Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Post #1, 01-12-2008, 09:36 PM, by Treesquid (Registered User, OS: xp)
AWOLA scareware help needed, Log posted inside.

Hello, new to the forum, think this is great learning for a novice like me and appreciate the help if I could get it here.

I have the AWOLA virus/scareware on my system. My virus scan picks it up as Generic FakeAlert.b

A warning is posted on my right hand lower toolbar that says "Windows has detected syware infection. It is recommended to use a special antispyware to prevent data loss etc.."

I went through the 5 steps posted here and created this log, I hope I didn't screw this up.

Deckard's System Scanner v20071014.68
Run by Jeff on 2008-01-12 22:18:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-01-13 05:18:26 UTC - RP1052 - Deckard's System Scanner Restore Point
69: 2008-01-12 03:19:33 UTC - RP1051 - Removed QuickTime
68: 2008-01-12 03:08:02 UTC - RP1050 - Software Distribution Service 3.0
67: 2008-01-12 02:51:28 UTC - RP1049 - Spybot-S&D Spyware removal
66: 2008-01-11 03:57:49 UTC - RP1048 - Spybot-S&D Spyware removal


-- First Restore Point --
1: 2007-10-16 05:41:31 UTC - RP983 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-12 22:24:37
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\vsstat.exe
C:\Program Files\Network Associates\VirusScan\vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\avconsol.exe
C:\Program Files\Network Associates\VirusScan\webscanx.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\SYSTEM32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Documents and Settings\Jeff\Application Data\vwfje.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\Documents and Settings\Jeff\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\system32\lexpps.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Jeff\Application Data\vwfje.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Jeff\Application Data\Awola\Awola.exe" /MIN
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} () - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} () - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134097529950
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} () - http://a19.g.akamai.net/7/19/7125/40...ra/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} () - http://www.slotchbar.com/ist/softwar...ist_remove.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Filter: text/html - - (no file)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\SYSTEM32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\SYSTEM32\nvsvc32.exe


--
End of file - 8765 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 agp440 (Intel AGP Bus Filter) - c:\windows\\systemroot\system32\drivers\agp440.sys (file missing)
R0 NaiFsRec - c:\windows\system32\drivers\naifsrec.sys
R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft(R) ASPI Shell>
R3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys

S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 idrmkl - c:\docume~1\jeff\locals~1\temp\idrmkl.sys (file missing)
S3 L8042Kbd (Logitech SetPoint Keyboard Driver) - c:\windows\system32\drivers\l8042kbd.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-06 15:47:51 434 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job
2003-10-31 22:19:05 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2007-12-12 and 2008-01-12 -----------------------------

2008-01-12 22:10:23 0 d-------- C:\Program Files\SpywareBlaster
2008-01-12 22:02:01 489472 --a------ C:\Documents and Settings\Jeff\installer.exe
2008-01-12 20:36:09 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-12 20:04:32 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-12 19:03:01 0 d-------- C:\Documents and Settings\Jaime\Application Data\vlc
2008-01-11 20:08:07 0 d-------- C:\WINDOWS\LastGood
2008-01-10 21:09:36 0 d-------- C:\Documents and Settings\Jaime\Application Data\Turbine
2008-01-10 20:15:23 0 --ahs---- C:\Documents and Settings\Jeff\Application Data\.dat
2008-01-10 19:57:16 0 --ahs---- C:\Documents and Settings\Jeff\Application Data\b925c42d2f83614002b967fae897fec8f7494e05.dat
2008-01-10 19:54:05 0 d-------- C:\Documents and Settings\Jeff\Application Data\Awola
2008-01-10 19:16:19 0 d--h----- C:\WINDOWS\PIF
2008-01-10 18:19:32 6656 --a------ C:\Documents and Settings\Jeff\Application Data\vwfje.exe
2008-01-10 18:19:29 6656 --a------ C:\QQMg.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-12 20:55:07 0 d-------- C:\Program Files\Messenger
2008-01-12 20:48:57 0 d-------- C:\Program Files\Common Files\ReGet Shared
2008-01-12 19:56:55 0 d-------- C:\Program Files\Lavasoft
2008-01-12 19:56:53 0 d-------- C:\Documents and Settings\Jeff\Application Data\Lavasoft
2008-01-12 19:56:04 34457 --a------ C:\logfile
2008-01-12 19:51:00 0 d-------- C:\Documents and Settings\Jeff\Application Data\Adobe
2008-01-11 20:20:24 0 d-------- C:\Program Files\QuickTime
2008-01-11 20:15:21 0 d-------- C:\Program Files\EA SPORTS
2008-01-10 19:40:31 0 d-------- C:\Program Files\LucasArts
2008-01-10 19:40:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-10 19:38:06 0 d-a------ C:\Program Files\Common Files
2008-01-10 19:34:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-10 19:34:35 0 d-------- C:\Program Files\DivX
2008-01-10 19:33:53 0 d-------- C:\Program Files\mozilla.org
2008-01-10 18:56:53 0 d-------- C:\Program Files\Wings Over Europe
2007-12-29 15:30:11 0 d-------- C:\Program Files\StarWarsGalaxies
2007-12-18 16:11:13 0 d-------- C:\Documents and Settings\Jeff\Application Data\AdobeUM
2007-12-10 11:07:37 1281 --a------ C:\WINDOWS\checkip.dat
2007-12-10 11:00:52 0 d-------- C:\Program Files\MSXML 4.0
2007-12-09 14:29:12 0 d-------- C:\Program Files\Kodak
2007-12-09 14:28:01 0 d-------- C:\Program Files\Common Files\Kodak
2007-11-16 21:23:25 0 d-------- C:\Documents and Settings\Jeff\Application Data\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/13/2003 08:27 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/21/2003 08:34 PM]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [09/19/2003 02:46 PM]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [11/23/2002 02:15 AM]
"Logitech Utility"="Logi_MwX.Exe" [11/08/2002 02:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [07/15/2004 11:42 AM]
"nwiz"="nwiz.exe" [07/15/2004 11:42 AM C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [07/15/2004 11:42 AM]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/26/2004 07:06 AM C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [11/09/2006 03:07 PM]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" []
"LexPPS.exe"="C:\WINDOWS\system32\lexpps.exe" [03/26/2003 07:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"LDM"="\Program\BackWeb-8876480.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Jeff\Application Data\vwfje.exe" [01/10/2008 06:19 PM]
"Awola"="C:\Documents and Settings\Jeff\Application Data\Awola\Awola.exe" []

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 7:00:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 7:00:00 AM]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [6/21/2007 10:56:14 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [10/31/2003 10:45:32 PM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [11/8/2005 7:24:22 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - NBVTPSPLGJPT
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- End of Deckard's System Scanner: finished at 2008-01-12 22:26:06 ------------
Attached Files
File Type: txt extra.txt (17.9 KB, 2 views)
File Type: txt Activescan.txt (47.8 KB, 2 views)

Last edited by Treesquid; 01-12-2008 at 09:38 PM.
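Added example (my own code, not from this thread, from HijackThis, or from Deckard's System Scanner): a small Python triage pass over the O4 autorun lines of the HijackThis-format log posted above. It pulls the launched program out of each Run entry and flags what an analyst checks first in such a log: a program started from a user-writable profile directory, a Microsoft-sounding entry name whose program lives outside the Windows and Program Files trees, a bare or relative filename that Windows resolves through the search path, and a name on a watchlist. The sample lines are copied from the posted log; the watchlist (only the product named in this thread) and the heuristics themselves are my assumptions, not any vendor's rules.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the O4 (autorun) entries copied from the HijackThis-format
# log posted in this thread. A real run would read the whole saved log file.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Jeff\Application Data\vwfje.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Jeff\Application Data\Awola\Awola.exe" /MIN
"""

# O4 Run-key lines: "O4 - HKLM\..\Run: [entry name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First program-like token of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^\s*"?(?P<exe>.*?\.(?:exe|dll|scr|bat|cmd))\b', re.IGNORECASE)

# Heuristic lists (assumptions for this example, not a product's rule set).
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\documents and settings\\")
WATCHLIST = ("awola",)  # constructed from the product named in this thread


@dataclass
class Finding:
    hive: str
    name: str
    command: str
    executable: str
    reasons: List[str] = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program an O4 entry launches; for rundll32 hosts, return the hosted DLL."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip().strip('"')
    exe = m["exe"]
    if exe.lower().endswith("rundll32.exe"):
        hosted = EXE_RE.match(cmd[m.end():])
        if hosted:
            return hosted["exe"]
    return exe


def triage_o4(log_text: str) -> List[Finding]:
    """Parse every O4 Run entry in a HijackThis-style log and return the ones worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m["name"], m["cmd"]
        exe = executable_of(cmd)
        low = exe.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable profile location")
        if re.search(r"microsoft|windows", name, re.I) and not low.startswith(SYSTEM_ROOTS):
            reasons.append("Microsoft-sounding name but program outside Windows/Program Files")
        if any(w in low or w in name.lower() for w in WATCHLIST):
            reasons.append("matches watchlist")
        if "\\" not in exe:
            reasons.append("bare filename: resolved via the search path, verify which file runs")
        elif not re.match(r"^[a-z]:\\", low):
            reasons.append("relative path: no drive letter, verify where it resolves")
        if reasons:
            findings.append(Finding(m["hive"], name, cmd, exe, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] -> {f.executable}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the two entries a reviewer would pick out of the posted log (the "Microsoft Windows Adapter" entry pointing at vwfje.exe in Application Data, and the Awola entry) each carry two reasons, while DVDSentry, ctfmon.exe and the Java updater pass untouched; the bare BCMSMMSG.exe and the relative LDM path are reported at a lower level as "verify", which is why the registry dump section of the scanner resolves such names to full paths.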
Post #2, 01-16-2008, 08:26 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

Bump, any help would be appreciated. thx

- Installed Java 6.4
Post #3, 01-21-2008, 07:05 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

bump, this thing has just about taken over my computer.
Post #4, 01-21-2008, 07:14 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Location: Transylvania County, North Carolina, USA; OS: 2000 Pro; XP Pro; XP Home)
Re: AWOLA scareware help needed, Log posted inside.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

If you have any questions during the process...Stop and ask them.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Post #5, 01-22-2008, 08:06 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

Question, installed ComboFix and it runs through 38 stages and then produced this screenshot and then shut down. Do I need to reinstall or do I need to do anything else? I tried with and without antivirus and got the same results.
Attached Files
File Type: doc Doc2.doc (456.0 KB, 6 views)
Post #6, 01-22-2008, 08:16 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Re: AWOLA scareware help needed, Log posted inside.

Let me look into this, and I'll get back to you as soon as I can. It may be a while.

In the meantime, is there a log located at C:\ComboFix.txt ?
Post #7, 01-22-2008, 08:18 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

Yes, this is the entire file
Quote:
ComboFix 08-01-23.1 - Jeff 2008-01-22 21:13:11.12 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.482 [GMT -7:00]
Running from: C:\Documents and Settings\Jeff\Desktop\ComboFix.exe
.
Post #8, 01-22-2008, 08:19 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Re: AWOLA scareware help needed, Log posted inside.

That's at C:\ComboFix.txt

or

C:\ComboFix\ComboFix.txt
Post #9, 01-22-2008, 08:26 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

yes, here is the file itself attached.

Thanks for the help so far!
Attached Files
File Type: txt ComboFix.txt (211 Bytes, 4 views)
Post #10, 01-22-2008, 08:37 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Re: AWOLA scareware help needed, Log posted inside.

Sorry, I'm just trying to clarify to better understand what I'm seeing. This was at C:\ComboFix.txt, correct?
Post #11, 01-22-2008, 08:43 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

Quote:
Originally Posted by tetonbob
Sorry, I'm just trying to clarify to better understand what I'm seeing. This was at C:\ComboFix.txt, correct?
no problem, yes it was at C:\ComboFix.txt

and to be clear, I typed that path into my internet explorer and I looked for that file directly through the windows explorer path. Came up the same both times.
Post #12, 01-22-2008, 08:44 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Re: AWOLA scareware help needed, Log posted inside.

Thanks, it's getting late for me, and I wanted to make sure.

Can you also post a new HijackThis log, please?
Post #13, 01-22-2008, 08:47 PM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Re: AWOLA scareware help needed, Log posted inside.

Also, copy/paste this into your Run box, and press Enter:

C:\Qoobox\ComboFix-quarantined-files.txt

If a log opens, post that as well.
Post #14, 01-22-2008, 08:51 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

Quarantine first

Quote:
2007-04-28 08:58 89 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Jeff\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol.vir
2008-01-10 20:01 716800 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Jeff\Application Data\Awola\Awola001.bas.vir
2008-01-14 19:53 352 --a------ C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.dat
2008-01-20 21:32 24 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Jeff\Application Data\Awola\settings.ini.vir
2008-01-20 21:32 480768 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Jeff\Application Data\Awola\Awola.exe.vir
2008-01-21 20:04 1787 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Jeff\Start Menu\Programs\Awola\Uninstall Awola Anti-Spyware 6.0.lnk.vir
2008-01-21 20:04 845 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Jeff\Start Menu\Programs\Awola\Awola Anti-Spyware 6.0.lnk.vir
2008-01-21 20:14 3656 --a------ C:\Qoobox\Quarantine\C\ComboFix\errdbg.dat.vir
Post #15, 01-22-2008, 08:56 PM, by Treesquid (Registered User, OS: xp)
Re: AWOLA scareware help needed, Log posted inside.

Now the Hijack This Log

Deckard's System Scanner v20071014.68
Run by Jeff on 2008-01-22 21:53:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Jeff.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54, on 2008-01-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jeff\Application Data\vwfje.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jeff\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jeff.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Jeff\Application Data\vwfje.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.2.76.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1134097529950
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...ra/Coupons.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.slotchbar.com/ist/softwar...ist_remove.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7644 bytes

-- Files created between 2007-12-22 and 2008-01-22 -----------------------------

2008-01-22 21:53:41 0 d-------- C:\Program Files\Trend Micro
2008-01-22 20:24:53 0 d-------- C:\cmdcons
2008-01-22 19:23:15 0 --ahs---- C:\Documents and Settings\Jeff\Application Data\0025c42d2f.dat
2008-01-20 21:32:19 480768 --a------ C:\Documents and Settings\Jeff\installer.exe <Not Verified; winxp; winxp awola>
2008-01-12 22:10:23 0 d-------- C:\Program Files\SpywareBlaster
2008-01-12 20:36:09 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-12 20:04:32 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-12 19:03:01 0 d-------- C:\Documents and Settings\Jaime\Application Data\vlc
2008-01-10 21:09:36 0 d-------- C:\Documents and Settings\Jaime\Application Data\Turbine
2008-01-10 20:15:23 0 --ahs---- C:\Documents and Settings\Jeff\Application Data\.dat
2008-01-10 19:16:19 0 d--h----- C:\WINDOWS\PIF
2008-01-10 18:19:32 6656 --a------ C:\Documents and Settings\Jeff\Application Data\vwfje.exe
2008-01-10 18:19:29 6656 --a------ C:\QQMg.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-22 20:38:13 52158 --a------ C:\logfile
2008-01-20 21:44:54 0 d-------- C:\Program Files\StarWarsGalaxies
2008-01-16 17:08:07 5580 --a------ C:\pass.dat
2008-01-14 20:16:58 0 d-------- C:\Program Files\Java
2008-01-12 20:55:07 0 d-------- C:\Program Files\Messenger
2008-01-12 20:48:57 0 d-------- C:\Program Files\Common Files\ReGet Shared
2008-01-12 19:56:55 0 d-------- C:\Program Files\Lavasoft
2008-01-12 19:56:53 0 d-------- C:\Documents and Settings\Jeff\Application Data\Lavasoft
2008-01-12 19:51:00 0 d-------- C:\Documents and Settings\Jeff\Application Data\Adobe
2008-01-11 20:20:24 0 d-------- C:\Program Files\QuickTime
2008-01-11 20:15:21 0 d-------- C:\Program Files\EA SPORTS
2008-01-10 19:40:31 0 d-------- C:\Program Files\LucasArts
2008-01-10 19:40:22 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-10 19:38:06 0 d-a------ C:\Program Files\Common Files
2008-01-10 19:34:50 0 d-------- C:\Program Files\Common Files\Adobe
2008-01-10 19:34:35 0 d-------- C:\Program Files\DivX
2008-01-10 19:33:53 0 d-------- C:\Program Files\mozilla.org
2008-01-10 18:56:53 0 d-------- C:\Program Files\Wings Over Europe
2007-12-18 16:11:13 0 d-------- C:\Documents and Settings\Jeff\Application Data\AdobeUM
2007-12-10 11:07:37 1281 --a------ C:\WINDOWS\checkip.dat
2007-12-10 11:00:52 0 d-------- C:\Program Files\MSXML 4.0
2007-12-09 14:29:12 0 d-------- C:\Program Files\Kodak
2007-12-09 14:28:01 0 d-------- C:\Program Files\Common Files\Kodak


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 C:\WINDOWS\BCMSMMSG.exe]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 08:27]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-21 20:34]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-09-19 14:46]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-11-23 02:15]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42]
"nwiz"="nwiz.exe" [2004-07-15 11:42 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-15 11:42]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 07:06 C:\WINDOWS\KHALMNPR.Exe]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"LDM"="\Program\BackWeb-8876480.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Jeff\Application Data\vwfje.exe" [2008-01-10 18:19]

C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 07:00:00]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 22:56:14]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2003-10-31 22:45:32]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2005-11-08 19:24:22]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-01-22 21:54:47 ------------

Last edited by tetonbob; 01-22-2008 at 08:59 PM.
Treesquid is offline  
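The helper's triage of the log above singles out a handful of O4 autorun entries (an executable in the user's Application Data directory with a Windows-sounding value name, and a short-named executable in the drive root) while leaving vendor entries under C:\WINDOWS and C:\Program Files alone. The following script, added here as an illustration and not part of this thread or of HijackThis, Deckard's System Scanner or any other tool mentioned, parses O4 lines in HijackThis format and applies those same location-based checks. The sample lines are constructed in the log's format rather than copied from the poster's machine, and the heuristics (profile or temp paths, drive-root executables, unqualified filenames, Microsoft-style names outside system directories) are the author's choice of signals, not a list from any tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis O4 format, modelled on the thread's log
# (illustrative paths, not a verbatim copy of the poster's system).
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Jeff\Application Data\vwfje.exe',
    r'O4 - HKCU\..\Run: [QQMg] C:\QQMg.exe',
    r'O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE',
]

# "O4 - HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O4 - Global Startup: Shortcut.lnk = target path"
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')

# Heuristic: directories an unprivileged user can write to (assumption, XP layout).
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\local settings\\', '\\temp\\')
SYSTEM_DIRS = ('c:\\windows\\', 'c:\\program files\\')


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str):
    """Return (hive, value name, command line) for an O4 line, or None."""
    m = RUN_RE.match(line)
    if m:
        return m.group('hive'), m.group('name'), m.group('cmd')
    m = STARTUP_RE.match(line)
    if m:
        return 'Startup', m.group('name'), m.group('cmd')
    return None


def executable_of(cmd: str) -> str:
    """Pull the launched image out of a command line; for rundll32 take the hosted DLL."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.*?\.(?:exe|dll|scr|com))', cmd, re.IGNORECASE)
    target = m.group(1) if m else cmd.split()[0]
    if target.lower().endswith('rundll32.exe'):
        rest = cmd[len(target):].strip()
        m2 = re.match(r'(.*?\.dll)', rest, re.IGNORECASE)
        if m2:
            return m2.group(1)
    return target


def signals(name: str, path: str) -> list:
    """Location-based risk signals for one autorun entry (author's heuristics)."""
    reasons = []
    low = path.lower()
    has_dir = '\\' in path
    if not has_dir:
        reasons.append('unqualified filename (resolved through the search path)')
    elif re.match(r'^[a-z]:\\[^\\]+$', low):
        reasons.append('executable sitting in the drive root')
    elif any(tok in low for tok in USER_WRITABLE):
        reasons.append('executable in a user-writable profile or temp location')
    if (re.search(r'microsoft|windows', name, re.IGNORECASE) and has_dir
            and not low.startswith(SYSTEM_DIRS)):
        reasons.append('Microsoft/Windows-style name outside a system directory')
    return reasons


def triage(lines) -> list:
    """Return a Finding for every O4 entry that raises at least one signal."""
    findings = []
    for line in lines:
        parsed = parse_o4(line)
        if not parsed:
            continue
        hive, name, cmd = parsed
        path = executable_of(cmd)
        reasons = signals(name, path)
        if reasons:
            findings.append(Finding(hive, name, path, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_O4_LINES):
        print(f'{f.hive:8} [{f.name}] {f.path}')
        for r in f.reasons:
            print(f'           - {r}')
```

Run against the constructed lines it flags three entries: the unqualified BCMSMMSG.exe (worth a look, though here it is a legitimate modem helper in C:\WINDOWS, which is why a location signal alone is never a verdict), the drive-root QQMg.exe, and the Application Data executable that also trips the name/location mismatch; ctfmon.exe, the NVIDIA DLL and the Office shortcut pass. The script only narrows the list; the hash lookup and sample submission the helper asks for are what actually confirm a hit.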
Old 01-22-2008, 09:01 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


Re: AWOLA scareware help needed, Log posted inside.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\QQMg.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 01-22-2008, 09:27 PM   #17 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 23
OS: xp


Re: AWOLA scareware help needed, Log posted inside.

File QQMg.exe_ received on 01.23.2008 06:16:07 (CET)
Current status: finished

Result: 5/32 (15.62%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.1.23.10 2008.01.22 -
AntiVir 7.6.0.48 2008.01.22 -
Authentium 4.93.8 2008.01.22 -
Avast 4.7.1098.0 2008.01.22 -
AVG 7.5.0.516 2008.01.22 -
BitDefender 7.2 2008.01.23 -
CAT-QuickHeal 9.00 2008.01.22 -
ClamAV 0.91.2 2008.01.22 -
DrWeb 4.44.0.09170 2008.01.22 -
eSafe 7.0.15.0 2008.01.16 suspicious Trojan/Worm
eTrust-Vet 31.3.5477 2008.01.22 -
Ewido 4.0 2008.01.22 -
FileAdvisor 1 2008.01.23 -
Fortinet 3.14.0.0 2008.01.23 -
F-Prot 4.4.2.54 2008.01.23 -
F-Secure 6.70.13260.0 2008.01.23 -
Ikarus T3.1.1.20 2008.01.23 -
Kaspersky 7.0.0.125 2008.01.23 -
McAfee 5213 2008.01.22 -
Microsoft 1.3109 2008.01.22 TrojanDownloader:Win32/Renos.gen!A
NOD32v2 2815 2008.01.22 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.01.22 -
Panda 9.0.0.4 2008.01.22 Suspicious file
Prevx1 V2 2008.01.23 Heuristic: Suspicious File With Code Injection Technology
Rising 20.28.12.00 2008.01.22 -
Sophos 4.24.0 2008.01.23 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.23 -
TheHacker 6.2.9.195 2008.01.23 -
VBA32 3.12.2.5 2008.01.21 -
VirusBuster 4.3.26:9 2008.01.22 -
Webwasher-Gateway 6.6.2 2008.01.22 -
Additional information
File size: 6656 bytes
MD5: 8503989a75d26b9f3c773a18ae887a61
SHA1: d6b2209fe853f9e6ed86772ecf1ae5c3bc5d1d45
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://info.prevx.com/aboutprogramte...C18D00D2DF228D


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
Treesquid is offline  
Old 01-22-2008, 09:34 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


Re: AWOLA scareware help needed, Log posted inside.

Thanks.

Please bear with me while I contact the tool author. If you could collect and upload samples of these files, it will help us help others.



Please download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.


Paste the following list of bad files into the Suspicious File Packer window:
C:\Documents and Settings\Jeff\installer.exe
C:\Documents and Settings\Jeff\Application Data\vwfje.exe
C:\QQMg.exe
Allow SFP to pack the files by clicking Continue.
This will generate a CAB archive on your desktop named requested-files[Date/Time].cab.
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4 and include a link to this topic in the message.
You can then delete the requested-files.cab file from your desktop, once you have uploaded it to the above recipient.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 01-22-2008, 09:45 PM   #19 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 23
OS: xp


Re: AWOLA scareware help needed, Log posted inside.

Thank you, I am lost. I need to read this through without my 6-week-old screaming in my ears. I will post later.

Jeff
Treesquid is offline  
Old 01-22-2008, 11:47 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,560
OS: 2000 Pro; XP Pro; XP Home


Re: AWOLA scareware help needed, Log posted inside.

Hi Jeff -

ComboFix is frequently updated.

Please delete your existing version, and get the latest version from one of the links below.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disconnect from the internet....pull the plug!
  3. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  4. Double click on combofix.exe & follow the prompts. Type 1, then press Enter to start the fix.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  8. Re-establish an internet connection.
  9. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Copyright 2001 - 2009, Tech Support Forum