Computer Support Forum

Awola Removal!!!!

Question: Awola Removal!!!!

I have Awola virus on my computer and I cannot get it off. I have deleted the registry values and everything. I ran Spybot S&D and Ad-Aware. Please help in any way you can. Thanks.


Answer: Awola Removal!!!!

help plzzzz, i can barely use my computer with it this bad. thanks

Relevance 66.01%
Question: Awola Removal!!!!

I got infected with Awola and can't get it off. Thanks for your help.

Incident | Status | Location
Spyware:Application/Awola | Not disinfected | c:\documents and settings\kris\application data\awola\awola.exe
Spyware:Application/Awola | Not disinfected | C:\Documents and Settings\Kris\load.exe
Potentially unwanted tool:Application/PRScheduler | Not disinfected | C:\Documents and Settings\Kris\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe ... Read more

Answer:Awola Removal!!!!

Any suggestions on how to get rid of this. Plzzz my computer is crashing and i need help bad. Thanks

Relevance 66.01%
Question: Awola Removal

dealt with AWOLA removal today. here are the following steps used to remove it:

0. DISABLE System Restore.

1. download, install and update Malwarebytes AntiMalware removal tool.
http://www.malwarebytes.org/

2. reboot your system into Safe Mode with networking.

3. verify that you have the latest update of Malwarebytes by performing the update again.

4. perform a FULL SCAN with Malwarebytes and, after the scan is complete, remove all items in the list.

5. perform a search on your computer for the following:
*awola*.*
this will search for ANY file in your system with the word 'awola' anywhere within its name, regardless of the file extension. DELETE any 'awola' files.

6. open the registry (ie. regedit) and do a search for 'awola' and remove any items you find.

7. perform another scan with Malwarebytes to be certain your system is clean.

8. restart your system.

if anyone has comments, please share them.
 

Relevance 66.01%
Question: awola removal

My brother-in-law has managed to install awola and now I have to get rid of it. Any ideas? He lives 60 miles away and is techno-phobic.

Answer:awola removal

click here

Relevance 65.19%

After reviewing the forums I have found that I have a common issue as others do. I have the same Windows balloon pop-up and when clicked it will install the fake AWOLA anti-spyware. I have already followed the steps required to generate logs and I am posting them now. Could someone please provide me with any additional help to remove this malware from my system and thank you in advance.
 

Answer:AWOLA virus removal help

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Do you use MusicMatch Jukebox?

You need to go back and follow the instructions in step 1 of the READ ME for MSconfig. You must not use MSconfig to control any startups or services. Select Normal Startup mode and remain in that state.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_4\bin\jusched.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O17 - HKLM\System\CS2\... Read more

Relevance 63.14%

I am attempting to clean my in-laws computer but I have been unable to remove AWOLA spyware from their system. I have downloaded Ad-Aware and also followed the steps that you suggested and I am still seeing the yellow box pop-up and AWOLA will uninstall and then re-install itself. I have been unable to locate the original file only shortcuts. Also, I have not been able to do any Windows Updates on their system. PLEASE HELP!

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-16 17:15:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 383 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:55 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Answer:AWOLA Removal and Your computer is infected! Popup continuous

Hi, welcome to TSF!

If you still need assistance, please post a fresh main.txt log

Relevance 44.69%
Question: AWOLA

Just picked up Awola on my computer. Please help, how do I get rid of it??
 

Answer:AWOLA

have you tried any of the google search links?
http://www.google.com/search?aq=t&oq=awola+re&hl=en&safe=active&q=atwola+removal&btnG=Search

I haven't had specific experience with this one.
 

Relevance 44.69%
Question: Awola

thanks for your advice boopme.

i had so much trouble getting rid of awola and i finally did it thanks to your suggestions.
thanks a lot!

Answer:Awola

You're welcome and welcome to BC. I split your post away into its own topic as that one is still working and you are further along. Always make your own topic; it is the better method and keeps things from being confused. As in, the step for you to do is not the step for them, thanks.

I would recommend you do this step now. Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all ... Read more

Relevance 44.69%
Question: Awola

Well I got the AWola bug and it's a killer. Dang "Your Computer is infected!" pops up every 5 seconds after closing it and that is the good news. I can't go anywhere without being redirected. I am not even sure how I have made it to this site. Anyway I have done a HIJACK THIS log and I am posting it if anyone knows what to do I am all EARS. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:00 PM, on 12/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Answer:Awola

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. Please download ComboFix and save it to your desktop. Double click combofix.exe and follow the prompts. When it's done running it will produce a log for you. Please post that log in your next reply. Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Relevance 44.69%
Question: Awola

Hi,

I've tried to clean Awola off of my system by piecing together what to do from the threads in this forum, and it appears to have removed the pop-ups. Can you guys take a look at my HJThis log and let me know if I missed anything? Also, please let me know if I should post anything else to be reviewed.

Thanks very much
 

Answer:Awola

Your HJT log is clean...although we recommend that the exe be renamed to analyse.

Are you still having problems? If you are:

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

Relevance 44.69%

I searched previous threads about this pesky malware, but I think my problem might be a little different...
So my computer automatically shut down, and then after rebooting I noticed a popup (from the taskbar only) telling me that my computer is infected and that I should download "special antispyware"...

I haven't clicked it, and don't plan on it, BUT I'm wondering if my computer is already infected ( I ran spybot and AVG and both found no infections.) and if not how do I stop that pop up from well popping up.

Thanks
 

Answer:Not sure if I have awola yet...

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide

Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can try running steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.


Plus a guide on HOW TO: Attach Items To Your Post
 

Relevance 44.69%

I'm infected with Awola.

I don't know if that's what it's called exactly, and there could be more to my problem than that; but there are other threads on this very problem. As far as I could tell, netiquette on MajorGeeks says I should make my own thread rather than invade someone else's.

If I'm wrong, I'm very sorry for having made a redundant thread.

Symptoms:

- A yellow triangle with a black exclamation point in it sitting in my task bar. It spawns a large, intrusive word bubble telling me I'm infected with spyware and that Windows will download the Awola anti-spyware program if I click the bubble.

- My system will freeze for several seconds at a seemingly random frequency. It always unfreezes, and anything I've done during the 'frozen' period (words I've typed, things I've clicked on, etc.) eventually happens after things come unfrozen.

What I was doing when I first noticed the infection:

- I'd been gone for two days, and my computer had been left on. When I came back I noticed my internet browser was open, and the word bubble was staring at me. I don't believe anyone touched my computer while I was gone.

Hopefully I've attached everything properly.

I did an AVG scan, but the log reads:

"[1/21/2008 15:03:15 PM] synchronize database and filecache"

I followed the directions in the "read me first and do these thi... Read more

Answer:Awola, maybe others.

Welcome to Major Geeks!

Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it now.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 3
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\system32\s1940.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\RICHARD\Application Data\pzruv.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\RICHARD\Application Data\Awola\Awola.exe" /MIN
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WIND... Read more

Relevance 44.69%
Question: Awola Bug?

There's a little bubble on the right side of my screen, near the clock, that keeps popping up (and won't go away, which is very annoying), saying "Your computer is infected!" Unknowingly, I clicked it and it presented me with "Awola Anti-Spyware 6.0" or something to that effect. I Googled Awola and found out that it was a rogue anti-spyware program, or something. So, I checked out Add/Remove Programs, and it wasn't in there. So I went through the Start menu to Uninstall Awola, and it said it was removed successfully, but the bubble will still not go away.

I am completely computer-stupid and have no idea what to do. Any help?
 

Relevance 44.28%
Question: Awola Malware

My computer has been infected with Awola. I am normally pretty good with computers but this has caused me to waste the last 6 hours on trying to remove it with no luck. From what I have read this is pretty common but extremely hard to remove. I really need help before me and my computer play fisticuffs.

Here is the log named main.txt:

Deckard's System Scanner v20071014.68
Run by Barry on 2008-04-22 22:52:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-04-23 02:52:32 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Barry.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:25 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Answer:Awola Malware

Hello BarryCarey
Welcome to BleepingComputer
========================
If you are still in need of assistance please post a new Hijackthis log.

Relevance 44.28%
Question: awola virus

I am running windows xp and believe I caught the awola virus probably bundled with a lot of other things.
Ok, all I really want to do is copy my files to my external hard drive so I can reformat my computer. But, the virus has taken away my administrator status. It has disabled copying files to my external hard drive or dragging and dropping files. I cannot install Norton antivirus. The error message is "Setup was unable to update the MSI system component. If this problem continues please contact Microsoft at www.microsoft.com". I try to open my network connections, and they won't open.

Is my best bet just paying for the phishing scheme and going along with awola? Will it give me back these capabilities after I have paid, so I can reformat my computer?

Please help. I am desperate.

Answer:awola virus

Oh, I am also considering buying XoftSpySE. I downloaded the program off the internet, and it did locate many corrupt files. However, I am worried if I purchase it, I will not be able to install it fully and use it as I wasn't able to install Norton Antivirus from disk. Is this a legitimate fear, or did this program already install, and when I purchase the license key, it will simply remove the corrupt files?

I hope I explained this well. Please reply.

Relevance 44.28%

Howdy!

My computer seems to have been infected with this malware Awola. It is driving me bonkers. I cannot seem to rid my computer of this program. I've tried my antispyware programs and uninstalling and basic registry deletions, but it keeps regenerating.

Any help would be tremendously appreciated.

Thanks,
Andrew
 

Relevance 44.28%
Question: Awola infection!

My computer is infected with Awola anti spyware. I searched Google for some solutions for this aggravating problem. This website caught my eye. I hope that I can be helped for my problem. As of right now my computer crashes on normal mode within 5 mins of startup. The only way I can use the computer is on safe mode.
Once I entered the website I was reading a forum for Awola removal and downloaded the file SDfix (this was from a link on the thread). I decided that it would be best if I discontinue any attempt at correcting the problem myself because I am not extremely knowledgeable. Thanks for any help I can get.

Answer:Awola infection!

Why doesn't anyone want to help me with my issue?

Relevance 44.28%
Question: Awola hijack

My sister's computer has been hijacked, any help will be much appreciated. Here's the HJT log:

Relevance 44.28%
Question: Awola Invasion

Good Day Doctors, I'm helping another friend with their system. It looks like they got caught in one of those sites that pull you in and the next thing you know the software is on your system. I'm trying to uninstall a program called AWOLA. It states that it is an ANTI-SPYWARE and the system has been infected. I tried to uninstall it but no luck. It seems you have to buy the program to have the option available to uninstall it.

Has anyone heard of this program and how can I get it off my friend's system?
Thx in advance
Steve
 

Relevance 44.28%
Question: Awola virus

How do I get rid of the awola virus?

Answer:Awola virus

Hi and welcome to TSF.

Please start here and follow the instructions.

http://www.techsupportforum.com/secu...sting-log.html

If you cannot complete any of the Steps, simply move on to the next one - remember to let the Analyst know about this when you post your logs.

Do not post your logs back in this thread - follow the guidance in the above link!

Please note that the Security Forum is always busy, so I would ask for your patience while waiting for a reply.

Relevance 44.28%
Question: awola help needed

my sweet husband contracted awola and I am left to figure out how to get rid of it... any help is much appreciated - here is the HijackThis Log I just ran



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:50 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Answer:awola help needed

I have now also completed ComboFix but the popup "Your computer is infected!" is still there... log listed below but not sure if I did it correctly. It is also affecting other programs and now I cannot print. Please help before I divorce my husband or at least throw the computer at him!!!




WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Relevance 44.28%

Awola is driving me crazy!! And just about the time I get started on another paper, I get a pop-up. I can't tell you how many times I have had to re-connect to this site just to finish this thread.
I wasn't able to perform a Windows Update because the Windows Genuine Advantage Validation Tool wouldn't install. (KB892130).
Here is the log;

Deckard's System Scanner v20071014.68
Run by gc on 2008-01-18 13:44:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-18 19:44:32 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as gc.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:41 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal


Answer:Awola & numerous pop-ups

Download SDFix from here and save it to your desktop.


Please then reboot your computer in Safe Mode by doing the following :
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.


=========================================


Download Combofix from any of the links below, and save it to your desktop. For information regarding this d... Read more

Relevance 44.28%

Hi can anyone assist me? I am trying to repair my cousin's computer which appears to have Awola installed on it.

I am also unable to get the computer to detect any wireless signals even after manually entering the settings for my network. In addition, the user also installed SystemTech Spyware Cleaner. Is this a good program to use? Am I better off using Windows Defender?

Below is a log file


Deckard's System Scanner v20071014.68
Run by RASHIDA XXXX on 2008-05-03 20:53:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as RASHIDA ROACH.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:15 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal


Answer:Please help Awola 6 on laptop

I am sorry to bump this thread. I was wondering if there was something that I left out or should have done before posting this thread.

I did complete steps 1-4. I was unable to connect to the internet to do an online scan.

I apologize if I incorrectly posted. Sorry for bumping this thread.

Relevance 44.28%
Question: Awola.... sigh

I'm embarrassed that I got "suckered" into this spyware, but I clicked too quickly after seeing the security alert (bogus, of course). I've searched and read everything, and can't believe I'm unable to get rid of it!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:36 AM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Answer:Awola.... sigh

Stupid spyware! Ran SDFIX and COMBOFIX with fingers crossed

Anyways....the Awola popup from the tray is still there!!


SDFix: Version 1.129

Run by LocalAdmin on Tue 01/22/2008 at 10:54 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found






Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 23:00:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" ... Read more

4 more replies
Relevance 43.87%

Hi, yesterday I started getting some really annoying Awola anti-spyware popups on my PC. I used the information in some of the threads on this forum, and thought that I had it beat, but today, I'm having the same problem. Here's the HijackThis log. Any help is much appreciated. This is a really annoying issue.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:55 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\bak\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunes... Read more

Answer:Solved: Awola Malware

16 more replies
Relevance 43.87%

Had a recent problem with malware. The main culprits seemed to be Awola, Security Toolbar, Kukkakreck taking over my home page with numerous pop-ups and slow performance. Followed your nine step program and am greatly appreciative for the concise advice. Most of my problems seemed to be solved but I will post the log and hope for the best. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:34 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Sygate\SEA\smc.exe
C:\WI... Read more

Answer:Awola, Kukkakreck, Etc. And Other Villains

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Thom T

My name is Richie and I'll be helping you to fix your problems.

Please disable Spybot S&D's protection, or it will interfere. You can enable it after you're clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.

Then, check next to the computer clock to see if the icon for Spybot is still there. If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.

If you find you're experiencing problems disabling Spybot's Tea-Timer, follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present, then restart your pc:

Viewpoint
Viewpoint Manager
Viewpoint Media Player

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.

1. Download the latest versio... Read more

15 more replies
Relevance 43.87%

I keep getting pop-ups and a little notification at the bottom right of my screen saying: "Your computer is infected! Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware."

I clicked it and found that it was installing a program "Awola," which I later found to be some sort of spyware or something. I uninstalled and did some Ad Aware scans (both in normal and safe modes), but I keep getting this notification CONSTANTLY. It's really annoying. Can anyone help?

Thanks!!
 

Answer:Awola program--How do I remove it?

14 more replies
Relevance 43.87%

I have a similar issue to others but I don't see a common fix - HELP!

I've run all the programs you recommended. Here are the logs.

This virus puts a yellow bang in my tray and states I've been infected. After closing the message a few times it launches Awola.

I believe it hit me 2 weeks ago.
 

Answer:Awola virus has infected my pc

More files attached.
 

10 more replies
Relevance 43.87%

gettin tons of pop ups, mainly says "internet speed monitor" or "outerinfo" on em, also awola self downloaded dis now automatically coming on and what not, and of course comp running slow as heck. Thanks for help, im computer stupid, haha.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jr... Read more

Answer:Pop Ups, Awola, Sloooow Comp, Help!

already fixed it, didn't know how to just delete the topic, thanks.

2 more replies
Relevance 43.87%

I have run the XP cleaning procedure with combofix, spybot, AVG and MG tools as suggested by this great site, but I still have a nasty Awola bug on my computer. I will try to attach the logs, but AVG stated that it did not create one.

Please help, and thanks in advance!
 

Answer:awola still giving me fits

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Spybot - Search & Destroy 1.3 <-- this has not been used for more than 2 years.
Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

Then install the proper version of Spybot as given in the READ ME. MAKE SURE to uncheck the option for using Teatimer.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Home\Application Data\zpbfwsb.exe
O4 - HKLM\..\Policies\Explorer\Run: [ngm] C:\WINDOWS\System32\ngm.exe
O4 - HKCU\..\Policies\Explorer\Run: [nhhp] C:\WINDOWS\System32\nhhp.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab
O20 - Winlogon Notify: khfdbxx - khfdbxx.dll (file missing)
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is ... Read more

9 more replies
Relevance 43.87%

Hi there, I believe my computer was recently infected by the Awola Virus / Trojan, and I could really use some assistance. I thank you in advance for any suggestions and help, they are appreciated. I'll put up a detailed description here of what's happened so far, and can certainly provide any additional information that may be required. My computer knowledge is okay, but very limited in terms of spyware and troubleshooting complex problems like this one.

Operating System = Windows XP

A couple of days ago I was doing some stuff online at 7:45pm, preoccupied and in somewhat of a rush. I got a popup menu that a trojan had been found, I assumed it was from my McAfee Security Centre (as this has happened several times before) but I didn't really look at it that closely, and selected okay (I think). I then started to receive a bunch of popups about Spyware, and Awola spyware removal program. I kept closing them because I was in a rush, didn't really look that closely, thought it was just ads and may very well have clicked something I shouldn't have. I did see the Awola Program box come up at one point and I thought I attempted to close it, but I may have clicked on something inadvertently.

Upon rebooting later, I realized that the computer was probably infected. I cannot click or open any application, by double-clicking an icon or program name I always receive the same error message (tailored to whatever application I attempted to open). A black empty box a... Read more

Answer:Infected By Awola 6.0 And Could Really Use Some Help Removing It

if you have not already done so you could try the superantispyware program?
http://www.superantispyware.com/superantis...efreevspro.html

download it from
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

run the installation program and start the program from the desktop icon; fully update the definitions, reboot the computer into safe mode if it will let you, then run superantispyware from the desktop icon on a full computer scan

when the scan is complete, reboot your computer into normal mode, and come back and post the log report you should find by opening the program and go to preferences/statistics.logs

left mouse click on the most recent entry, click on 'view log' and copy and paste that report into here for examination so folks can see what help you may need

30 more replies
Relevance 43.87%

I have read that some others have gotten help on the Awola virus, can someone help guide me through removing this malware?

More replies
Relevance 43.87%

Hello TechGuy users,
I am a new user to TechGuy after my friend had an encounter with... AWOLA.
They said they were getting pop-ups even if not on the internet and their whole Compaq Windows XP Laptop is slowing down. I told them to get Spybot Search & Destroy and update to the newest version and they did. They scanned their whole computer and they destroyed some AWOLA software, but it is still there.

What should they do?
Thanks,
Michael
 

Answer:AWOLA Spyware... AAAHHHHH!

More info:
I told my friend to do System Restore; they said it didn't work, then also tried to uninstall it manually but they want them to pay for it...

 

1 more replies
Relevance 43.87%

hello guys/gals:



here with my computer again. it now has a phony anti-virus software on it, "awola". the computer has been taken over, no task manager, no wallpaper, random shut downs, constant "warning" pop ups, I can't do anything anymore......


please help thanks


here are the logs:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 18:02:31.03 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.500 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\awolaantispy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTune... Read more

Answer:AWOLA has infected my system

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please explain why this computer has no antivirus program installed and running. This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Please keep this computer offline except when downloading tools and posting in the forum until we get one installed. Let me know your intentions for an antivirus program.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs ... Read more

2 more replies
Relevance 43.87%

Hi there, I REALLY need help. Okay, so first I got infected with awola. It's a flashy trojan virus that disguises itself as an antivirus spyware, and I thought I removed it, and then today I turn on my computer and I have 2 drives, C and D, and my D drive would not load, like it would just show my background with no icons or side bars on it. Please, if you know how to help, would you please? I would be forever grateful. Thank you.
 

More replies
Relevance 43.87%

Hi, my mother recently infected her PC with AWOLA, and ever since, everything has been running much worse. I've tried to use previous posts / fixes, but to no avail. I've included the DSS report below. Thank you so much.

Deckard's System Scanner v20071014.68
Run by sconstan on 2008-02-01 14:59:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-01 14:59:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\scardsvr.exe
C:\Progress\OpenEdge\bin\admsrvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft SQL ... Read more

Answer:Older PC Infected with AWOLA, Please Help

Bump. Thanks again.

8 more replies
Relevance 43.87%

My boss's computer got hit with AWOLA. Before finding your site I tried to fix it. We run McAfee antivirus. His firewall was down, which has been fixed.

His computer runs XP Pro, he can do what he needs to do however, he still is getting the message popping up. Your computer is infected.

Yes, I deleted files and some registry stuff already. I ran spybot and found a few more files. On the last run of spybot there are not offending files showing. Is there any way of ridding that annoying message?

Thanks,
 

Answer:AWOLA- Continued Pop Up Message

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

3 more replies
Relevance 43.87%

My machine has been infected with AntivirusXP 08 and Awola. Have cleaned out a lot but now am left with random non-fatal BSOD's that I think are a trademark of these infections. Kaspersky scan of the critical areas is clean so there is no log to attach. I am including the two logs from the DSS scan.

Deckard's System Scanner v20071014.68
Run by Samantha on 2008-07-19 14:35:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 480 MiB (512 MiB recommended).

-- HijackThis (run as Samantha.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:42 PM, on 7/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files... Read more

Answer:Antivirusxp 08 And Awola Infection

Hello, my name is fenzodahl512 and welcome to BC.. Please do the following...

Please uninstall Viewpoint Media Player from your computer..

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

------------------------

Please download the OTMoveIt2 by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\Documents and Settings\Samantha\Application Data\internaldb6334.dat
C:\Documents and Settings\Samantha\Application Data\internaldb41.dat
C:\Documents and Settings\Sam\Application Data\shc3ubj0enb9
C:\WINDOWS\system32\blphc5ubj0enb9.scr
C:\Program Files\Viewpoint
EmptyTemp
puri... Read more

2 more replies
Relevance 43.46%

Have an AWOLA infection. was going to use info from this forum which suggested downloading a couple of files to help. But when I try to go to the sites, I get redirected to no page. Can't go anywhere.

Also, when doing a search now to locate and delete AWOLA files I get an error notice and Search shuts down.

Ad-Aware will run then stops about half way through.

Continuously get a little popup about infections. And there is a little yellow triangle on the startup menu bar (lower right) that, if clicked, will start Awola again.

Any suggestion, or do I just throw the box away?

Thanks,

Pete

Answer:Awola - can't download fixes due to redirect

You should be able to download this tool. If not, use another machine, and a usb stick or CDR to carry it to the afflicted machine.

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do: create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

------------------------------------------------------------------------------------... Read more

3 more replies
Relevance 43.46%

Hi everyone-

I'm trying to help my younger brother get his computer functioning properly.

Within the last couple of weeks, he's acquired the AWOLA problem, the machine runs incredibly slow and also his home page starts out at something completely different even though we've changed it back many times.

I've gone through the 5 steps and this is what I have.
Thank you all for your help.




Deckard's System Scanner v20071014.68
Run by Adam on 2008-04-25 23:30:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-04-26 04:31:07 UTC - RP1005 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).
System Drive C: has 4.34 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-25 23:35:32
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe... Read more

Answer:AWOLA + Hijacked IE Home Page + others...

Hello and welcome to TSF.

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=7&ar=msnhome
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O15 - Trusted Zone: about://internet (HKCU)
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} () - http://hotsearchbar.com/toolbar2/winhot32.cab

Close all browsers and windows other than HijackThis and click on "fix checked".

I am not sure if you set this as your start page yourself or not... Read more

11 more replies
Relevance 43.46%

This is definitely not an anti-spyware program. It opens a window off the toolbar disguised as a Windows security update. It warns, "Your computer is infected! Click here to protect your computer...". The balloon does not go away. It worked its way onto the computer uninvited. I've followed all the procedures listed in the Preparation Guide but to no avail. Please help. Thanks for your time and expertise. Here's the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:13 PM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\M... Read more

Answer:Infected With "awola Anti-spyware 6.0"

Welcome to the BleepingComputer HijackThis Logs and Analysis forum rosevilledad

My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.

1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:... Read more

7 more replies
Relevance 43.46%

Here's my logfile. Is this the right thing to post?



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:38:27 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINXP\Explorer.EXE
C:\WINXP\StartupMonitor.exe
C:\Program Files\Antivirus\Clamwin\bin\ClamTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP\system32\RDSHOST.exe
C:\WINXP\system32\sessmgr.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\logonui.exe
C:\WINXP\system32\rdpclip.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINXP\system32\logon.scr
C:\Program Files\Antivirus\HijackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\Antivirus\SpyCatcher\SCAc... Read more

Answer:Awola fake anti-spyware

Ok. We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running ComboFix

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

=======================================

Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extra... Read more

1 more replies
Relevance 43.46%

Hey guys, I'm working on a PC for a friend, and she has the constant "Your Computer is infected!" crap going on... Here's the HJT and SmitFraud logs:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:18:29 PM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messen... Read more

Answer:HijackThis/SmitFraud logs - Awola!

Please see the new post below... the above scan was old...
 

2 more replies
Relevance 43.46%

Hi,

Earlier today I managed to get the Awola malware onto my computer. I have run Ad-Aware & Spybot S&D along with F-Prot anti-virus software. I have also run Hijackthis! & removed the Awola line. I also ran a search of my computer files & removed all files relating to Awola. I have rebooted my computer & the annoying yellow triangle warning message continues to pop up every 30 seconds. Could someone help to squash this pest?

Thanks in advance!
haroldff1082

Answer:Annoying "your Computer Is Infected!" Pop-up (awola)

Hello and welcome haroldff1082

What antivirus product do you have installed and have you scanned with it in safe mode.

Please do this also

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop .. DO NOT run yet.

Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or Opera browser click it at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs... Read more

3 more replies
Relevance 43.46%

This morning I had a little yellow triangle with a black exclamation mark appear in my toolbar. Upon doing some investigation and updating Spybot S&D and running it in the safe mode as well as searching files and deleting them from my program files, control panel and other locations, after re-booting, the yellow triangle continues to reappear as well as I can hear my pop-up blocker blocking tons of attempts. I need help getting rid of this cursed thing. I have included my HJT log which I just ran about 5 minutes ago. Thanks in advance for help. I look forward to hearing from anyone who can assist.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:01 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\ATT Internet Tools\blslo... Read more

Answer:AWOLA VIRUS - HJT log file included

Hello biddle1,

Infection is showing here, so assuming you have not made too many changes since posting this log let's work from what shows here for now.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Download ComboFix.exe from here to your desktop

Then disconnect from net access. Once you have done that, click the downloaded ComboFix.exe file to run the repair.
When starting ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you so you will understand that the procedures are expected, and okay.

ComboFix will also change the drive autoplay settings there as its own added security measure. When we have completed all repairs here we will return the default Windows settings.
A caution - do not touch you... Read more

3 more replies
Relevance 43.46%

A big thanks in advance.

Windows XP Professional SP2

I am working on a friend's PC that was hit with Awola 6. He followed removal procedures described at http://www.spyware-techie.com/awola-or-awo...-removal-guide/

He brought me the computer with no signs of the Awola 6 files or registry entries mentioned in the link above yet his network adapter stops receiving packets only about a minute after the Windows desktop has booted.

I used system restore to take him back to before the attack but no help. Ran Smitfraud again and no help. I weeded through the running processes and ensured that there was no proxy set up in Internet options.

Since the system has no available network connection I wasn't able to run the Kaspersky online scanner.

I ran DSS and here is the log: Please note that I didn't have the computer hooked up to the router at the time of the DSS scan. If it is important I can hook the computer up and make a new log.

Deckard's System Scanner v20071014.68
Run by Santa B on 2008-06-20 04:50:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-06-20 11:50:23 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Santa B.exe) ---------------------------------------------

Logfile of Trend Micro HijackThi... Read more

Answer:Awola 6 Removed But Packets Are Not Being Received.

I'm hoping somebody can get to solving this soon.

5 more replies
Relevance 43.46%

I've had this infection for some time. Tried a bunch of methods from computerforum but still can't finish the virus off. I constantly get CID popups and on my mom's guest account she has this annoying AWOLA popup that appears to say it's an anti virus program.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:45 PM, on 5/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\D... Read more

Answer:Badly Infected With Cid Popups And Awola

also in my c: folder I have like 200 TMP files that look like pos1A2F.tmp what are these??

3 more replies
Relevance 43.46%

Hi there. I believe I contracted a virus / trojan through Awola 6.0 a few weeks back. I started a thread in the 'Am I Infected' section, here's the link for that full thread: http://www.bleepingcomputer.com/forums/t/143729/infected-by-awola-60-and-could-really-use-some-help-removing-it/

Long story short, I believe this virus was contracted on Wednesday, April 23 around 745pm. My operating system is Windows XP. Whenever I double-click on any .exe file I get an all-black window, and a little window above it with an error message similar to this:

"16-bit MS-DOS Subsystem
C:\Documents and Settings\All Users\Desktop\Winamp.Ink
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application."

I can right-click certain programs and select "Run As" to use them, but can't double-click on anything. I also think this virus has taken over Administrator duties, changed my registry and is preventing me from properly installing programs. It was also preventing me from running anti-virus scans, but I believe we have found a way around this, and I was finally able to process a scan with DSS (and Hijack This). I also did a scan using the Kaspersky scanner. I will copy and paste all logs below. Thanks in advance for all your help.

HIJACK THIS MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Mania on 2008-05-19 22:51:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- ... Read more

Answer:Infected With Awola 6.0 Virus / Trojan

Hello

Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.

If you have since resolved the original problem you were having would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When the scan is complete, two text files will open in Notepad:
main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the c... Read more

18 more replies
Relevance 43.05%

Hello, new to the forum, think this is great learning for a novice like me and appreciate the help if I could get it here.

I have the AWOLA virus/scareware on my system. My virus scan picks it up as Generic FakeAlert.b

A warning is posted on my right hand lower toolbar that says "Windows has detected syware infection. It is recommended to use a special antispyware to prevent data loss etc.."

I went through the 5 steps posted here and created this log, I hope I didn't screw this up.

Deckard's System Scanner v20071014.68
Run by Jeff on 2008-01-12 22:18:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-01-13 05:18:26 UTC - RP1052 - Deckard's System Scanner Restore Point
69: 2008-01-12 03:19:33 UTC - RP1051 - Removed QuickTime
68: 2008-01-12 03:08:02 UTC - RP1050 - Software Distribution Service 3.0
67: 2008-01-12 02:51:28 UTC - RP1049 - Spybot-S&D Spyware removal
66: 2008-01-11 03:57:49 UTC - RP1048 - Spybot-S&D Spyware removal


-- First Restore Point --
1: 2007-10-16 05:41:31 UTC - RP983 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Mic... Read more

Answer:AWOLA scareware help needed, Log posted inside.

Bump, any help would be appreciated. thx

- Installed Java 6.4

19 more replies
Relevance 41.82%

I'm not exactly sure at what time it happened or what I was doing, but the "Awola Anti-spyware 6.0" program is installed on my computer and won't uninstall. A pop-up box is constantly at the bottom right-hand corner of the taskbar saying Your computer is infected!, recommending that I use the tool to prevent data loss.

Also - on another note - I'm unable to use any open-source internet browsers (i.e. Firefox, Opera, Bonjour...). When I attempt to use Firefox (for example) I'm given the message "Firefox can't establish a connection to the server at www.google.com." It won't open any site. I'm given a similar message when I try to use any other browser other than IE. The browser suggests that if my computer or network is protected by a firewall or proxy, to make sure that Firefox is permitted to access the Web. I don't think this is the problem - but I really can't be sure. I never did anything to change these settings - nor would I know where to go to do such a thing. I'm not sure if these two things are related as the internet problem happened a good 2 months after the Awola problem started.

I really appreciate any help. From viewing other members' responses, your help seems very effective.

Thanks!

Deckard's System Scanner v20071014.68
Run by Frankie on 2008-02-22 23:17:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore -------------------------... Read more

Answer:Awola Virus :( .... May also be messing with my open-source internet browsers

One more thing I forgot to mention! --- On step 4 of what to do before posting a log - Updating the Operating System - I was unable to update. Is there anything I can do to fix this?

Thanks so much!

13 more replies
Relevance 37.72%

Hello All,

I placed this in the wrong forum last week, I hope someone can help me.

I seem to have a few problems on my PC, no Pop-ups but something has Hi-jacked both my active-desktop and IE 6. IE 6 is un-useable. I also have Awola Anti-spyware message in near the clock. Another that came up today which says it is Window's Security Center says you have been infected with Spyware.

My active desktop has been hi-jacked again, it keeps bringing up a default.htm in the on my desktop. (what I have done for this is created a default.htm with a picture in it. So when the process calls up this default.htm it is something I want to look at.) Will explain more if it makes a difference.

I also have a LoadLibrary Manager error???? It wants me to send an error report.

Here are the steps that I have taken:
1. Cleaned out Temporary internet files in IE6 and Cleared private data in Firefox.
2. Ran Ad-Aware SE (Crashed several times)
3. Ran Spy-Bot Search and Destroy selected all and clicked Fix and repair
4. Rebooted and tried running Ad-Aware SE again and it crashed.
5. Ran Spy-bot again and downloaded Ad-Aware SE and installed fresh copy.
6. Rebooted and ran Ad-Aware SE selected all and quarantined.
6. Reboot and ran Ad-Aware SE again. quarantined again.
7. Ran Norton Anti-Virus cleaned everything.
8. Ran House Call Anti-virus tried to clean.
9. Attempted to run Panda and Bit defender to no avail, since IE has been hi-jacked.
10. Ran McAfee AVERT Stinger. (really can't tell if it is cleaning anything sinc... Read more

Answer:Spyware That Has Taken Over My Active Desktop And Awola Anti-spyware

Hi,

Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Before you proceed with the following steps, please do this first..
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:
C:\WINDOWS\system32\GE.dll
Select it and click ok:
Then click the Send File button below.

Then AFTER you did before...

* Start HijackThis, close all open windows leaving only ... Read more

6 more replies
Relevance 37.72%

I'm in an identical situation to another post. I'm not sure though if the response to other post was based on the reports or not. So, like the other guy:

Ran all the "READ & RUN ME FIRST" (Win XP) steps. Still have popups from yield sign in tray that say "Your computer is infected!" Also still have Awola Anti-spyware that either Spybot S&D or AVG had detected, and I thought, deleted.

Thank you so much for this forum!! Just let me know if I should simply follow what the other thread described.
 

Answer:AWOLA antispy and "Your Computer is Infected"

Hi kilgore!
I'll take a look at your logs and get back to you. This takes some time, so thanks for your patience. Please don't use your computer too much until we're sure it's clean.
abri
 

14 more replies
Relevance 36.9%

Ran all the "READ & RUN ME FIRST" (Win XP) steps. Still have popups from yield sign in tray that say "Your computer is infected!" Also still have Awola Anti-spyware that either Spybot S&D or AVG had detected, and I thought, deleted.

Attached Combofix and MGTools logs. AVG had no report to save even though I had "Automatically generate report after every scan" checked and "Only if threats are found" unchecked. The only thing AVG found was 9 cookies.

Thanks.
 

Answer:"Your computer is infected!" & Awola

Hi cee3!
Welcome to Major Geeks!

I'm looking at your logs.
abri
 

8 more replies
Relevance 36.9%

MS Removal Tool is a rogue software. It restricts you from accessing your desktop. You cannot start Task Manager, and you cannot open Internet Explorer or any other programs. This situation is the result of malware (a variant of Win32/Winwebsec) that is infecting your computer.
To remove the MS Removal Tool, follow the steps below:

Boot your computer into Safe Mode.
Windows XP and Windows Vista:
Start your computer and press and hold the F8 key.
A Windows Advanced Options menu will appear. Use your arrow keys to scroll to Safe Mode and click the Enter key.
Click the Start button, and then click Run.
Type cmd then click OK. A black command prompt window will appear.

Locate the affected directories:
Windows XP:
Type cd c:\Documents and Settings\All Users\Application Data\ and press the Enter key.
Type dir and press the Enter key.
Windows Vista:
Type cd c:\ProgramData\ and press the Enter key.
Type dir and press the Enter key.
Type c:\Users\All Users\ and press the Enter key.
Type dir and press the Enter key.

Scroll through the list to find directories with random names that contains 18 characters. For example: cHl08200gMhHd08200 , pJg08200fBmPl08200.
Type rd /s /q <random name>, and then press the Enter key. Replace <random name> with the 18 character name. Repeat this step for each random name you find.
Type reg delete hkcu\software\microsoft\windows\currentversion\run once /v <random name> /f, and then press the Enter key. Replace <random name> with the 18 cha... Read more

More replies
Relevance 31.57%

Staff Advisory: This post needs to remain here until one of the malware team advise that it can be moved. This member cannot access our malware forums due to their infection. ~ Animal
--------------------------------------------------------------------------------

Hello, I got some help from some nice people in the live chat. I have made a log with your hijackprogram and am posting it at the bottom. It created two .txt files so there are two reports. I am unable to open ANY link that has the words anti-spyware anywhere on the page or in the address bar so unfortunately I cannot post this in the malware removal forum because the internet window closes every time. I am in dire need of some help! I have a subscription to spy sweeper and it is keeping things out but I was infected with Antivirus xp 2008 and possibly some viruses because the computer was un-protected for about a month while I was in the hospital..

I run with Windows XP and a wireless connection. If someone could take the time to look at this for me I would be so incredibly thankful! I offer my services as a photographer/graphic artist/professional gift shopper/myspace designer/beginner web designer. You can see what I do at www.perfectionpictures.com and contact me if you need anything at all!

Current Symptoms (in the order of appearance)
Random Total system crash then restart then blue screen then back to windows.
msvcp71.exe is missing so a program is being prevented ... Read more

Answer:Antivirus Xp 2008 Removal Help/am I Infected? Can't Open Malware Removal Forum

Hi & welcome,

I would like to try a couple things before we go much further so I have a bit better picture of what is happening and can take the needed cautions.

1.) click start> run> type msconfig and hit enter.
click "boot.ini" tab
Checkmark /bootlog
Click "apply" and "close"
Reboot when asked
Locate and delete this file:
C:\windows\ntbtlog.txt (in case your extensions don't show it looks like a notepad)
Reboot
Locate & post:
C:\windows\ntbtlog.txt

2.) Click start> run> type: cmd.exe and hit enter.
type the following commands exactly as you see em & hit enter after each one:
cd c:\windows\system32
dir userinit.exe
Note the file size please & report that back to me. Leave cmd open a sec.
Back at the cmd window...
Type:
cd dllcache
dir userinit.exe
dir spoolsv.exe
Note file sizes & report that back to me.
Type exit in the CMD window & hit enter. (this closes it)

3.) Can you see also if you can get this program installed please:
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Save file> run it> follow prompts to install excepting defaults.
Allow it to "launch" hijackthis.
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad
Go to Edit, Select All and then Edit, Paste to paste the contents of the log here

Let me know if you had any problems with the above please.

I advise keeping the system offline as much as possib... Read more

3 more replies
Relevance 31.57%

I am running Windows XP Pro Version 2002 with SP3 on a Dell Inspiron E1505. I have Norton 360 running for internet and firewall protection. I was experiencing the BSOD frequently and finally Windows would not boot. A Norton scan gave me the following "Tidserve Activity 2 Threat requiring manual removal detected". I downloaded the TDSSKiller from Kaspersky and it seemed to remove the threat. I was able to get Windows up and running, but since then have had the following issues:
1. Occasional popup window with the message "C:\Windows\System\MSVIDEO.DLL is not a valid windows image. Please check this against your installation diskette"
2. Internet access is not possible. The DHCP won't function due to dependencies, specifically AFD, which has a yellow exclamation point in the Device Manager. AFD won't start. So I'm currently working via a flash drive to transfer files from the laptop to a functioning desktop.
Is my system still infected?
Thanks very much-
Richmo
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dell at 22:46:39 on 2012-01-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.371 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *Enabled*
FW: Norton 360 *Enabled*
.
============== Running Processes =============... Read more

Answer:No internet and AFD issues after apparent removal of Tidserve Activity 2 Removal

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing... Read more

84 more replies
Relevance 31.57%

Apologies, but i'm a bit of a novice. my computer did a scan when i started it and came up with some trojans. when i tried to delete them, a malware removal programme tried to install itself so i closed the download dialog box. unfortunately, i cannot remember the name of the software that was trying to install itself. please would you review my log below and help me clean my computer?

many thanks
---------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by 0 at 19:57:35.67 on 02/01/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3000.1826 [GMT 0:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows&... Read more

Answer:attempted removal of trojans try to install "malware removal software

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies
Relevance 31.57%

The latest: Removal Tool from Symantec:

http:[email protected]html
EDIT:
PLEASE NOTE: Since Symantec did a major change on how to handle this worm from their first instructions, (and my first post) I have totally modified this post, as of 0326 EDT Sept 20, 2003, to reflect those changes. This should avoid the problem that Alison had and was most likely the reason for Symantec's change.

You have been bitten by the latest worm, [email protected], and want to know what to do and how to get rid of it.

We here at TSG want to make that process easier for you.

The following is a short(er) version of what can be found at Symantec's site.
http:[email protected]

Please go to the above link and read and understand about the Swen worm first, then return and follow the short version.

Removal Instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).

How to disable or enable System Restore in Windows ME

How to disable or enable System Restore in Windows XP

2. Modify the association for Registration Entries ( .reg files).
3. Create a repair.reg file on Desktop, double-click on repair.reg file to fix association settings for other file types.
4. Update the virus definitions.

5. Do one of the following:
a. Windows 95/98/Me: Restart the computer in Safe mode.
b. Windows NT/2000/XP: End the Trojan process.
6. ... Read more

Answer:[email protected] Worm Removal instructions + New Removal Tool

16 more replies
Relevance 31.57%

Hi Guys,
Recently I have gone through a serious virus which is not catchable by updated anti-virus symantec 14 october 2009.
When i put my pendrive, the system shows autorun.inf deleted. But the underlying virus,
autorunme.exe exists in location Drive:/RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe.

Even if I delete this virus, it is automatically generated again or recreates itself.
autorunme.exe is not the actual virus, but it is just a duplicate.

Then actual underlying virus which triggers autorunme.exe is SERVCE.EXE
Note SERVCE.EXE is not service.exe or services.exe. It is new named SERVCE.EXE

Manual removal autorunme.exe process:
After connecting your pendrives, when it shows the file RECYCLER in hidden state, open your task manager and end the process SERVCE.EXE

Now delete the entries Drive:/RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe , Drive:/RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\desktop.ini and Drive:/autorun.inf.
They will not recreate now.

Then open C:/WINDOWS and find SERVCE.EXE and to be on safe side just make a local copy of file to some other place and delete SERVCE.EXE

Now even if you restart your computer, since SERVCE.EXE is not running at start up of system, the system is safe and manual removal of virus is complete.

SERVCE.EXE is the actual culprit.
 

More replies
Relevance 31.57%

I recently started my daughter's laptop to find a Windows Security window pop up prior to desktop starting up. It mentioned there is a Worm, WIN32.NETSKY that has infected my system, and that I should perform a full scan to remove the worm. I have McAfee on my computers so I contacted them for help. They concurred with the Windows suggestion. I did a complete scan of the system. 14 infections were found. McAfee quarantined them all and I deleted them. I rebooted. After the Windows XP boot screen I got a standard blank screen with the shut down immediately going into process. It would restart and go through the same process again. Shutting down and restarting. I have found out through this site what the WIN32.NETSKY worm/virus is, I can imagine how it got into the computer, So how do I fix this? I might also add the computer will NOT let me enter safe mode. So at this point I can do nothing but go through an eternal reboot! Also I can't figure out whether I removed the worm or not!



Thanks in advance, Tom

Answer:[SOLVED] Computer won't start up after removal of WIN32.NETSKY removal

This is what can happen with viruses. They shred your Windows OS files.

What happens when you keep pressing F8 at start up? Can you get to the advanced options menu to do a "repair install"?

Otherwise I think you will probably have to recover your personal data off the drive, completely reinstall Windows, but cleanse that personal data with anti-virus cleaners before you migrate it back to the new installation so the machine doesn't get infected all over again.

4 more replies
Relevance 31.16%

I had trouble trying to uninstall Trend Micro Security 2010. Upon reading a forum from this site, I tried AppRemover, which successfully took the software off, however, I am unable to connect to my wireless network because the driver connections seem to be messed up(?). I have tried uninstalling and reinstalling the drivers for my wireless LAN, but this does not seem to work. I have tried troubleshooting via Microsoft's website and have used the Microsoft FixIt program, however it has failed to fix the issues. This is what the program says:

Fix it Center: Use hardware and access devices connected to your computer. 5 problems need attention

Problems found / Status
There is a problem with the driver for Microsoft ISATAP Adapter #2. The driver needs to be reinstalled. Not fixed
There is a problem with the driver for Teredo Tunneling Pseudo-Interface. The driver needs to be reinstalled. Not fixed
There is a problem with the driver for Intel® WiFi Link 1000 BGN. The driver needs to be reinstalled. Not fixed
There is a problem with the driver ISATAP Adapter #3. The driver needs to be reinstalled. Not fixed Detected

I am running Windows 7 on my ASUS notebook. I have internet connection when I'm directly connected through the cable, but I cannot get wireless connection. My other computer connects to the wireless network fine. Please help. Thanks a lot in advance.

*moved topic to Am I Infected as requested by narenxp. - Queen-Evie*

Answer:Difficult Antivirus removal, even more trouble post removal

Hello,

Before trying to fix windows you should try the Diagnostic Tool from Trend Micro it should remove all the leftovers and maybe at the same time fix the problem you have.

Download the Trend Diagnostic Toolkit and save the file to the desktop, make sure you select the tool that matches your Operating System and the 32-bit or 64-bit version.

Boot the PC and enter Safe Mode (press F8 during Boot), run the tool, click on the Uninstall tab and follow the program instructions.

15 more replies
Relevance 31.16%

Hi,

I have tried many ways to get rid of some Malware that has only recently infected my PC. I hope someone can help me as this is my work PC and I need to plug back into my office network in a few days, but think this would be a bad idea at the moment.

The problem first showed itself by insisting I had many viruses etc, and I should install Internet Security 2010. I have installed Malware Bytes removal tool, and installed as instructed. It found the above, said it was removed, but still it appears to exist, although the name of the infection has changed a few times, and is currently redirecting my browser to a similar page to the above malware. A popup now shows that I should install Cyber Security to remove the infections. This is obviously another malicious antivirus/malware program.

I have McAfee Enterprise installed (which I can't seem to disable)

I have also run SuperAntiSpywarePlus, which did the trick removing a similar problem about a year ago on a different PC. However, although this program also finds problems, and supposedly removes them, the problem is still there.

Please help. I have shown Hijackthis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:42 PM, on 29/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\... Read more

Answer:Cyber Security removal; Malware removal not working

Hi,

I have tried everything I know of to remove this pesky piece of malware. It seems to keep changing names, starting out as Internet Security 2010, and redirecting me on a google search to a webpage trying to convince I was riddled with viruses and malware, and then trying to sell me their software, which is really just a scam. I ended up here after a few days of tearing my hair out, almost beaten. I went through the tutorials, but unfortunately that was before I fired off a post in desperation. Please delete my previous post, as I have now followed the suggested path, and run the utilities to help diagnose my problems. The resulting files are attached.

Please help. I hope the files uploaded can provide an insight into what's happening.

Apologies for jumping right in and posting a Hijackthis log before I had read the tutorials.

ntents below

DDS.txt contents pasted below

DDS (Ver_09-12-01.01) - NTFSx86
Run by Greg.Middleton at 15:30:23.26 on Tue 29/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.3063.2330 [GMT 9.5:30]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
C:\windows\system32\svchost -k rpcss
C:\windows\Syst... Read more

3 more replies
Relevance 31.16%

Hi all, my first post in here, so hello to everyone.

Could anybody be able to tell me how to completely remove Windows malicious software removal tool as it keeps coming up every time I turn on the laptop.
I have tried all usual channels like add/remove etc but can't see it anywhere. Could someone shed some light, many thanks

Answer:[SOLVED] Removal of 'Malicious software removal tool'

Have you let the MRT finish? The MRT is an On Demand anti virus scanner with a very limited impact on the PC or resources. There are NO reasons to remove it.

The utility is...
%windir%\system32\MRT.exe

Command line switches...

/? or /HELP = displays the command line switches
/Q = quiet
/N = detect only
/F = force extended scan
/F:Y = force extended scan and automatically clean infected files

If you really want to remove it browse to C:\Windows\System32 and delete MRT.exe

4 more replies
Relevance 31.16%

Hey there experts =)

My son clicked something a few days ago, giving us the Win 7 security virus. I followed the directions here, and removed it with malwarebytes.
Everything was running smoothly.

Today I get home and see that my browsers (all of them, firefox, chrome) are being redirected. When they are being redirected my McAfee detects a virus and removes it, yet it continues to happen. After much reading, here and on other computer boards ... there seems to be something leftover from that virus that isn't always detected? From what I've read, there's a possibility there's a virus in the MBR ?

I do not have a Windows 7 disc, as this came pre-installed, nor do I have a recovery disc. All advice points towards running combofix, although all that advice comes saying 'DO NOT RUN combofix unless instructed to do so by a professional'

Well? You guys are the professionals so here I am. You're my last resort to getting this fixed, sans taking it into a shop which I'm REALLY trying to avoid. ;)

I do work a full time job, so my responses may not be immediate, but I will check daily or multiple times daily when I can and follow your directions ... if you can and are willing to help!

Thanks in advance!

Beachy

Answer:Help with removal of hijacker after Win7 security virus removal

Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The ... Read more

14 more replies
Relevance 30.75%

Since the ComboFix will not run on Vista or Windows 7 64-bit, I have to look for new malware/virus removal apps... It was good while it lasted. So what tools do people use for Vista these days when the computer says: "WARNING! YOURS COMPUTER IS AN INFECTED BY HARMFUL VIRUS!!!!"

Answer:64-Bit Virus Removal & Malware Removal Tools?

64-bit Anti-Virus:
List of 64-bit Anti-Virus For Vista
Anti-virus protection in 64-bit environments

Free Anti-virus:
avast! Free Antivirus
Avira AntiVir Personal - Free Antivirus
AVG Anti-Virus Free Edition 8.5
Microsoft Security Essentials
Panda Cloud Antivirus
Kingsoft Free Antivirus (Cloud Scan)

Paid for Anti-virus:
NOD32 Anti-Virus Personal
McAfee AntiVirus Plus
Trend Micro AntiVirus plus AntiSpyware
Norman Antivirus & Antispyware
CA Anti-Virus Plus Anti-Spyware

64-bit Anti-Malware tools:
Malwarebytes Anti-Malware
SUPERAntiSpyware
Kaspersky Virus Removal Tool - How to install and use documentation
Spyware Terminator
Windows Defender (64-bit)
Prevx
Spybot S&D
Ad-Aware
Norman Malware Cleaner
Sunbelt Counterspy (free Trial)
Comodo BOClean Anti-Malware
Sophos Anti-rootkit
SanityCheck Advanced Rootkit and Malware Detector
ESET Online Antivirus Scanner
ESET SysInspector
AnVir Task Manager Free
WinPatrol

Start with these:
How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer
How to use SUPERAntiSpyware to scan and remove malware from your computer

3 more replies
Relevance 30.75%

Hello:
I'm not playing word games here. A month or two ago, I downloaded and ran the "Kaspersky virus removal tool". It found problems the other programs were missing. I followed directions and let it remove the problems. My big mistake was in keeping the program on the desktop to try again sometime. At some point WinUtilities, or Ashampoo Winoptimizer removed the Uninstall made by Kaspersky for this tool. The virus removal tool is not listed as a program, on Revo, Advanced Removal tool, or windows. It won't click to delete, but I feel it's a program, so maybe it shouldn't. It contains 321 MB, & 4890 files. Looking in permissions (security) of this "program", I seem to be lacking "Special Permission". I'm afraid to tinker with permissions.
I would appreciate sincere, simple, step by step, help. I tried reinstalling a new Kas.virus removal tool, and then uninstalling it. Got rid of the new one, didn't touch the problem.
Thanks.

Answer:Virus Removal Tool Program removal

Try this tool at your discretion*. The utility should pick up on any remaining traces of the program and display it on its list for removal.

* The Windows Installer CleanUp Utility is provided "as is" to help resolve installation problems for programs that use Microsoft Windows Installer. If you use this utility, you may have to reinstall other programs. Caution is advised.

4 more replies
Relevance 30.75%

What is MS Removal Tool?

MS Removal Tool is a fake system security software that is considered as a Rogue. Rogues are malicious programs that hackers use to trick users by displaying false threats and problems that it claims to have detected. In reality, none of the issues are real and are only used to convince the user into buying their software and stealing their personal financial information.
Am I infected?

This is a screenshots of this rogue.

Removal Instructions
(If you experience any problems completing these instructions, please start a new thread here)

1. Restart your computer. As soon as your computer turns on, tap F8 until you reach the Advance Boot Menu. Use the arrow keys and select Safe Mode with Networking.

2. Download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3
Save it to your Desktop.
Double click the RKill desktop icon.
It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
(This tool will kill the rogue's process temporarily. As a result, act quickly and move on to the next step.)

3. Download Malwarebytes' Anti-Malware to your desktop.

Rename the file to firefox.exe BEFORE downloading
Double-click firefox.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware

then click Finish.
If an update is found, it will download an... Read more

More replies
Relevance 30.75%

Hello!
In reading more of these threads I can see I'm not the only one with the iexplore issue.
Glad to know it can be corrected!!!!

I have multiple pop-ups and my computer is as slow as dirt.
When I get home at 3:30 Calif time I will do the HJTInstall.exe thing and post the results.
Would the results of one that was done two days ago help? Yes I was having the issue then and another company did one and told me to email it to someone, which I did but I haven't heard anything back and my computer is close to useless at this point.
Can MFDnNC or anyone else help?
Thanks!!!!
Ginny
 

Answer:malware removal/popup/iexplore removal

16 more replies
Relevance 30.75%

I am working on my Dad's computer in his office and I have a few questions BEFORE I run CCleaner. I am in the process of following the "Read and run this before posting" but I want to make sure of a few things first. When I run CCleaner am I to let it clean all the cookies as well? I know that there are a few sites that my Dad goes to on a regular basis and I am afraid that it will wipe out cookies that he needs. Could someone please advise?
 

Answer:Smitfraud-C Removal and removal steps questions

While cookies are not really problems to be concerned with, it is better to let CCleaner remove them so that the other scans don't take as long to run. In addition it can tremendously reduce the size of logs that have to be read. So yes clean cookies but you can first just tell Ccleaner which cookies to keep. It is part of the features which you should learn to use and configure.

Be careful with Spybot and SmitFraud-C. Lately I have been seeing it remove rundll32.exe which you do not want to do. Also if you truly have SmitFraud, you should run one of the special removal procedures (mentioned in the READ ME). Like one (only one) of the below:

SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

SpywareQuake & SpyFalcon Removal Procedure
 

5 more replies
Relevance 30.75%

I posted the software forum yesterday and was instructed to complete the malware removal steps and repost here. I have a new computer running Windows 8.1. When I say new, I mean I started having problems within a couple of hours after turning it on!

I have McAfee antivirus protection and downloaded and installed my MSOffice 2013 Home and Student. All seemed to be fine. The MSOffice was up and running and McAfee said I was protected. Suddenly and I don't remember what I was doing...it said Microsoft something (sounded like an antivirus or firewall something) had detected several problems and I needed to "clean my computer". Oh so ignorant of all that was going on with learning Windows 8.1 after using XP for years I told it to clean. Somewhere in there it suggested I do a system restore. All seemed OK until I realized MSOffice was no longer there. I tried to download it again and reload, but with no luck. It occurred to me it had something to do with the system restore so I tried to undo the restore. That of course didn't help. I'm also now getting messages from McAfee that I am covered and safe but that my firewall is turned off and needs to be turned on. However I can get McAfee to do nothing. I can open a screen, but nothing I do makes it do anything. I tried downloading their "Virtual Technician" before I started the process you recommended and it acted like it was downloading, but 20 minutes later it was still "spin... Read more

Answer:malware removal help - removal instructions attempted

Can you try running the tools that were not working before including Hitman, in safe mode please. Let me know how you get on.
 

16 more replies
Relevance 30.75%

I love my computer and hate to see it act like this, so i need help from you guys on how to remove this alert balloon that keeps popping up from my taskbar and keep it gone. also i keep getting many popups, a lot of which never load. i think this might have to do with some fake active x thing i installed. i downloaded hijackthis and here is the report: (i noticed 4 new processes running on task manager, too. this might have to do with it all: iesmin.exe, iesmn.exe, imsmain.exce, and imsmn.exe) PLEASE HELP ME!!! thank you!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:13 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svc... Read more

Answer:Help! Bogus System Alert Removal & Pop Up Removal

6 more replies
Relevance 30.75%

I have info stealer detected on my computer by norton. I am unable to locate based on the location listed by norton. I would like to remove it. In addition I keep getting pop-ups from Norton asking if i want to allow a program the files all start with q. For instance these to names are examples: qmhendli.exe and qmlopne.exe, the names keep changing as I continue to block them. Here is my Hijack this Log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:54 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SU... Read more

Answer:Info Stealer removal and removal of exe generator

Download the Trial version of Superantispyware Pro (SAS):
http://www.superantispyware.com/superantispyware.html?rid=3132
Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the ... Read more

1 more replies
Relevance 30.75%

I read and followed precisely "Vista and Win 7 Malware Removal/Cleaning Procedure"

My issue: I was informed by my ISP the following: "Mail Log Parsed from Feb 15, 2013 19:47:04 to Feb 16, 2013 19:47:04 User sent approximately 141,801 messages to 136,591 unique recipients. There were 2598 bounces received in this period, 1 percent of the emails sent. "

I have AVG, running constantly. ISP changed my password to stop the mail. I ran AVG in safe mode. Still not sure trojan eradicated. ISP referred me to your site.

I performed all steps. I have attached all logs except TDSSKiller. While it ran clean, no apparent log was generated. All except RogueKiller found no issues. RogueKiller found as reflected in log.

Please advise if you believe my system is clean, or what further I should do. Since I haven't seemed to find anything, it's hard for me to be comfortable that it's clean.

Thank you immensely!!

Mike Sieber
 

Answer:Help with malware removal--have performed removal instructions

Welcome to Major Geeks!




mike sieber said:

I performed all steps. I have attached all logs except TDSSKiller. While it ran clean, no apparent log was generated. All except RogueKiller found no issues. RogueKiller found as reflected in log.

Not problems. It is just junk from AVG. All of your logs are clean. Many times when something like this happens, it is not an infection. It is due to a spammer/spammers getting your email login and password and they use it from other PCs to send out their spam. There are cases of infections that can cause spamming ( like some master boot record or partition infections ) but you show no signs of these.


If you are not having any other malware problems, it is time to do our final steps:
We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to ... Read more

3 more replies
Relevance 29.52%

My PC is infected with trojan Zlob, which seems like adware. I am constantly getting popups, and I managed to see the process icthis .xe in task manager. This process doesn't get terminated; that very moment I knew it's a virus. I have read the thread regarding its removal on your site, but I still want the supervision of experts like you. Please help.
 

More replies
Relevance 29.52%

Greetings,

First of all, I apologize for the breach in protocol. I am unable to post a log because my computer is not allowing me to launch any programs except for Internet Explorer. I write this from my wife's computer because the malware has blocked your site. After it became clear that it was going to block any site that mentioned Malwarebytes, I used her computer to burn a renamed mbam.exe onto a CD and loaded it onto my computer in safe mode with networking. It blocked the program from installing.

I've also tried explaining to it that I'm not angry, just disappointed. That also failed to fix the problem. frowny face.

Do I have a Sony Vaio Paperweight, or is there a fix out there? Everything beyond Malwarebytes seems to have serious consequences if used incorrectly, and so I hope that somebody will be willing to help me.

Thanks,
DS

Ok, people, I have more info.
After convincing my computer to run Malware bytes and Registry Repair several times, I continue to have the following issues:
-My hard disk appears to have nothing in it. ("My Documents" also had this problem, but 'unhide' fixed that. Note that the space that is used on the disk has remained about the same as it did prior to the MS Removal Tool pop-ups first appearance.)
-The application that I usually use to connect to the internet has stopped working. I am currently connected through the default windows program.
-My Start Menu only has Malwarebytes, Glary's Registry Repai... Read more

Answer:Intermediate MS Removal Tool Removal

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

If you have since resolved the original problem you were having, we would appreciate you letting us know. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics just post what you can and we will guide you.

Please tell us if you have your original Windows CD/DVD available.

If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply'... Read more

3 more replies
Relevance 29.52%

HEY GEEKS NEED A LITTLE HELP. I HAVE A WINANTIVIRUS POP UP THAT COMES UP EVERYTIME I AM ON THE NET, AFTER U X IT OUT 5 TO 6 OTHER POP-UP COME UP ABOUT A VIRUS. I AM RUNNING AVG EVERY MORNING, SPYBOT SEARCH AND DESTROY, AD-WARE 6.0. HERE IS A HIJACK THIS LOG FILE TELL ME WHAT TO GET RID OF PLZ.

EDIT: Removed inline HJT log


THANKS

DOOKIE
 

Answer:winantivirus removal, malware removal

Hi and Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.


Run this first

Virtumonde aka Trojan Vundo Removal - some people also refer to this as WinFixer

Then run the below and attach the requested logs for the malware experts to look over.


Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.



When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

- runkeys.txt - the log from GetRunKey.bat
- newfiles.txt - the log from ShowNew.bat
- CounterSpy - ONLY IF you were not a... Read more

1 more replies
Relevance 29.52%

My laptop does not work properly. I think virus has attacked my laptop. How to remove virus from laptop ?

Answer:Virus Removal / Spyware Removal

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

- First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
- Perform everything in the correct order. Sometimes one step requires the previous one.
- If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
- Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
- Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
- If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
- Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
- My first language is not English. So please do not use slang or idioms. It could be hard for me to read.

Thanks for your understanding.

Scan with DDS

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs
DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save t... Read more

3 more replies
Relevance 29.52%

Hello Major Geeks,

I am here once again, as I can not seem to get rid of Spyware FunWeb Products.
I have run Spybot and Adaware ten times to no avail.
Any help greatly appreciated.
Also my son visited a web site for video game cheats and we were inundated with pop-ups and I believe a virus or two.

I found out that my Symantec Norton Anti-Virus has expired. What is the best Anti-Virus software to purchase?
I have run a HijackThis log entered below. All help so appreciated.
Thank you,
River

Edit by chaslang: Old version, unrequested, inline log removed
 

Answer:Spyware Removal & Virus Removal - please help

Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Your HijackThis version is way out of date too.


Please run the steps below.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:
- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
 

4 more replies
Relevance 29.52%

My computer, running Windows2000 with all latest patches, is infected with some sort of CWS variant. I am running SpywareGuard, Norton Antivirus2004 (useless), ZoneAlarm. I have run Adaware, Spybot Search & Destroy, CWSShredder, and HijackThis. CWSShredder now seems to run much slower than it used to a few days ago on my system. It claims to have removed CWS.Searchx and CWS.jkSearch (I don't remember exact name, but it had jk in it), but adware/trojan/browser hijacking symptoms and components seem to keep re-appearing -- even if not connected to the internet! I am also using a HOSTS file. I also switched to Firefox Mozilla browser from IE and installed Sun Java VM (but can't seem to find directions for deleting MS Java -- do I just delete the msjava.dll from c:/WININT/system32 ?)

Am I still infected with something? If so, how do I get rid of it for good? Last two entries look suspicious to me, but I get an error if I try to let H/T fix them. Advice would be most appreciated. Thanks in advance.

H/T error message:
-------
An unexpected error has occurred at procedure: cmdFix_Click()
Error #75 - Path/File access error (30 items in results list)

Please email me at [email protected], reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.98.0

This message has been copied to yo... Read more

Answer:Need Help with CWS variant removal/removal verification

I WISH I could help you - believe me. I got CWS_NS3 on one of my computers last week and tried EVERYTHING. Nothing worked that I tried. You might look for something on AboutBuster - one of the forums I was in indicated there was a fix there in conjunction with HJT. I don't really know - I just gave up and did a clean re-install of XP - but that is drastic. My System Restore was going thru the motions but wouldn't set restore to any point that was there. CWS kept adding "exe" files at bootup. It seems this is becoming more and more prevalent. Hope you find something that will work. I got disturbed when my System Restore quit working and gave up. Let me know if you find something to fix this - just in case I get it again. Good Luck.
 

2 more replies
Relevance 29.52%

I have just tried to install a program and encountered problems while doing so. I tried to remove it using the ADD & REMOVE option in control panel but found that it was still there even though no trace could be seen on my hard drive. I have tried to re install the software but the program is saying that it is still there. Is this because the program is still on the ADD & REMOVE list and if so can I remove it from the list?

Any help would be grateful.

Cheers
Graham

Answer:Removal of Program ID from ADD & REMOVAL list

Shouldn't make any difference. Something has fouled up. What program and what OS.

9 more replies
Relevance 29.52%

I'm pulling out my hair please help. Here's my HJT logfile.


Answer:Malicious Software Removal Wizard, Spyware Removal Wizard, System Integrity Scan Wiz

Please do not start more than one thread for the same problem.

Closing duplicate.

Please continue here:

http://forums.techguy.org/security/488003-hjt-logfile.html
 

1 more replies
Relevance 28.7%

So in the past when dealing with virus removal, I generally took the hard drive out of the affected machine and placed it into an IDE or SATA dock to turn it into an external hard drive and have the virus non functional outside of its "startup and infected/affect state" rooted to the root OS of the drive it is on.

I have seen online people claim to use tools like creating a Bart PE startup CD or DVD with an antivirus on that to clean the systems as well as someone else on another google hit claimed to use a Linux Live CD with an Antivirus on that to clean the drive of malware.

Question I have is ... What are the best bootable tool methods of attacking the removal of the malware? I am guessing it's the bootable CD or DVD method which introduces a read-only source to the equation of which the system also boots off of so that any viruses would not start up, can't infect the disc, and they can be detected dormant and removed. I tried to make a Bart PE disc once placing Norton Antivirus on it, but it doesn't function, and then if it did function, how do you update the definitions on a read-only disc.

* I understand that there is the potential to infect my test station ( workstation I use for projects and data recovery and malware removal ) using my current malware/virus removal method. This is one reason why I never use my important systems to perform interaction with foreign drives to contain any infection to that of the test station which can be wiped out clean via a ghost i... Read more

More replies
Relevance 27.47%

Hey,

So I got infected with this virus/malware MS Removal Tool. Things that I noticed: it created a file nvpcpl.dll, hid all my D drive files and removed 90% of the items from the Start > All Programs menu. I ran through all the scans but still can't seem to get the programs in the All Programs menu back. Attached are my clean scans in the order recommended. Just as an fyi, C: is my primary drive, D: stores all documents/pictures/music, F: is the external hard drive. Thanks for the help.
 

Answer:Malware removal help - MS Removal

"Things that I noticed: it created a file nvpcpl.dll"

See this link About nvpcpl.dll. You do not have McAfee installed and I am not seeing the file in your logs. Do you still see it? If so give me the full file path. But you also have NvCpl.dll running which relates to Nvidia which IS installed.

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.


Right-click OTM.exe And select " Run as administrator " to run it.
Paste the following code under the area. Do not include the word Code.

Code:


:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]

:files
C:\Documents and Settings\All Users\Application Data\oJh06504hBkGg06504

:Commands
[emptytemp]
[Reboot]

Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file prese... Read more

3 more replies
Relevance 27.47%

I am fairly new to computers and need some help. I think that I might have a virus. My computer is a Dell Dimension 3100, and I have McAfee security centre installed and Windows XP.
I keep getting warnings from McAfee saying that I have files infected by Generic downloader ad/ae, and that I have a pup??
Can somebody please help as I don't seem to be able to get rid of this problem...
Many thanks in advance!!!!

 

Answer:pup removal, trojan removal..

16 more replies
Relevance 25.01%

I have run the malware removal instructions and went through each program, as they did remove some of the malware and virus. The issue that I am having is that when I open the computer under a separate user and try to run the malware removal programs via internet or through USB drive, I keep seeing a window which pops up asking me which program I want to use to open the program. I have run the computer under the administrator and do not seem to have problems running the malware removal steps and have attached the reports from the instructions.

Even when I try to open add or remove programs under control panel, I get the following message: "C\windoesn\system32\rundll32.exe- application not found". I am thinking that it is something to do with AVG and have removed the program with the step.

Please help....

View attachment mbam-log-2011-03-28 (17-02-07).txt
View attachment combofix log.txt
View attachment SUPERAntiSpyware Scan Log - 03-28-2011 - 16-42-24.log
View attachment hijackthis.log
 

Answer:Help with malware removal- have run malware removal instructions

ssmehta007 said:

"....try to run the malware removal programs via internet or through USB drive"

Specific download and installation instructions are in our R&R ME FIRST guide :
ComboFix
Running from: l:\combifix\ComboFix.exe <--- belongs on your desktop

RootRepeal
Save it to your Desktop

SAS & MBAM
Installed to the Default Location - "C:/Program Files", as we suggest that you keep them after malware removal.

MGTools.zip
Download this file to the root folder of the drive where you have installed Windows (Typically this would be C:\ and thus you would have a C:\MGtools.exe file after downloading).
Please make those corrections and attach the missing RRlog.txt (from RootRepeal) and MGlogs.zip - normally it is C:\MGlogs.zip . Please tell me any problems you still have.
 

18 more replies
Relevance 25.01%

Hi,

I have a dell xps 8300. It started acting up about 1 week ago (freezing while working online, freezing while trying to boot). Today i got the Blue screen asking me to restart if this was the first time I had received a blue screen.
I restarted it was fine for 30 minutes and everything froze.
I restarted it and I received error beeps ( 4 beeps)
I looked that up on dell support and they said it was RAM problems.
I opened up the computer vacuumed a bit, took out ram cards and reinstalled them.
It had been working o.k.for about 1 hour and only froze once more.
I decided to try the malware removal guide and here are the logs
Malware bytes did not find anything
TDSSKiller did not find anything
MGtools ran but as soon as it was done the window closed. i don't know how to find the log
Your help will be greatly appreciated
 

Answer:malware removal - have followed malware removal guide

I still want to see the log from Malware Bytes please.





"MGtools ran but as soon as it was done the window closed. i don't know how to find the log"

Should be directly on C:\ if that's where you boot Windows from. If you really cannot find the log, you'll have to run MGTools.exe again in order to produce a MGlogs.zip. Thanks.
 

20 more replies
Relevance 22.14%

My computer has been infected with the spx lx trojan. I have read some of the posts with info on how to remove it, but I'm not having any luck. When I try to run the smitfraudfix.cmd I get a message that tells me I cannot run the application because the file is infected. Can anyone please help me get this figured out? Any help will be greatly appreciated!! Thanks again.
 

More replies
Relevance 22.14%
Question: 'CiD help' removal

I'm continually getting CiD pop ups that are driving me crazy, despite having earlier removed it from my 'add/remove programs' list.
I've run multiple virus scan programs such as AVG, Adware scan and my Norton internet security, yet nothing seems to detect that I have a problem.
I had a look at my HiJackThis log and couldn't see anything odd but my skills are kinda lacking in that department.....
Can anyone help me remove this from my computer???
Here's my HiJackThis log at present


Answer:'CiD help' removal

9 more replies
Relevance 22.14%
Question: avg removal

Hi, need help. AVG removal tool took a nosedive and left me with files related to avguix.exe that will not allow access. I am running Win7 32bit on a Dell E6510 Latitude. I have tried system file checker (SFC), avg removal tools, ccleaner, and auslogics registry cleaner. I have run an online & microsoft security sweep and there are no viruses. I get an exception breakpoint error pop-up from avg every time I turn the laptop on. Ccleaner shows that there are files on C drive, but can't access them to clean them out. There are no avg programs on my laptop currently. I also tried another avg install and removal. No dice, can't get at anything to remove whatever the removal tool missed. Anybody have any other ideas? or should I just start over? Still have win7 os disc.
 

More replies
Relevance 22.14%
Question: AVG removal

Just repaired xp pro and now my avg does not recognize my license number and will not run. Since I have the free ver. it makes no sense. It will not uninstall using add remove programs utility. I tried to reinstall over and it will not I tried repair modify with same result. ccleaner will not remove it with the tools uninstall either. My question is will ccleaner remove it from the registry or do I go digging in the reg.?
Thanks for any help.
Den
 

Answer:AVG removal

1. Download the latest AVG Free installation package from http://www.majorgeeks.com/download.php?det=886

2. Run the AVG Free install file
3. Choose the Uninstall option and follow the setup wizard, when you get to the part to remove user settings, select it.
4. Restart your computer then...
5. Now reinstall AVG using the setup file you got in step 1 and update it.

If you tried this already then you can remove all files and services manually.
 

4 more replies
Relevance 22.14%

I've been at this for 2 days... I really need some expert advice now

 

More replies