Thread: AWOLA scareware help needed, Log posted inside.
View Single Post
Old 01-12-2008, 10:36 PM   #1 (permalink)
Treesquid
Registered User
 
Join Date: Jan 2008
Posts: 23
OS: xp


AWOLA scareware help needed, Log posted inside.
Hello, new to the forum, think this is great learning for a novice like me and appreciate the help if I could get it here.

I have the AWOLA virus/scarewware on my system. My virus scan picks it up as Generic FakeAlert.b

A warning is posted on my right hand lower toolbar that says "Windows has detected syware infection. It is recommended to use a special antispyware to prevent data loss etc.."

I went through the 5 steps posted here and created this log, I hope I didn't screw this up.

Deckard's System Scanner v20071014.68
Run by Jeff on 2008-01-12 22:18:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-01-13 05:18:26 UTC - RP1052 - Deckard's System Scanner Restore Point
69: 2008-01-12 03:19:33 UTC - RP1051 - Removed QuickTime
68: 2008-01-12 03:08:02 UTC - RP1050 - Software Distribution Service 3.0
67: 2008-01-12 02:51:28 UTC - RP1049 - Spybot-S&D Spyware removal
66: 2008-01-11 03:57:49 UTC - RP1048 - Spybot-S&D Spyware removal


-- First Restore Point --
1: 2007-10-16 05:41:31 UTC - RP983 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-12 22:24:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\vsstat.exe
C:\Program Files\Network Associates\VirusScan\vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\avconsol.exe
C:\Program Files\Network Associates\VirusScan\webscanx.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\SYSTEM32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Documents and Settings\Jeff\Application Data\vwfje.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Documents and Settings\Jeff\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Jeff\Application Data\vwfje.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Jeff\Application Data\Awola\Awola.exe" /MIN
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} () - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} () - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134097529950
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} () - http://a19.g.akamai.net/7/19/7125/40...ra/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} () - http://www.slotchbar.com/ist/softwar...ist_remove.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Filter: text/html - - (no file)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\SYSTEM32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe


--
End of file - 8765 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R0 NaiFsRec - c:\windows\system32\drivers\naifsrec.sys
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 idrmkl - c:\docume~1\jeff\locals~1\temp\idrmkl.sys (file missing)
S3 L8042Kbd (Logitech SetPoint Keyboard Driver) - c:\windows\system32\drivers\l8042kbd.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-06 15:47:51 434 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job
2003-10-31 22:19:05 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2007-12-12 and 2008-01-12 -----------------------------

2008-01-12 22:10:23 0 d-------- C:\Program Files\SpywareBlaster
2008-01-12 22:02:01 489472 --a------ C:\Documents and Settings\Jeff\installer.exe
2008-01-12 20:36:09 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-12 20:04:32 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-12 19:03:01 0 d-------- C:\Documents and Settings\Jaime\Application Data\vlc
2008-01-11 20:08:07 0 d-------- C:\WINDOWS\LastGood
2008-01-10 21:09:36 0 d-------- C:\Documents and Settings\Jaime\Application Data\Turbine
2008-01-10 20:15:23 0 --ahs---- C:\Documents and Settings\Jeff\Application Data\.dat
2008-01-10 19:57:16 0 --ahs---- C:\Documents and Settings\Jeff\Application Data\b925c42d2f83614002b967fae897fec8f7494e05.dat
2008-01-10 19:54:05 0 d-------- C:\Documents and Settings\Jeff\Application Data\Awola
2008-01-10 19:16:19 0 d--h----- C:\WINDOWS\PIF
2008-01-10 18:19:32 6656 --a------ C:\Documents and Settings\Jeff\Application Data\vwfje.exe
2008-01-10 18:19:29 6656 --a------ C:\QQMg.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-12 20:55:07 0 d-------- C:\Program Files\Messenger
2008-01-12 20:48:57 0 d-------- C:\Program Files\Common Files\ReGet Shared
2008-01-12 19:56:55 0 d-------- C:\Program Files\Lavasoft
2008-01-12 19:56:53 0 d-------- C:\Documents and Settings\Jeff\Application Data\Lavasoft
2008-01-12 19:56:04 34457 --a------ C:\logfile
2008-01-12 19:51:00 0 d-------- C:\Documents and Settings\Jeff\Application Data\Adobe
2008-01-11 20:20:24 0 d-------- C:\Program Files\QuickTime
2008-01-11 20:15:21 0 d-------- C:\Program Files\EA SPORTS
2008-01-10 19:40:31 0 d-------- C:\Program Files\LucasArts
2008-01-10 19:40:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-10 19:38:06 0 d-a------ C:\Program Files\Common Files
2008-01-10 19:34:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-10 19:34:35 0 d-------- C:\Program Files\DivX
2008-01-10 19:33:53 0 d-------- C:\Program Files\mozilla.org
2008-01-10 18:56:53 0 d-------- C:\Program Files\Wings Over Europe
2007-12-29 15:30:11 0 d-------- C:\Program Files\StarWarsGalaxies
2007-12-18 16:11:13 0 d-------- C:\Documents and Settings\Jeff\Application Data\AdobeUM
2007-12-10 11:07:37 1281 --a------ C:\WINDOWS\checkip.dat
2007-12-10 11:00:52 0 d-------- C:\Program Files\MSXML 4.0
2007-12-09 14:29:12 0 d-------- C:\Program Files\Kodak
2007-12-09 14:28:01 0 d-------- C:\Program Files\Common Files\Kodak
2007-11-16 21:23:25 0 d-------- C:\Documents and Settings\Jeff\Application Data\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/13/2003 08:27 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/21/2003 08:34 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [09/19/2003 02:46 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [11/23/2002 02:15 AM]
"Logitech Utility"="Logi_MwX.Exe" [11/08/2002 02:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/15/2004 11:42 AM]
"nwiz"="nwiz.exe" [07/15/2004 11:42 AM C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [07/15/2004 11:42 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/26/2004 07:06 AM C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 03:07 PM]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" []
"LexPPS.exe"="C:\WINDOWS\system32\lexpps.exe" [03/26/2003 07:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"LDM"="\Program\BackWeb-8876480.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Jeff\Application Data\vwfje.exe" [01/10/2008 06:19 PM]
"Awola"="C:\Documents and Settings\Jeff\Application Data\Awola\Awola.exe" []

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 7:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 7:00:00 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [6/21/2007 10:56:14 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [10/31/2003 10:45:32 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [11/8/2005 7:24:22 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - NBVTPSPLGJPT
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- End of Deckard's System Scanner: finished at 2008-01-12 22:26:06 ------------
Attached Files
File Type: txt extra.txt (17.9 KB, 2 views)
File Type: txt Activescan.txt (47.8 KB, 2 views)
Last edited by Treesquid; 01-12-2008 at 10:38 PM.
Treesquid is offline  
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here