Computer Support Forum

AWOLA VIRUS - HJT log file included

Question: AWOLA VIRUS - HJT log file included

This morning I had a little yellow triangle with a black exclamation mark appear in my toolbar. Upon doing some investigation and updating Spybot S&D and running it in the safe mode as well as searching files and deleting them from my program files, control panel and other locations, after re-booting, the yellow triangle continues to reappear as well as I can hear my pop-up blocker blocking tons of attempts. I need help getting rid of this cursed thing. I have included my HJT log which I just ran about 5 minutes ago. Thanks in advance for help. I look forward to hearing from anyone who can assist.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:01 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\jdhfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O1 - Hosts: 207.210.117.53 www.winmx.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\ATT Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - (no file)
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\ATT Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Owner\Application Data\jdhfg.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122546253875
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143504332296
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://fastaccess.drivers.bellsouth.net/software/DSLspeedtool/bls_speedop.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/StandardInstall/static/controls/WebflowActiveXInstaller_4-2-0.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\System32\lxcgcoms.exe

--
End of file - 8222 bytes

Relevance 100%
Answer: AWOLA VIRUS - HJT log file included

Hello biddle1,

Infection is showing here, so assuming you have not made too many changes since posting this log let's work from what shows here for now.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download ComboFix.exe from here to your desktop

Then disconnect from net access. Once you have done that, click the downloaded ComboFix.exe file to run the repair.
When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.

ComboFix will also change the drive autoplay settings there as its own added security measure. When we have completed all repairs here we will return the default Windows settings.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop, however given the infection there ComboFix will likely cause a reboot in order to complete its repairs.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Re-enable net access, and post back the C:\ComboFix.txt log as well as a new HijackThis log please.

3 more replies
Relevance 59.45%
Question: Awola virus

How do I get rid of the awola virus?

Answer:Awola virus

Hi and welcome to TSF.

Please start here and follow the instructions.

http://www.techsupportforum.com/secu...sting-log.html

If you cannot complete any of the Steps, simply move on to the next one - remember to let the Analyst know about this when you post your logs.

Do not post your logs back in this thread - follow the guidance in the above link!

Please note that the Security Forum is always busy, so I would ask for your patience while waiting for a reply.

1 more replies
Relevance 59.45%
Question: awola virus

I am running windows xp and believe I caught the awola virus probably bundled with a lot of other things.
Ok, all I really want to do is copy my files to my external hard drive so I can reformat my computer. But, the virus has taken away my administrator status. It has disabled copying files to my external hard drive or dragging and dropping files. I cannot install Norton antivirus. The error message is "Setup was unable to update the MSI system component. If this problem continues please contact Microsoft at www.microsoft.com". I try to open my network connections, and they won't open.

Is my best bet just paying for the phishing scheme and going along with awola? Will it give me back these capabilities after I have paid, so I can reformat my computer?

Please help. I am desperate.

Answer:awola virus

Oh, I am also considering buying XoftSpySE. I downloaded the program off the internet, and it did locate many corrupt files. However, I am worried if I purchase it, I will not be able to install it fully and use it as I wasn't able to install Norton Antivirus from disk. Is this a legitimate fear, or did this program already install, and when I purchase the license key, it will simply remove the corrupt files?

I hope I explained this well. Please reply.

19 more replies
Relevance 59.04%

I have a similar issue to others but I don't see a common fix - HELP!

I've run all the programs you recommended. Here are the logs.

This virus puts a yellow bang in my tray and states I've been infected. After closing the message a few times it launches Awola.

I believe it hit me 2 weeks ago.
 

Answer:Awola virus has infected my pc

More files attached.
 

10 more replies
Relevance 59.04%

After reviewing the forums I have found that I have a common issue as others do. I have the same Windows balloon pop-up and when clicked it will install the fake AWOLA anti-spyware. I have already followed the steps required to generate logs and I am posting them now. Could someone please provide me with any additional help to remove this malware from my system and thank you in advance.
 

Answer:AWOLA virus removal help

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Do you use MusicMatch Jukebox?

You need to go back and follow the instructions in step 1 of the READ ME for MSconfig. You must not use MSconfig to control any startups or services. Select Normal Startup mode and remain in that state.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_4\bin\jusched.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O17 - HKLM\System\CS2\... Read more

3 more replies
Relevance 59.04%

I have read that some others have gotten help on the Awola virus, can someone help guide me through removing this malware?

More replies
Relevance 58.22%

Hi there. I believe I contracted a virus / trojan through Awola 6.0 a few weeks back. I started a thread in the 'Am I Infected' section, here's the link for that full thread: http://www.bleepingcomputer.com/forums/t/143729/infected-by-awola-60-and-could-really-use-some-help-removing-it/

Long story short, I believe this virus was contracted on Wednesday, April 23 around 745pm. My operating system is Windows XP. Whenever I double-click on any .exe file I get an all-black window, and a little window above it with an error message similar to this:

"16-bit MS-DOS Subsystem
C:\Documents and Settings\All Users\Desktop\Winamp.Ink
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application."

I can right-click certain programs and select "Run As" to use them, but can't double-click on anything. I also think this virus has taken over Administrator duties, changed my registry and is preventing me from properly installing programs. It was also preventing me from running anti-virus scans, but I believe we have found a way around this, and I was finally able to process a scan with DSS (and Hijack This). I also did a scan using the Kaspersky scanner. I will copy and paste all logs below. Thanks in advance for all your help.

HIJACK THIS MAIN.TXT
Deckard's System Scanner v20071014.68
Run by Mania on 2008-05-19 22:51:49
Computer is in Normal Mode.
---------------------------------------------------------------------------------- ... Read more

Answer:Infected With Awola 6.0 Virus / Trojan

Hello

Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.

If you have since resolved the original problem you were having would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When the scan is complete, two text files will open in Notepad:
main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the c... Read more

18 more replies
Relevance 57.81%

DDS (Ver_09-01-07.01) - NTFSx86
Run by Alan Muther at 21:55:00.50 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.279 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\... Read more

Answer:Too many virus pop-ups...DDS and zip file included

Hello -

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------
Download ComboFix

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
Double click on combofix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recov... Read more

19 more replies
Relevance 57.81%

heyy
uh, well i keep crashing, til a point where i can't even load into my desktop..
today weirdly, i was able to get into my windows, but everything was gone, but it was okay....it didn't crash.
until a few hours later it started to :\

UPDATE: [4/1/06]
it's now restarting on its own each time i happen to leave my computer :|


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:11:45 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.... Read more

Answer:i have a virus HJT log file included.

I don't see anything suspicious in the log. Restarts can also be caused by overheating or bad RAM.
 

2 more replies
Relevance 57.81%

I definitely have a virus. The homepage on IE was changed to coolpics.com and I can not change it (you no longer can highlight the buttons in properties), I also can not open task manager or edit the registry because I get an error message stating that it has been disabled by the administrator (which I am). When I shut down I get svhost.exe is shutting down message which takes forever to end and I also get some small random IE box in the top left corner of my screen showing "page not found". When I do a virus scan I get an infected trojan in svchost32.exe and svhost.exe but quarantining them does nothing. Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 5:47:14 PM, on 12/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA... Read more

Answer:Virus HJ Log File Included

8 more replies
Relevance 57.4%

Hi I downloaded some stuff that apparently must have had a virus. Here's what happened. The Trend PC Micro Cillin popped up and said I had some sort of malware, which said both C: autorun.inf and D:autorun.inf, and every time I clicked to remove these files, more would pop up in less than a minute. So I quickly deleted what I could find of these programs and anything else that may have downloaded with it to my computer, and there seemed to be a problem still, as I got the same Trend Micro PC Cillin warning. Then I restarted my computer thinking that would help. Then I looked on the taskbar (the bar on the bottom of the screen), and the volume and network icons were gone. When I tried to fix these settings, the check boxes were blanked out where I couldn't check them (gray). So I just gave up until today, when I got on my computer, the password thing looked exactly the same (for the computer) but when the page loaded, my background was black, the taskbar and windows looked like the old Windows Basic, (gray and blue boxy), but my pictures and programs all appeared to be the same! So I just freaked out and unplugged the computer, started Windows normally, and now my internet is redirecting me to all these Ads sites such as elle.com and yellowpages.com, (not sure if that's relevant) and now I did a log file so Here it is, if anyone can help me, I guess it serves me right from those stupid downloads. And the taskbar is back to normal but those icons are still gone. P... Read more

Answer:Malware Virus, Please Help! (log file included)

bump
 

2 more replies
Relevance 57.4%

Hi
I have already put a post on - but no replies - probably too long winded - anyway hope you can help with disinfecting my pc.

Logfile of HijackThis v1.99.1
Scan saved at 20:45:05, on 22/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\Explorer.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
... Read more

Answer:Help with virus infection - HJT file included

Closing duplicate thread, please continue here: http://forums.techguy.org/security/511810-trojan-horse-dialer-28-win6ea.html
 

1 more replies
Relevance 57.4%

A week or two ago, my Quicken and iTunes files disappeared. I haven't had anything happen since then, but when I look at what is in the Startup tab in SystemConfiguration, there's a blank line. My tech savvy friend said this means I have a virus.

I've tried running (and updating) my virus/spyware scans, but they don't pick anything up. I've run: ZoneAlert, Adaware, and Spybot. I also ran Hijack This. Can anyone tell me if a) the blank line really means I have a virus? b) if there's any other explanation for the missing files (e.g., a hardware problem?) and c) if my Hijack This file looks alright or has picked up something bad?

You know you're at a loss when you don't even know if you *have* a virus...
 

Answer:Possible virus? HijackThis file included

Hi, Welcome to TSG!!
I don't see any anti-virus program running. Do you need a suggestion for a free one?
 

3 more replies
Relevance 57.4%

Sinowal Trojan?

I keep getting a pop up...doesn't look like it is a legit windows defender message...

"Security Center Alert-Windows Firewall has blocked activity of harmful software." Clicking on the "enable" tab takes you to an ad for Perfect Defender 2009, whatever that is.

I ran spybot S&D and Malware bytes

Hopefully you can help.
Thanks in advance.

Here is the log file

Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\A...

Relevance 56.58%

Hi, my computer has a trojan horse called collected.af

Here is the hijackthis log file.
Hope you guys can help me.
I've scanned with AVG and Spybot but the virus still hangs around.
-------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:27:38 PM, on 13/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Y...

Answer:Collected.AF trojan virus help (HJT log file included)

Relevance 56.58%

Hi, my MSN contact sent me a message and it says something like "have you seen my new hair?" and then it sent me a zip file.

I stupidly accepted it, but when I was going to open the file I hesitated as I thought it may be a virus. I deleted it immediately and emptied my recycle bin, but after I restarted my computer, there's an error "22A4A32F.exe". I used the trendmicro housecall to scan my computer and it detected a few more malware such as "troj_nspak.a", "worm_agent.wjw" and "worm_vb.cln". The files detected in my computer were "C:\auto.exe" and "EB417980.dll".

I have no idea what those are and I suspect it was from the MSN virus that I received, as my computer became very slow. My hijackthis log file was as follows. Please help me!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:34 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent...

Answer:Solved: MSN virus.. hijackthis log file included.

Relevance 56.58%

Hi guys...
I have been having issues with my computer for a little bit now (my mother likes to dl and save every dang picture, pattern and other random crap she sees) and I have no idea what she has maybe dl'd with a piggyback something.
I have run multi virus scans, spybot, ccleaner and then I figured HijackThis and some tech savvy people may just do the trick...here's hoping.... Thanks in advance for any and all help/suggestions.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:21:11 AM, on 11/10/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17344)
CHROME: 38.0.2125.111

Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Users\linda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Users\linda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\linda\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Users\linda\Downloads\HijackThis (1).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/CQNOT/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Ma...

Answer:Possible Virus/Trojan...HijackThis File included

Relevance 56.58%

I'm not exactly sure at what time it happened or what I was doing, but the "Awola Anti-spyware 6.0" program is installed on my computer and won't uninstall. A pop-up box is constantly at the bottom right-hand corner of the taskbar saying "Your computer is infected!", recommending that I use the tool to prevent data loss.

Also - on another note - I'm unable to use any open-source internet browsers (i.e. Firefox, Opera, Bonjour...). When I attempt to use Firefox (for example) I'm given the message "Firefox can't establish a connection to the server at www.google.com." It won't open any site. I'm given a similar message when I try to use any browser other than IE. The browser suggests that if my computer or network is protected by a firewall or proxy, to make sure that Firefox is permitted to access the Web. I don't think this is the problem - but I really can't be sure. I never did anything to change these settings - nor would I know where to go to do such a thing. I'm not sure if these two things are related, as the internet problem happened a good 2 months after the Awola problem started.

I really appreciate any help. From viewing other members' responses, your help seems very effective.

Thanks!

Deckard's System Scanner v20071014.68
Run by Frankie on 2008-02-22 23:17:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore -------------------------...

Answer:Awola Virus :( .... May also be messing with my open-source internet browsers

One more thing I forgot to mention! --- On step 4 of what to do before posting a log - Updating the Operating System - I was unable to update. Is there anything I can do to fix this?

Thanks so much!

Relevance 56.17%

I think I'm at my wits end...Here's what I have...

Last night, I was working on a few things for work and all of a sudden, I heard the PC bogging down and getting loud. It stopped, shut itself off and then rebooted. Upon reboot, AVG was disabled, I couldn't run Malwarebytes, my Firewall was turned off, my browser was hacked as Google brought up fake sites and even said this one was no longer on the internet.

After browsing the forums on a work computer, I realized I could start the computer in Safe mode which is how I am on the net now. I did that and was able to scan with Malwarebytes and AVG, both of which noticed problems, it removed them like normal, or so I thought, and rebooted...only to have them start popping up over and over again. If someone could PLEASE check out my Hijack This file and help me...I would be GREATLY appreciative.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:01 PM, on 10/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program F...

Answer:Please Help! Trojans / Worms / Virus / Etc. (HiJack File Included)

I've been able to run Malwarebytes and AVG in safe mode after doing scans...here is the MBAM log:

Malwarebytes' Anti-Malware 1.28
Database version: 1147
Windows 5.1.2600 Service Pack 2
10/30/2008 10:19:57 PM
mbam-log-2008-10-30 (22-19-57).txt
Scan type: Full Scan (C:\|)
Objects scanned: 109761
Time elapsed: 56 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (Adware.TargetSaver) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Steve Miller\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve Miller\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe (T...

Relevance 56.17%

Something is masking itself as a search engine, when it's actually a bogus site. Can anyone help me? -Andrea

Logfile of HijackThis v1.97.3
Scan saved at 11:03:15 PM, on 11/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\HP CD-W...

Answer:Virus affecting browser? hijackthis file included

Relevance 56.17%

My computer was running fine last night, but this morning I started having issues with Excel and Word and my computer is freezing up. I ran the anti virus software I had and it showed a Trojan Goldun Virus. I downloaded and ran the Hijack software and this is my file from them:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:17 AM, on 10/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\mobsync.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\MemTurbo 4\MemTurbo.exe
C:\Program Files\Common Fil...

Relevance 56.17%

Computer probably has a virus, it wont run explorer.exe... [log file included]
Hello dear community.

This afternoon I downloaded a PowerDVD version from a torrent, apparently the file wasn't clean, and now I can do sh*t on my computer.

When I entered my account and password my wallpaper is there, but that's it (explorer.exe is missing).

I tried numerous things, but every time I try to "open" something using ctrl/alt/delete -> new task I get the message Data Execution Prevention blocked it.

This is really my last hope, since I really don't want to take my PC to the shop, since they'll probably say "all we can do is clean the entire c: drive", which I don't really want.

Anyway, here is the log file, I'll keep looking on these forums every couple of hours or so, hopefully you guys can help me.

Kind regards,
Danny

Answer:Computer probably has a virus, it wont run explorer.exe... [log file included]

Hello and welcome to the BleepingComputer.com! I will be helping you today. If you still need help, please let me know by replying to this thread.

Please be advised, that I am still in training. For your own protection, I may not offer you any advice without it being checked by more experienced helpers first. This can unfortunately lead to slight delays in the responses. However we are trying to help you as quickly as possible.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please give me some time to go through your logs, I'll post back soon.

regards _temp_

Relevance 55.35%

Exe's are going missing everyday. Infected with some virus. I am including HiJack This logfile. Please help. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:10 PM, on 06-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctapsd.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\CiscoTrustAgent\ctatransapt.exe
D:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Google\Google Talk\googletalk.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
D:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\SQLyog Community\SQLyog.exe
D:\LeapFTP\LeapFTP.exe
C:\Program Fil...

Answer:Infected with virus. Exes are going missing. HiJackThis Log file included.Please help

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
 

Relevance 55.35%

Please help as fast as you can and thank you... Please explain your fixes step by step thank you very much
again possible google redirected virus infection
Hijack This file below let me know what needs to be taken away or steps which need to be taken thanks again

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:40 PM, on 4/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Common Files\AOL\1224940649\ee\aolsoftware.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\vVX1000.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Li...

Answer:possible google redirect virus infection. Hijack This file included

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE
*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.
*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.
*You must reply within 5 days otherwise this topic will be closed.

Please read the preparation guide here => http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Then post the required logs when you reply and we will begin from there. Thanks.

PS - Please do not post your email address here. This is to protect you from spam bots who will pick up your email address and spam you.

Relevance 55.35%

Hello!
So, I download Guitar Tabs online (legally), and after trying to download one ... I instantly knew something was wrong. I got a bunch of pop-ups...and I never got my tablature. This has never happened when trying to get a guitar tab...but. I've gotten a virus before. I've run Spybot Search and Destroy a few times and it seems like it still doesn't work. Random things have just...stopped working. Like...Google Chrome and sounds from YouTube videos. Sometimes, iTunes says something like no audio source is found so there may be no sound. Also, some things have "encountered a problem and need to close"...not normal things...like Generic Host Process for Win32 Services. One last thing...sometimes...randomly...everything starts turning into like, Default Windows Style setting. Like, gray boxes and the taskbar goes back to how it looked in Windows 98. When looking at my processes, the program svchost.exe (just one of them) takes around 300,000 K of Mem usage, which has never happened before. I hope I've given adequate information. Here's a HiJack This logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:12:10 PM, on 3/5/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system...

Answer:Virus? Trojan? Websites Redirecting, etc. HiJack This File Included

Relevance 53.3%

Hangs while loading control panel and start menu. It does eventually load, but it takes 30 seconds. WAY too long. All help would be GREATLY appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:49:26 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Downloads\HiJackThis_v2.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DigitalStorm] C:\Windows\System32\Sp...

Answer:Log file included. Specs included. Hanging while trying to access Control Panel and S

Hi boburke

I see you have Trend Micro HijackThis v2.0. This version of HijackThis is still a beta and is undergoing testing at this time. We prefer you to use Deckard's System Scanner and then during the course of the fix HijackThis v.1.99.1. If you still need help please uninstall HijackThis v2.0 then follow these instructions.


Download Deckard's System Scanner to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, 2 text files will open - main.txt and extra.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt back in this thread (do not attach it).
Please attach extra.txt to your post.


To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if y...

Relevance 45.51%

While surfing the web, Norton came up and said that C:\Windows\dlm.exe was infected with a Trojan virus. It could neither repair nor quarantine the file, and I was not sure if I should hastily delete it or not. I stumbled upon this site and saw others with similar cases. So, I downloaded Hijack This and ran a scan. Here's the log below. Thanks to anyone willing to help!
Logfile of HijackThis v1.97.7
Scan saved at 6:14:04 PM, on 12/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lexbces.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\PROGRA~1\Proc Ford Software\Wave road regs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Progr...

Answer:Infected File, Can't Quarantine - Log File Included

Have a look at this thread http://forums.techguy.org/showthread.php?threadid=215474&90068ef66b0d48b4d35365630275933b
 

Relevance 45.1%

I'm running windows xp sp2. Adaware, spybot and virus scans haven't helped. I deleted MSAgentXP, but there is another trojan downloader that I couldn't fix. When I start up I get a "data execution prevention" message that says windows has closed this program: and the program is windows explorer. I can still stay on for a while before it reboots itself, but I'm not sure what to do now.

hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:34:38 PM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\system32\esent97.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wpd_ci.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\syste...

Answer:Virus, Hijackthis Log Included, Neither Adaware, Spybot Nor Virus Scans Have Fixed It

Hi and Welcome to bleeping computer!! My name is David.

Please do both of the following before we start if possible!:
1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.

There is a bit to do on the log - I can almost guarantee ewido will remove something - it's also a good free tool to keep in your arsenal!

Please download ewido security suite it is a free version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck.
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan wil...

Relevance 45.1%

Any help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 10:05:06 AM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Documents and Settings\Compaq_Owner\Desktop\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Fil... Read more

Answer:Virus scan recommendations? Potential Virus!? Hi-Jack Log included

Download the Trial version of Superantispyware Pro (SAS):
http://www.superantispyware.com/superantispyware.html?rid=3132
Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the ... Read more

3 more replies
Relevance 45.1%

My computer has gotten some sort of virus. My screen goes all black except the start bar on the bottom (I can still open programs from there) and a thing called system check keeps popping up saying I have a million errors and asking to scan my computer and buy the full version, but it won't go away no matter what I do, unless I run in safe mode like I'm doing now. I've scanned with avg and malwarebytes and it still won't go away (they're not finding anything) and like 30-40 or so boxes keep popping up saying different system 32 files are corrupted, but I can click those off. And when the computer first starts up it says something's wrong with the ati catalyst drivers. Here is my hijackthis log


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:56:49 PM, on 1/27/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\matt\Downloads\HijackThis.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Li... Read more

Answer:bad virus acts like a virus scanner wont go away (hijack log included) help please!!

15 more replies
Relevance 44.69%
Question: Awola Bug?

There's a little bubble on the right side of my screen, near the clock, that keeps popping up (and won't go away, which is very annoying), saying "Your computer is infected!" Unknowingly, I clicked it and it presented me with "Awola Anti-Spyware 6.0" or something to that effect. I Googled Awola and found out that it was a rogue anti-spyware program, or something. So, I checked out Add/Remove Programs, and it wasn't in there. So I went through the Start menu to Uninstall Awola, and it said it was removed successfully, but the bubble will still not go away.

I am completely computer-stupid and have no idea what to do. Any help?
 

More replies
Relevance 44.69%
Question: Awola

Well I got the AWola bug and it's a killer. Dang "Your Computer is infected!" pops up every 5 seconds after closing it and that is the good news. I can't go anywhere without being redirected. I am not even sure how I have made it to this site. Anyway I have done a HIJACK THIS log and I am posting it if anyone knows what to do I am all EARS. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:00 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\UmVlc2UgQnJpZGdlcw\command.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS... Read more

Answer:Awola

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.
Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.
Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

3 more replies
Relevance 44.69%

I'm infected with Awola.

I don't know if that's what it's called exactly, and there could be more to my problem than that; but there are other threads on this very problem. As far as I could tell, netiquette on MajorGeeks says I should make my own thread rather than invade someone else's.

If I'm wrong, I'm very sorry for having made a redundant thread.

Symptoms:

- A yellow triangle with a black exclamation point in it sitting in my task bar. It spawns a large, intrusive word bubble telling me I'm infected with spyware and that Windows will download the Awola anti-spyware program if I click the bubble.

- My system will freeze for several seconds at a seemingly random frequency. It always unfreezes, and anything I've done during the 'frozen' period (words I've typed, things I've clicked on, etc.) eventually happens after things come unfrozen.

What I was doing when I first noticed the infection:

- I'd been gone for two days, and my computer had been left on. When I came back I noticed my internet browser was open, and the word bubble was staring at me. I don't believe anyone touched my computer while I was gone.

Hopefully I've attached everything properly.

I did an AVG scan, but the log reads:





"[1/21/2008 15:03:15 PM] synchronize database and filecache"

I followed the directions in the "read me first and do these thi... Read more

Answer:Awola, maybe others.

Welcome to Major Geeks!

Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it now.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 3
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\system32\s1940.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\RICHARD\Application Data\pzruv.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\RICHARD\Application Data\Awola\Awola.exe" /MIN
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WIND... Read more

4 more replies
Relevance 44.69%
Question: AWOLA

Just picked up Awola on my computer.Please help, how do I get rid of it??
 

Answer:AWOLA

have you tried any of the google search links?
http://www.google.com/search?aq=t&oq=awola+re&hl=en&safe=active&q=atwola+removal&btnG=Search

I haven't had specific experience with this one.
 

1 more replies
Relevance 44.69%

I searched previous threads about this pesky malware, but I think my problem might be a little different...
So my computer automatically shut down, and then after rebooting I noticed a popup (from the taskbar only) telling me that my computer is infected and that I should download "special antispyware"...

I haven't clicked it, and don't plan on it, BUT I'm wondering if my computer is already infected ( I ran spybot and AVG and both found no infections.) and if not how do I stop that pop up from well popping up.

Thanks
 

Answer:Not sure if I have awola yet...

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide

Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can try running steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.


Plus a guide on HOW TO: Attach Items To Your Post
 

1 more replies
Relevance 44.69%
Question: Awola

Hi,

I've tried to clean Awola off of my system by piecing together what to do from the threads in this forum, and it appears to have removed the pop-ups. Can you guys take a look at my HJThis log and let me know if I missed anything? Also, please let me know if I should post anything else to be reviewed.

Thanks very much
 

Answer:Awola

Your HJT log is clean...although we recommend that the exe be renamed to analyse.

Are you still having problems? If you are:

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

1 more replies
Relevance 44.69%
Question: Awola

thanks for your advice boopme.

I had so much trouble getting rid of awola and I finally did it thanks to your suggestions.
Thanks a lot!

Answer:Awola

You're welcome and welcome to BC. I split your post away into its own topic as that one is still working and you are further along. Always make your own topic; it is the better method and keeps things from being confused. As in, the step for you to do is not the step for them, thanks. I would recommend you do this step now.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all ... Read more

3 more replies
Relevance 44.28%
Question: Awola.... sigh

I'm embarrassed that I got "suckered" into this spyware, but I clicked too quickly after seeing the security alert (bogus, of course). I've searched and read everything, and can't believe I'm unable to get rid of it!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:36 AM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
c:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\TDS\tdssvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
... Read more

Answer:Awola.... sigh

Stupid spyware! Ran SDFIX and COMBOFIX with fingers crossed

Anyways....the Awola popup from the tray is still there!!


SDFix: Version 1.129

Run by LocalAdmin on Tue 01/22/2008 at 10:54 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 23:00:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" ... Read more

4 more replies
Relevance 44.28%
Question: Awola Removal

dealt with AWOLA removal today. here are the following steps used to remove it:

0. DISABLE System Restore.

1. download, install and update Malwarebytes AntiMalware removal tool.
http://www.malwarebytes.org/

2. reboot your system into Safe Mode with networking.

3. verify that you have the latest update of Malwarebytes by performing the update again.

4. perform a FULL SCAN with Malwarebytes and, after the scan is complete, remove all items in the list.

5. perform a search on your computer for the following:
*awola*.*
this will search for ANY file in your system with the word 'awola' anywhere within its name, regardless of the file extension. DELETE any 'awola' files.

6. open the registry (ie. regedit) and do a search for 'awola' and remove any items you find.

7. perform another scan with Malwarebytes to be certain your system is clean.

8. restart your system.

if anyone has comments, please share them.
 

More replies
Relevance 44.28%
Question: Awola infection!

My computer is infected with Awola anti spyware. I searched Google for some solutions for this aggravating problem. This website caught my eye. I hope that I can be helped for my problem. As of right now my computer crashes on normal mode within 5 mins of startup. The only way I can use the computer is on safe mode.
Once I entered the website I was reading a forum for Awola removal and downloaded the file SDfix (this was from a link on the thread). I decided that it would be best if I discontinue any attempt at correcting the problem myself because I am not extremely knowledgeable. Thanks for any help I can get.

Answer:Awola infection!

Why doesn't anyone want to help me with my issue?

1 more replies
Relevance 44.28%
Question: Awola Removal!!!!

I got infected with Awola and can't get it off. Thanks for your help.

Incident | Status | Location

Spyware:Application/Awola | Not disinfected | c:\documents and settings\kris\application data\awola\awola.exe
Spyware:Application/Awola | Not disinfected | C:\Documents and Settings\Kris\load.exe
Potentially unwanted tool:Application/PRScheduler | Not disinfected | C:\Documents and Settings\Kris\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe ... Read more

Answer:Awola Removal!!!!

Any suggestions on how to get rid of this? Plzzz my computer is crashing and I need help bad. Thanks

10 more replies
Relevance 44.28%
Question: awola help needed

my sweet husband contracted awola and I am left to figure out how to get rid of it... any help is much appreciated - here is the HijackThis Log I just ran



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:50 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09... Read more

Answer:awola help needed

I have now also completed ComboFix but the popup "Your computer is infected!" is still there... log listed below but not sure if I did it correctly. It is also affecting other programs and now I cannot print. Please help before I divorce my husband or at least throw the computer at him!!!




WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

19 more replies
Relevance 44.28%

Awola is driving me crazy!! And just about the time I get started on another paper, I get a pop-up. I can't tell you how many times I have had to re-connect to this site just to finish this thread.
I wasn't able to perform a Windows Update because the Windows Genuine Advantage Validation Tool wouldn't install. (KB892130).
Here is the log;

Deckard's System Scanner v20071014.68
Run by gc on 2008-01-18 13:44:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-18 19:44:32 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as gc.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:41 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C... Read more

Answer:Awola & numerous pop-ups

Download SDFix from here and save it to your desktop.


Please then reboot your computer in Safe Mode by doing the following :
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.


=========================================


Download Combofix from any of the links below, and save it to your desktop. For information regarding this d... Read more

3 more replies
Relevance 44.28%
Question: Awola hijack

My sister's computer has been hijacked, any help will be much appreciated. Here's the HJT log:
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - ... Read more

More replies
Relevance 44.28%

Howdy!

My computer seems to have been infected with this malware Awola. It is driving me bonkers. I cannot seem to rid my computer of this program. I've tried my antispyware programs and uninstalling and basic registry deletions, but it keeps regenerating.

Any help would be tremendously appreciated.

Thanks,
Andrew
 

More replies
Relevance 44.28%
Question: Awola Removal!!!!

I have Awola virus on my computer and I cannot get it off. I have deleted the registry values and everything. I ran spybot s&d and ad-aware. Please help in any way you can. Thanks.

Answer:Awola Removal!!!!

help plzzzz, i can barely use my computer with it this bad. thanks

2 more replies
Relevance 44.28%
Question: awola removal

My brother-in-law has managed to install awola and now I have to get rid of it. Any ideas? He lives 60miles away and is techno-phobic.

Answer:awola removal

click here

10 more replies
Relevance 44.28%
Question: Awola Malware

My computer has been infected with Awola. I am normally pretty good with computers but this has caused me to waste the last 6 hours on trying to remove it with no luck. From what I have read this is pretty common but extremely hard to remove. I really need help before me and my computer play fisticuffs. Here is the log named main.txt:

Deckard's System Scanner v20071014.68
Run by Barry on 2008-04-22 22:52:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-04-23 02:52:32 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Barry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:25 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\... Read more

Answer:Awola Malware

Hello BarryCarey
Welcome to BleepingComputer
========================
If you are still in need of assistance please post a new Hijackthis log.

1 more replies
Relevance 44.28%
Question: Awola Invastion

Good Day Doctors, I'm helping another friend with their system. It looks like they got caught in one of those sites that pull you in and the next thing you know the software is on your system. I'm trying to uninstall a program called AWOLA. It states that it is an ANTI-SPYWARE and the system has been infected. I tried to uninstall it but no luck. It seems you have to buy the program to have the option available to uninstall it.

Has anyone heard of this program and how can I get it off my friend's system?
Thx in advance
Steve
 

More replies
Relevance 44.28%

Hi can anyone assist me? I am trying to repair my cousin's computer which appears to have Awola installed on it.

I am also unable to get the computer to detect any wireless signals even after manually entering the settings for my network. In addition, the user also installed SystemTech Spyware Cleaner. Is this a good program to use? Am I better off using Windows Defender?

Below is a log file


Deckard's System Scanner v20071014.68
Run by RASHIDA XXXX on 2008-05-03 20:53:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as RASHIDA ROACH.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:15 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wirele... Read more

Answer:Please help Awola 6 on laptop

I am sorry to bump this thread. I was wondering if there was something that I left out or should have done before posting this thread.

I did complete steps 1-4. I was unable to connect to the internet to do an online scan.

I apologize if I incorrectly posted. Sorry for bumping this thread.

4 more replies
Relevance 43.87%

Hi, yesterday I started getting some really annoying Awola anti-spyware popups on my PC. I used the information in some of the threads on this forum, and thought that I had it beat, but today, I'm having the same problem. Here's the HijackThis log. Any help is much appreciated. This is a really annoying issue.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:55 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\bak\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunes... Read more

Answer:Solved: Awola Malware

16 more replies
Relevance 43.87%

hello guys/gals:



here with my computer again. it now has a phony anti-virus software on it "awola" the computer has been taken over, no task manager, no wallpaper, random shut downs, constant "warning" pop ups, i can't do anything anymore......


please help thanks


here are the logs:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 18:02:31.03 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.500 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\awolaantispy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTune...

Answer: AWOLA has infected my system

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed. Let me know your intentions for an antivirus program.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs ...


Hello TechGuy users,
I am a new user to TechGuy after my friend had an encounter with... AWOLA.
They said they were getting pop-ups even if not on the internet and their whole Compaq Windows XP Laptop is slowing down. I told them to get Spybot Search & Destroy and update to the newest version and they did. They scanned their whole computer and they destroyed some AWOLA software, but it is still there.

What should they do?
Thanks,
Michael
 

Answer: AWOLA Spyware... AAAHHHHH!

More info:
I told my friend to do System Restore; they said it didn't work, then also tried to uninstall it manually but they want them to pay for it...

 


gettin tons of pop ups, mainly says "internet speed monitor" or "outerinfo" on em, also awola self downloaded dis now automatically coming on and what not, and of course comp running slow as heck. Thanks for help, im computer stupid, haha.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jr...

Answer: Pop Ups, Awola, Sloooow Comp, Help!

already fixed it, didn't know how to just delete the topic, thanks.


Hi there, I believe my computer was recently infected by the Awola Virus / Trojan, and I could really use some assistance. I thank you in advance for any suggestions and help, they are appreciated. I'll put up a detailed description here of what's happened so far, and can certainly provide any additional information that may be required. My computer knowledge is okay, but very limited in terms of spyware and troubleshooting complex problems like this one.

Operating System = Windows XP

A couple of days ago I was doing some stuff online at 7:45pm, preoccupied and in somewhat of a rush. I got a popup menu that a trojan had been found, I assumed it was from my McAfee Security Centre (as this has happened several times before) but I didn't really look at it that closely, and selected okay (I think). I then started to receive a bunch of popups about Spyware, and Awola spyware removal program. I kept closing them because I was in a rush, didn't really look that closely, thought it was just ads and may very well have clicked something I shouldn't have. I did see the Awola Program box come up at one point and I thought I attempted to close it, but I may have clicked on something inadvertently.

Upon rebooting later, I realized that the computer was probably infected. I cannot click or open any application, by double-clicking an icon or program name I always receive the same error message (tailored to whatever application I attempted to open). A black empty box a...

Answer: Infected By Awola 6.0 And Could Really Use Some Help Removing It

if you have not already done so you could try the superantispyware program?
http://www.superantispyware.com/superantis...efreevspro.html
download it from
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
run the installation program and start the program from the desktop icon; fully update the definitions, reboot the computer into safe mode if it will let you, then run superantispyware from the desktop icon on a full computer scan
when the scan is complete, reboot your computer into normal mode, and come back and post the log report you should find by opening the program and go to preferences/statistics.logs
left mouse click on the most recent entry, click on 'view log' and copy and paste that report into here for examination so folks can see what help you may need


I keep getting pop-ups and a little notification at the bottom right of my screen saying: "Your computer is infected! Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware."

I clicked it and found that it was installing a program "Awola," which I later found to be some sort of spyware or something. I uninstalled and did some Ad Aware scans (both in normal and safe modes), but I keep getting this notification CONSTANTLY. It's really annoying. Can anyone help?

Thanks!!
 

Answer: Awola program--How do I remove it?


My boss's computer got hit with AWOLA. Before finding your site I tried to fix it. We run McAfee antivirus. His firewall was down, which has been fixed.

His computer runs XP Pro. He can do what he needs to do; however, he still is getting the message popping up: "Your computer is infected."

Yes, I deleted files and some registry stuff already. I ran spybot and found a few more files. On the last run of spybot there are no offending files showing. Is there any way of ridding that annoying message?

Thanks,
 

Answer: AWOLA- Continued Pop Up Message

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 


Had a recent problem with malware. The main culprits seemed to be Awola, Security Toolbar, Kukkakreck taking over my home page with numerous pop-ups and slow performance. Followed your nine step program and am greatly appreciative for the concise advice. Most of my problems seemed to be solved but I will post the log and hope for the best. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:34 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Sygate\SEA\smc.exe
C:\WI...

Answer: Awola, Kukkakreck, Etc. And Other Villains

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Thom T
My name is Richie and I'll be helping you to fix your problems.

Please disable Spybot S&D's protection, or it will interfere. You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your pc:
Viewpoint
Viewpoint Manager
Viewpoint Media Player

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest versio...


I have run the XP cleaning procedure with combofix, spybot, AVG and MG tools as suggested by this great site, but I still have a nasty Awola bug on my computer. I will try to attach the logs, but AVG stated that it did not create one.

Please help, and thanks in advance!
 

Answer: awola still giving me fits

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Spybot - Search & Destroy 1.3 <-- this has not been used for more than 2 years.
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Then install the proper version of Spybot as given in the READ ME. MAKE SURE to uncheck the option for using Teatimer.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Home\Application Data\zpbfwsb.exe
O4 - HKLM\..\Policies\Explorer\Run: [ngm] C:\WINDOWS\System32\ngm.exe
O4 - HKCU\..\Policies\Explorer\Run: [nhhp] C:\WINDOWS\System32\nhhp.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O20 - Winlogon Notify: khfdbxx - khfdbxx.dll (file missing)
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is ...


My machine has been infected with AntivirusXP 08 and Awola. Have cleaned out a lot but now am left with random non-fatal BSOD's that I think are a trademark of these infections. Kaspersky scan of the critical areas is clean so there is no log to attach. I am including the two logs from the DSS scan.

Deckard's System Scanner v20071014.68
Run by Samantha on 2008-07-19 14:35:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Total Physical Memory: 480 MiB (512 MiB recommended).

-- HijackThis (run as Samantha.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:42 PM, on 7/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files...

Answer: Antivirusxp 08 And Awola Infection

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...

Please uninstall Viewpoint Media Player from your computer..

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

------------------------

Please download the OTMoveIt2 by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\Documents and Settings\Samantha\Application Data\internaldb6334.dat
C:\Documents and Settings\Samantha\Application Data\internaldb41.dat
C:\Documents and Settings\Sam\Application Data\shc3ubj0enb9
C:\WINDOWS\system32\blphc5ubj0enb9.scr
C:\Program Files\Viewpoint
EmptyTemp
puri...


Hi there, I REALLY need help. Okay, so first I got infected with awola; it's a flashy trojan virus that disguises itself as an antivirus spyware, and I thought I removed it. Then today I turn on my computer, and I have 2 drives, C and D, and my D drive would not load, like it would just show my background with no icons or side bars on it. Please, if you know how to help, would you please; I would be forever grateful. Thank you.
 


Hi, my mother recently infected her PC with AWOLA, and ever since, everything has been running much worse. I've tried to use previous posts / fixes, but to no avail. I've included the DSS report below. Thank you so much.

Deckard's System Scanner v20071014.68
Run by sconstan on 2008-02-01 14:59:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-01 14:59:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Progress\OpenEdge\bin\admsrvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL ...

Answer: Older PC Infected with AWOLA, Please Help

Bump. Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 5:35:13 PM, on 2/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Analog Devices\SoundMAX\Smtray.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\D-Link\AirPlus G\AirGCFG.exe
D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
D:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOL...

Answer: DrWatson spyware/Virus HJT virus included

1. Download this file :

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
======================

Download Superantispyware

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot...


I have recently gotten rid of a virus on my computer, however the "type" of virus it was intrigued me and I was hoping a virus expert on here could give me some more info about it. The virus redirects the browser.

Here is the part of the HJT log that displays it:

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 64.86.16.97 google.ae
O1 - Hosts: 64.86.16.97 google.as
O1 - Hosts: 64.86.16.97 google.at
O1 - Hosts: 64.86.16.97 google.az
O1 - Hosts: 64.86.16.97 google.ba
O1 - Hosts: 64.86.16.97 google.be
O1 - Hosts: 64.86.16.97 google.bg
O1 - Hosts: 64.86.16.97 google.bs
O1 - Hosts: 64.86.16.97 google.ca
O1 - Hosts: 64.86.16.97 google.cd
O1 - Hosts: 64.86.16.97 google.com.gh
O1 - Hosts: 64.86.16.97 google.com.hk
O1 - Hosts: 64.86.16.97 google.com.jm
O1 - Hosts: 64.86.16.97 google.com.mx
O1 - Hosts: 64.86.16.97 google.com.my
O1 - Hosts: 64.86.16.97 google.com.na
O1 - Hosts: 64.86.16.97 google.com.nf
O1 - Hosts: 64.86.16.97 google.com.ng
O1 - Hosts: 64.86.16.97 google.ch
O1 - Hosts: 64.86.16.97 google.com.np
O1 - Hosts: 64.86.16.97 google.com.pr
O1 - Hosts: 64.86.16.97 google.com.qa
O1 - Hosts: 64.86.16.97 google.com.sg
O1 - Hosts: 64.86.16.97 goog...


Have an AWOLA infection. was going to use info from this forum which suggested downloading a couple of files to help. But when I try to go to the sites, I get redirected to no page. Can't go anywhere.

Also, when doing a search now to locate and delete AWOLA files I get an error notice and Search shuts down.

Ad-Aware will run then stops about half way through.

Continuously get a little popup about infections. And there is a little yellow triangle on the startup menu bar (lower right) that, if clicked, will start Awola again.

Any suggestion, or do I just throw the box away?

Thanks,

Pete

Answer: Awola - can't download fixes due to redirect

You should be able to download this tool. If not, use another machine, and a usb stick or CDR to carry it to the afflicted machine.

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

------------------------------------------------------------------------------------...


Hi,

Earlier today I managed to get the Awola malware onto my computer. I have run Ad-Aware & Spybot S&D along with F-Prot anti-virus software. I have also run Hijackthis! & removed the Awola line. I also ran a search of my computer files & removed all files relating to Awola. I have rebooted my computer & the annoying yellow triangle warning message continues to pop up every 30 seconds. Could someone help to squash this pest?

Thanks in advance!
haroldff1082

Answer: Annoying "your Computer Is Infected!" Pop-up (awola)

Hello and welcome haroldff1082

What antivirus product do you have installed and have you scanned with it in safe mode?

Please do this also
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop .. DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or Opera browser click it at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs...


Hi everyone-

I'm trying to help my younger brother get his computer functioning properly.

Within the last couple of weeks, he's acquired the AWOLA problem, the machine runs incredibly slow and also his home page starts out at something completely different even though we've changed it back many times.

I've gone through the 5 steps and this is what I have.
Thank you all for your help.




Deckard's System Scanner v20071014.68
Run by Adam on 2008-04-25 23:30:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-26 04:31:07 UTC - RP1005 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).
System Drive C: has 4.34 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-25 23:35:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe...

Answer: AWOLA + Hijacked IE Home Page + others...

Hello and welcome to TSF.

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=7&ar=msnhome
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O15 - Trusted Zone: about://internet (HKCU)
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} () - http://hotsearchbar.com/toolbar2/winhot32.cab

Close all browsers and windows other than HijackThis and click on "fix checked".

I am not sure if you set this as your start page yourself or not...


This is definitely not an anti-spyware program. It opens a window off the toolbar disguised as a Windows security update. It warns, "Your computer is infected! Click here to protect your computer...". The balloon does not go away. It worked its way onto the computer uninvited. I've followed all the procedures listed in the Preparation Guide but to no avail. Please help. Thanks for your time and expertise. Here's the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:13 PM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\M...

Answer: Infected With "awola Anti-spyware 6.0"

Welcome to the BleepingComputer HijackThis Logs and Analysis forum rosevilledad
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:...


I've had this infection for some time. Tried a bunch of methods from computerforum but still can't finish the virus off. I constantly get CID popups and on my mom's guest account she has this annoying AWOLA popup that appears to say it's an anti virus program.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:45 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\D...

Answer:Badly Infected With Cid Popups And Awola

Also, in my C: folder I have like 200 TMP files that look like pos1A2F.tmp. What are these??


Here's my logfile. Is this the right thing to post?



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:38:27 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINXP\Explorer.EXE
C:\WINXP\StartupMonitor.exe
C:\Program Files\Antivirus\Clamwin\bin\ClamTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\RDSHOST.exe
C:\WINXP\system32\sessmgr.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\logonui.exe
C:\WINXP\system32\rdpclip.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINXP\system32\logon.scr
C:\Program Files\Antivirus\HijackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\Antivirus\SpyCatcher\SCAc...

Answer:Awola fake anti-spyware

Ok.We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running ComboFix

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

=======================================

Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extra...


Hey guys, I'm working on a PC for a friend, and she has the constant "Your Computer is infected!" crap going on... Here's the HJT and SmitFraud logs:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:18:29 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messen...

Answer:HijackThis/SmitFraud logs - Awola!

Please see the new post below... the above scan was old...
 


A big thanks in advance.

Windows XP Professional SP2

I am working on a friend's PC that was hit with Awola 6. He followed removal procedures described at http://www.spyware-techie.com/awola-or-awo...-removal-guide/

He brought me the computer with no signs of the Awola 6 files or registry entries mentioned in the link above yet his network adapter stops receiving packets only about a minute after the Windows desktop has booted.

I used system restore to take him back to before the attack but no help. Ran Smitfraud again and no help. I weeded through the running processes and ensured that there was no proxy set up in Internet options.

Since the system has no available network connection I wasn't able to run the Kaspersky online scanner.

I ran DSS and here is the log: Please note that I didn't have the computer hooked up to the router at the time of the DSS scan. If it is important I can hook the computer up and make a new log.

Deckard's System Scanner v20071014.68
Run by Santa B on 2008-06-20 04:50:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-06-20 11:50:23 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Santa B.exe) ---------------------------------------------

Logfile of Trend Micro HijackThi...

Answer:Awola 6 Removed But Packets Are Not Being Received.

I'm hoping somebody can get to solving this soon.


My friend's computer runs very slowly. Windows 98.

Logfile of HijackThis v1.99.1
Scan saved at 7:00:00 PM, on 4/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KASPERSKY LAB\ANTIVIRAL TOOLKIT PRO\AVPCC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\KASPERSKY LAB\ANTIVIRAL TOOLKIT PRO\AVPM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PDESK.EXE
C:\PROGRAM FILES\KASPERSKY LAB\ANTIVIRAL TOOLKIT PRO\AVPCC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINCMD\WINCMD32.EXE
C:\PROGRAM FILES\HJC\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOW...

Answer:Please help (Log file included)

Add remove programs – remove if present – webHancer

Print this and boot to safe mode (Start tapping F8 at the first black screen after power up)
Fix these with HJT

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe –osboot

O4 - HKLM\..\Run: [LaunchAttuneSetup] C:\WINDOWS\SYSTEM\msiexec.exe /i "D:\Corel\Graphics10\Aveo\09\01\attune.msi" /q

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Uncheck hide extensions
Now click "Apply to all folders", Click "Apply" then "OK"
Delete these folders

C:\Program Files\webHancer

START – RUN – type in %temp% OK - Edit – Select all – File – Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin
Boot and post a new log

Please give feedback on what worked/didn’t work and the current status of your system
 


Logfile of HijackThis v1.99.1
Scan saved at 12:48:03 AM, on 27/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\HP\KBD\KBD.EXE
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\S3tray2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PhotoDeluxe BE 1.1\ezphoto\Ezphoto.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www...

Answer:Need help, Log File Included

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.geekstogo.com/click...click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.geekstogo.com/ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.geekstogo.com/adawareSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run Cl...


alright guys the HJT program told me to ask somebody more qualified than I, so i came here. here's the HJT file, pls tell me what to fix.

Logfile of HijackThis v1.97.7
Scan saved at 1:27:22 AM, on 12/30/2000
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Atievxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wins\DLLHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\System32\wins\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike Robinson\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0...

Answer:hjt file included, PLS HELP


Logfile of HijackThis v1.99.1
Scan saved at 18:41:25, on 19.4.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\HJC\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mcicdb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explore...

Answer:Help HJ Log file included

What is your problem?
 


something is terribly wrong

log file:

Logfile of HijackThis v1.99.1
Scan saved at 8:47:30 PM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Wireless-G USB Network Adapter\WLService.exe
C:\Program Files\Wireless-G USB Network Adapter\WUSB54G.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\GmailNotifier\gnotify.exe
C:\aim\aim.exe
C:\Steam\Steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\iTunes\iTunes.exe
C:\Last.fm\LastFM.exe
C:\Documents and Settings\treyrex\Desktop\hijackthis\HijackThis.exe

O2 - BHO:...

Answer:Help Please (log File Included)

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download Bit Defender 8 Free Edition
Install the program and then follow the prompts to download all available updates.
Select Antivirus and then click the Settings button. Click Default. Click Ok.
Select Local Drives and click Scan.
When the scan is complete save the log and post it back here in your next reply.


Log is attached, its on a friends computer, earlier today she went to a website and it gave her a popup, one of those fake ones that says you have viruses, she clicked off of it, and now she is getting all of these annoying pop ups and then it just plays things without pops ups like congrats you've won whatever. any help appreciated. thanks guys
 


Hello, new to the forum, think this is great learning for a novice like me and appreciate the help if I could get it here.

I have the AWOLA virus/scareware on my system. My virus scan picks it up as Generic FakeAlert.b

A warning is posted on my right hand lower toolbar that says "Windows has detected syware infection. It is recommended to use a special antispyware to prevent data loss etc.."

I went through the 5 steps posted here and created this log, I hope I didn't screw this up.

Deckard's System Scanner v20071014.68
Run by Jeff on 2008-01-12 22:18:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-01-13 05:18:26 UTC - RP1052 - Deckard's System Scanner Restore Point
69: 2008-01-12 03:19:33 UTC - RP1051 - Removed QuickTime
68: 2008-01-12 03:08:02 UTC - RP1050 - Software Distribution Service 3.0
67: 2008-01-12 02:51:28 UTC - RP1049 - Spybot-S&D Spyware removal
66: 2008-01-11 03:57:49 UTC - RP1048 - Spybot-S&D Spyware removal


-- First Restore Point --
1: 2007-10-16 05:41:31 UTC - RP983 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Mic...

Answer:AWOLA scareware help needed, Log posted inside.

Bump, any help would be appreciated. thx

- Installed Java 6.4


Help! Hijack This Log is below, desperately need my computer back!!! I suddenly have 100% CPU usage and AdAware will get rid of it for a few minutes and it just comes back - have current version of Norton Security Suite that keeps finding 1 tracking cookie that AdAware Misses - also have SpywareBlaster and SpyCatcher installed.

SpyCatcher started to flash warnings that it has stopped spyware from running whenever I open a program right about the time this all started - is this a malware program by any chance? Also the same time this started about 5 of the last regular Windows updates from Microsoft failed - this has never happened to me before and with little time spent so far haven't found a way to delete the failed installations so they will update successfully.

Also I just upgraded to AdAware 2007 (free version) from the previous edition - there were about 29 new infections found by the upgraded program that the previous one didn't find, but the previous (free) version listed the number of infections found when it ran but when it notified how many it was removing there were always 11 more than the program stated - the new version doesn't tell me how many it's deleting so I wonder if they're still there or not. That used to do it until I rebooted and then they would be back, which tells me at least those are in the registry.

I got the latest version of Hijack This and installed this morning, below is the log file:

__________________________________________
...

Answer:Help! I'm Hijacked?? Log File Included

Me again - I just wanted to update, since so many posts newer than mine have gotten lots of attention while mine has gotten none, I'm about to be HOMELESS because I can't use my computer......

Regarding the 5 steps, I have been trying to complete as much as possible. Obviously the failed Windows Updates are the main concern and quite possibly my problem, and since I have my machine set to update automatically and daily I would imagine anyone else that does the same would know the exact updates I need....

Besides immunizing with IE-SPYAD because it's unclear whether the program will work, or is needed, with IE7 which I believe is past the beta stage now, the only thing I can think of that I haven't done yet regarding the 5 steps is install DSS - this is because it took over 6 hours for a SpyBot scan that I believe normally takes 5 minutes.....which did find 5 things not previously found, 3 of which seemed to have to do with disabling of Windows security such as antivirus and firewall??? And now the Panda scan has been running for over 4 hours and isn't even a third done.... As soon as I can I will download dss and submit a new scan and log file, but with the way things are going that could take days and I really need HELP!!!!!

Any suggestions anyone may have regarding the failed Win XP (SP2) updates would be really appreciated (I made sure all updates were made before installing the sp2).

Thanks a lot folks.


Wow I have a killer problem here. I had a malware that was popping up IE windows and kept trying to connect to the net anytime I went to windows explorer or control panels plus the ultimant defender. I tried to use search and destroy, avg antivirus, microtrend 12, windows malware remover, and no luck,
plus IE is popping up a new set of about 25 to 30 windows every 5 min or so

Any help is very grateful

ok was fast enough to get a log from in a normal boot if I hit the enter fast enough it made the scan then had to ctrl a and ctrl c within like 2 sec to get it but got it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:58 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\lqdhoadn.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program File...

Answer:trojan HIJ file included


Logfile of HijackThis v1.99.1
Scan saved at 12:14:39 AM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\srxTitan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\USBStorage\USBDetector.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Anti Trojan Elite\TJEnder.exe
C:\Program Files\South Ri...

Answer:HELP I've Been HiJacked Log File Included

Hi Steve and welcome to TSF.

Don't post your email address in a public forum like this one. There are spammers lurking here. Please watch the language also. It's edited out.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After...


I've run Spybot and rebooted twice and run Ad-Aware SE Personal and rebooted twice and am still getting several pop-ups. There is also a CashBack program that is reinstalling and placing a dog icon in my systray. I've removed it twice but it keeps reinstalling. A similar issue happened once before and this forum was a big help. Any assistance this time is appreciated.

HijackThis log file is:

Logfile of HijackThis v1.97.7
Scan saved at 10:56:20 PM, on 4/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\elwvica\famif.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\eico\tuuv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files...

Answer:Pop-ups - HijackThis log file included

Are you sure you're running updated versions of those programs? If not, try updating them manually, run them and then reboot, then run another HJT and post the log. I will be able to provide assistance with any logs between 5 and 6pm GMT+1
 


Logfile of HijackThis v1.99.1
Scan saved at 3:12:25 PM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\cndw\command.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\iftuyszv.exe
C...

Answer:Please Help.... (hijack This File Included)

Hi Welcome to TSG!!
Download SDFix and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool ...


Hi, please help me... my home page keeps changing now instead of having Google. My kids use this computer as well and I'm worried they have put something nasty on it. I have run HijackThis; I don't have a clue how to proceed to get rid of it, so could you be gentle? Thanks for help in advance....

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:52:19, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\P...

Answer: Please help, have included HiJackthis file

Can't believe how quickly this jumped off the first page...any help would be great thanks
 


I have this problem where I am getting random pop-ups and advertisements. I have scanned using Norton for viruses and Microsoft Antispyware, without finding anything.

As a result I am including a HijackThis report as follows:
Logfile of HijackThis v1.99.1
Scan saved at 15:38:59, on 09/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\SRVANY.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\FEELitDM.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WIN...

Answer: Random Pop Ups - HJT Log file included

Hi pc_doctor

Uninstall MessengerPlus! 3 from Add/Remove Programs.
_________________________________________________________________

Download and run the LOP Uninstaller here: http://www.thespykiller.co.uk/downloads.htm

Close all browser windows, run the remover, reboot.
Post a new log.
 


My firewall stopped SVC Host from connecting outbound. The report read that something had commanded it to connect and was closing that application.

When I cleaned out my offline files and history, all of my cookies except four were also gone. I have my machine set to where it only allows the cookies I accept, and never erase them.

I ran Spybot and get this as a threat: Win32.Agent.pz path:C:\windows\system32\wnspoem\.

Shortly after this threat appears on the screen, but before the scan is complete, the computer will shut off and will not restart until I unplug it.

The same happens when I run AVG, except I don't get an error before the system shuts down. NOD32 comes up clean.

I restored to a known good point, and at least I can boot up, whereas before it would boot, shut down and reboot continuously.

All of my saved login names and passwords are also missing and have to be re-entered.

The system runs great until I try to scan.

Here is my log. All help is greatly appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 2:54:15 AM, on 5/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG An...

Answer: I have been infected!! HJT file included.

I finally got SpyBot to run an entire session and removed the only thing it found. Could someone please look at my HJT and tell me if everything is OK before I start entering usernames and passwords again.

I need to pay some bills, but don't want my information hijacked.

Thanks all. When I am sure this thing is safe I definitely will donate.
 


Hello all, This is my first time to this forum, and I'm hoping someone can check out my logfile from HiJackThis. My girlfriend was using my computer and claimed she started seeing pop-ups and getting porn ads embedded into sites like the local news channel and other normally porn-free sites. I did a scan with Malwarebytes and found a ton of items which I deleted, and also found that WinBlueSoft was in my Add/Remove Programs. I removed it from there, but I am still getting pop-ups. The infected items are being found over and over again each time I do a scan with Malwarebytes and with AdAware, even in Safe Mode. I just discovered I cannot do a defrag (I can get to the defrag screen, but I get an error message when I try to defrag C: that says "Disk Defragmenter could not start"). I've got a total drive size of 144 GB and 12.2 GB remaining, but I'm not sure that would affect the defrag process. Lastly, I cannot get the DVD burner to burn using any of the most popular burning software anymore--the programs always say something to the effect that there is no DVD burning device installed. The drive itself works and plays both music CDs, game discs and movie DVDs. My recovery disc for my computer is not recognized when I reboot, although I am able to explore that disc and see the contents of it. I can't think of any other info that would be useful to you all, so I'll just attach the logfile and check back soon. Thank you for any help you can offer!

Logfile of...

Answer: WinBlueSoft?? Please help--HJT log file included

Hello and to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.
-----------------------------------------------------------
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, ...


Please advise on invalid files to remove. Thanks

Logfile of HijackThis v1.99.0
Scan saved at 4:03:32 PM, on 6/1/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadru...

Answer: Please Advise, HJT file included
