AWOLA antispy and "Your Computer is Infected"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kilgore, Dec 18, 2007.

  1. kilgore

    kilgore Private E-2

    I'm in an identical situation to another post. I'm not sure though if the response to other post was based on the reports or not. So, like the other guy:

    Ran all the "READ & RUN ME FIRST" (Win XP) steps. Still have popups from yield sign in tray that say "Your computer is infected!" Also still have Awola Anti-spyware that either Spybot S&D or AVG had detected, and I thought, deleted.

    Thank you so much for this forum!! Just let me know if I should simply follow what the other thread described.
     


  2. abri

    abri MajorGeek

    Hi kilgore!
    I'll take a look at your logs and get back to you. This takes some time, so thanks for your patience. Please don't use your computer too much until we're sure it's clean.
    abri
     
  3. abri

    abri MajorGeek

    Hi kilgore!
    Please do the following:

    1) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2_03

    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Make sure you tell me how things are working now!


    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    7) Please run C:\MGTools.exe again (located under C:\ ) and attach a fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now?

    abri
     
  4. kilgore

    kilgore Private E-2

    Dearest abri,
    Thank you for helping me.

    So after running avenger, upon reboot AWOLA was up and running while avenger was enacting the file deletions. I tried to stop it but it didn't fully close until after avenger finished.

    I then ran ATF and MGTools.

    Awola is still opening upon start up and I still get the constant message from a yield sign in my tray that says "Your computer is infected!".

    I've attached the avenger log and the latest MGlogs.zip
     


  5. abri

    abri MajorGeek

    Hi Kilgore!

    1)
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Jacqueline Lounsbury\Application Data\iynliz.exe
    O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Jacqueline Lounsbury\Application Data\Awola\Awola.exe" /MIN

    Don't forget to close all browser windows before clicking on fix. After you click fix, just close hijackthis.

    2) Run Avenger again as follows:
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    3) Please run ATF Cleaner This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
    Last edited by a moderator: Dec 19, 2007
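
As an added example, not part of the original thread: a small Python triage script that parses HijackThis O4 (Run key) lines like the ones abri asked kilgore to fix and flags the two things a helper looks for in them, an executable launched from the user's Application Data folder and a value name that misspells a vendor name. The sample log lines are constructed from the thread's entries with the real user name replaced by the placeholder 'Owner'; the heuristics and the similarity threshold are my own assumptions, not anything HijackThis itself does.

```python
import re
from difflib import SequenceMatcher

# HijackThis O4 line: hive, Run/RunOnce key, [value name], command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Profile locations where a startup executable is rarely legitimate (heuristic, my assumption).
USER_WRITABLE = ("\\application data\\", "\\local settings\\")
VENDOR_WORDS = ("microsoft", "windows")
# Constructed sample log modelled on the thread's entries; 'Owner' is a placeholder user name.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsft Windows Adapter 5.1.3013] C:\Documents and Settings\Owner\Application Data\iynliz.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Owner\Application Data\Awola\Awola.exe" /MIN
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
""".strip().splitlines()

def parse_o4(line):
    """Split an O4 line into hive, key, name and executable path; None for other line types."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]          # quoted path; arguments follow the closing quote
    else:
        m2 = re.match(r"(?i)(.*?\.exe)", cmd)  # unquoted path may contain spaces: cut at .exe
        exe = m2.group(1) if m2 else cmd.split(" ")[0]
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"), "exe": exe}

def lookalike_vendor(name):
    """True if a word of the value name nearly, but not exactly, spells a vendor word."""
    return any(0.8 <= SequenceMatcher(None, w, v).ratio() < 1.0
               for w in name.lower().split() for v in VENDOR_WORDS)

def assess(line):
    """Parse one line and attach the reasons it looks suspicious (empty list if none)."""
    entry = parse_o4(line)
    if entry is None:
        return None
    entry["reasons"] = []
    if any(p in entry["exe"].lower() for p in USER_WRITABLE):
        entry["reasons"].append("runs from a user-writable profile directory")
    if lookalike_vendor(entry["name"]):
        entry["reasons"].append("value name misspells a vendor name")
    return entry

def triage(lines):
    """Return only the O4 entries that triggered at least one heuristic."""
    return [e for e in map(assess, lines) if e and e["reasons"]]
```

Run `triage(SAMPLE_LOG)` to see the two entries from the thread flagged while the QuickTime and Symantec lines pass; on a real log, feed it the O4 lines from a HijackThis scan.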
  6. kilgore

    kilgore Private E-2

    abri,
    So that seems to have gotten that nasty thing. No more annoying warnings or Awola "antispy". :cool THANK YOU!!
    Before your last reply I ended up running SpyBot and killing Awola one more time before running Avenger; that's why the Avenger log says it couldn't find it. I hope that doesn't mess anything up.
    I assume you still want to check the logs requested in the last post so here they are.
     


  7. abri

    abri MajorGeek

    Hi kilgore!
    It's looking better. There's still one stubborn file. Please run Avenger again followed by ATF Cleaner, just like you did in post # 5 only this time I would like for you to copy and paste the following:


    Then please go back to post #3, step #3 and install the current Java version. You'll find a link there.

    When you've finished the above (Avenger, ATF-Cleaner and installing the Java) please attach a fresh MGlogs.zip again so I can see if that one last file is gone.

    If your machine is clean, I will post our final cleanup instructions for you which will include setting a clean restore point.

    abri

     
  8. kilgore

    kilgore Private E-2

    abri,
    I wasn't sure if there was going to be another reply, so I downloaded Firefox and Avast. I think Avast killed that last file. :eek:
    I just ran Avenger and ATF, downloaded the new Java, and here's the MGlogs.zip with the Avenger file:
     


  9. abri

    abri MajorGeek

    Hi Kilgore!

    1) I believe I named the file incorrectly. Please try deleting it one more time using Avenger, again, followed by ATF Cleaner. You will have to copy/paste the contents of the box into Avenger as you did before:
    2) Also, since you're using Avast now, we can get rid of a Symantec service that is still running. Please do the following:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now Click OK until you get back to Windows.
    • Next, run HJT (analyse.exe in your MGTools folder under C:\ ) but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    3) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Again, make sure ALL browser windows are closed when you click FIX.

    4) When you finish the above, please attach the Avenger log and a fresh HijackThis log which you can get by running analyse.exe and having it produce a fresh log.

    Thanks!
    abri
     
  10. kilgore

    kilgore Private E-2

    Hi Abri,
    • Step one I did no problem and the avenger log is attached
    • I then was able to disable SymWMI as in the first part of step 2
    • When I got into HijackThis and tried to set it to delete SymWSC it gave me the error "This program is system critical and cannot be deleted" I ignored this as you suggested by simply closing the error message window.
    • When I scanned with HJT the program "O23 - Service: SymWMI Service (SymWSC)" didn't appear in the list which can be seen from the HJT log. A fix was never run.

    I'm a little perplexed. How can HJT fix something that's not running? Can't I just remove Symantec with Add/Remove in the control panel?
     


  11. abri

    abri MajorGeek

    Hi kilgore,
    Symantec is not easy to get out of the computer. It's not enough to go to add/remove programs and remove their programs. There is a tool called the Norton Removal Tool (SymNRT) which they also have at their website and if the automated removal tool doesn't work, there are additional manual removal instructions. The problem with having leftover Symantec files and running services is that they interfere with other antivirus programs. You can still run the Norton Removal Tool if you are worried the service may still be there. I expect it's turned off now and therefore no longer of interest to hijackthis.

    How is your computer doing now? I will post you our final clean-up instructions. This includes removing all our tools and the resulting logs, setting a clean restore point and giving you a link to some light reading on How to protect yourself from malware. I highly recommend taking the time to read through that page, as there is some very difficult malware that's just surfaced and using good sense and good precautions is a good idea right now.

    abri
     
  12. kilgore

    kilgore Private E-2

    abri,
    I just wanted to let you know that the computer is running fine, although it seems slower when starting up certain things, like when turning it on or starting Firefox. I just figure that's because of the antivirus and antispyware stuff I'm using (Avast and AVG Anti-Spyware respectively). Is there some optimal way to configure these, or is it best to just let them have their way? It wasn't clear how to set the priority levels correctly for the automatic 'behind the scenes' scanning.
    Just today I ran into a problem (perhaps unrelated) when trying to upload some photos on MySpace :eek: There was a note on the page that said I either didn't have JavaScript turned on or didn't have the current Flash player; the browser fails consistently when I go to this page. How can I tell if JavaScript is turned on?
    Anyway, I think you've basically solved my malware problem for which I am very very grateful. I hope I will not need to use this forum much more, but I am glad to know you are here.
    THANKS!!
    -kilgore
     
  13. abri

    abri MajorGeek

    Hi kilgore,

    In Firefox, go to extra and options and click on the content tab. See that the boxes for enabling java script and java are ticked.

    Also, I think Symantec Live Update may still be active on your computer. If you would like for me to check, please go to the READ & RUN ME FIRST and scroll down to the bottom to the instructions for your operating system, click on that and find the MGTools instructions on the next page. Reinstall the MGTools and attach the new MGlogs.zip that it produces to your next post. I'll see if that might still be active.

    And ... if you did not pay for the AVG Antispyware, please uninstall it. It doesn't need to be running.

    You may need to get an updated Flash Player. They update often. Just allow it to install.

    Remember that MySpace is a risk. Know who you're downloading from.

    abri
     
  14. kilgore

    kilgore Private E-2

    abri,
    The computer was extra slow to reboot just now and for some reason Firefox wouldn't open until I rebooted. Weird.
    So here's the log:
     


  15. abri

    abri MajorGeek

    Hi kilgore,
    If the AVG antispyware is the trial version, just uninstall it via add/remove programs.
    Also, if you have the activation key for Comodo Pro, I would like to suggest that you uninstall that as well and see if this is influencing your bootup time and your Firefox connection. I tend to recommend Zone Alarm over Comodo because it's easier to use, but hate to suggest this if you just went out and bought the pro version of Comodo.

    If you went through the cleanup procedures, you won't have HijackThis installed anymore. If you did not go through the clean-up procedures, just wait and come back to them. Either way, I would like for you to run HijackThis. If you've already uninstalled it, please go to Downloading, Installing and Running HijackThis. Once it's installed correctly (in its own folder under C:\ ), please start it, select 'Do a system scan only' and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    Optionally fix these if you don't need them.

    O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

    Run CCleaner at the default setting with the windows tab as the one showing on top.

    Tell me what results you get after these changes.
    abri
     