGTools folder under C and open it. Look for the file called GetLogs.bat. Double-click on this file and allow it to run until you see the line that says "Click on any key to ..."
    Once you get that line, it means the scan has completed. After that, go back to the position I described which is directly under C and just above the superman icon, and look inside the zip file again. See if at least 4 and hopefully 5 logs are in there. Then come back here and attach the MGlogs.zip again. If it still only contains one log, please describe any error messages that may be appearing inside the black window where the scan is running.

    Thanks.
    abri
     
  7. patyfatycake

    patyfatycake Private E-2

    this should be it
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi patyfatycake,

    Please do the following:


    1) What is in the following folder? (You can look in the folder, but do not open any files if you don't know what they are.)

    C:\WINDOWS\system32\GroupPolicy



    2) Go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 3
    Java(TM) 6 Update 5


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Continue by downloading a tool we will need

    - Process Explorer


    Extract it to its own folder somewhere that you will be able to locate it later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winrkp32.dll once and then click the kill button. After you have killed all of the winrkp32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of winrkp32.dll and kill it. (If you do not find the dll, just continue on.)

    When you finish just exit Process Explorer.

    7) Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)

    After you click fix, just close hijackthis.

    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    9) Now run CCleaner at the default setting with the Windows tab as the top one.

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
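The two manual checks in the post above (does the O20 Winlogon Notify entry still point at a DLL, and is that DLL still loaded in winlogon.exe or explorer.exe) can be scripted. The block below is an added example, not code from the thread or from MajorGeeks, and it is read-only: it lists Winlogon Notify packages, flags any whose DLL is missing or sits outside System32, and reports whether a flagged DLL is currently loaded. It assumes an elevated PowerShell on the XP-era machine being cleaned (Notify packages exist only on Windows XP/2003; Vista and later removed them), and uses `New-Object PSObject` so it runs on PowerShell 2.0. `winrkp32.dll` is the name from this thread; everything else is standard Windows.

```powershell
# Added example (not from the thread). Read-only triage of Winlogon Notify
# packages, the location HijackThis reports as "O20". Run elevated.
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$System32  = Join-Path $env:SystemRoot 'System32'

function Get-WinlogonNotifyEntries {
    if (-not (Test-Path -LiteralPath $NotifyKey)) { return @() }
    foreach ($sub in Get-ChildItem -LiteralPath $NotifyKey) {
        $dllName  = [string](Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
        $resolved = ''
        if ($dllName) {
            # A bare file name is loaded through the system search path; a full
            # path (possibly containing %SystemRoot%) is used as given.
            $expanded = [Environment]::ExpandEnvironmentVariables($dllName)
            $resolved = if ([IO.Path]::IsPathRooted($expanded)) { $expanded } else { Join-Path $System32 $expanded }
        }
        $exists = ($resolved -ne '') -and (Test-Path -LiteralPath $resolved)
        $inSys32 = $resolved -like "$System32\*"
        # "(file missing)" is exactly what HijackThis printed for winrkp32:
        # a Notify package whose DLL is gone, or that lives outside System32, is suspect.
        New-Object PSObject -Property @{
            Package    = $sub.PSChildName
            DllName    = $dllName
            Resolved   = $resolved
            Exists     = $exists
            InSystem32 = $inSys32
            Suspect    = (-not $exists) -or (-not $inSys32)
        }
    }
}

function Find-LoadedModule {
    # Same check abri does with Process Explorer: is the DLL loaded in winlogon/explorer?
    param([string]$ModuleName, [string[]]$ProcessNames = @('winlogon', 'explorer'))
    foreach ($p in Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue) {
        try {
            # Reading Modules needs admin rights for winlogon.exe and the same bitness as the target.
            $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch {
            Write-Warning ("Cannot read modules of {0} (PID {1}): {2}" -f $p.ProcessName, $p.Id, $_.Exception.Message)
            continue
        }
        if ($hit) {
            New-Object PSObject -Property @{ Process = $p.ProcessName; PID = $p.Id; Path = $hit.FileName }
        }
    }
}

$entries = @(Get-WinlogonNotifyEntries)
$entries | Format-Table Package, DllName, Exists, InSystem32, Suspect -AutoSize

foreach ($e in ($entries | Where-Object { $_.Suspect })) {
    Write-Warning ("Notify package '{0}' points at '{1}' (exists={2})" -f $e.Package, $e.DllName, $e.Exists)
    if ($e.DllName) {
        Find-LoadedModule -ModuleName (Split-Path -Leaf $e.DllName) | Format-Table Process, PID, Path -AutoSize
    }
}
```

On a clean XP install the packages listed (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon) all resolve to files under System32, so anything flagged deserves a look before removing it; a Notify DLL that is still loaded in winlogon.exe is why the post has you kill its threads before deleting the registry entry and the file.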
  9. patyfatycake

    patyfatycake Private E-2

    It seems to be fine now, thanks for your help. I attached the log, and for 1), it contains 3 folders (Adm, Machine and User) with a file called gpt.ini.

    Adm has 5 .adm files and admfiles.ini
    Machine has nothing in it
    User has a registry.pol

    Anyway thanks for your help :)
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi patyfatycake,

    It looks like the key is gone. Can you post the log for Avenger so I can check the a.bat file as well? It should be at C:\Avenger.txt.

    Thanks.
    abri
     
  11. patyfatycake

    patyfatycake Private E-2

    here ya go
     

    Attached Files:

  12. abri

    abri MajorGeek

    hey! That looks good!
    Think we got it.

    If you aren't having any further malware symptoms, please run the final cleanup instructions in the box:
    abri
     
