Operating System = Windows XP
A couple of days ago I was doing some stuff online at 7:45pm, preoccupied and in somewhat of a rush. I got a popup menu that a trojan had been found. I assumed it was from my McAfee Security Centre (as this has happened several times before) but I didn't really look at it that closely, and selected okay (I think). I then started to receive a bunch of popups about Spyware, and Awola spyware removal program. I kept closing them because I was in a rush, didn't really look that closely, thought it was just ads and may very well have clicked something I shouldn't have. I did see the Awola Program box come up at one point and I thought I attempted to close it, but I may have clicked on something inadvertently.
Upon rebooting later, I realized that the computer was probably infected. I cannot click or open any application; when double-clicking an icon or program name I always receive the same error message (tailored to whatever application I attempted to open). A black empty box appears, along with a window above it which reads like this:
16-bit MS-DOS Subsystem
C:\Documents and Settings\All Users\Desktop\Winamp.Ink
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application.
The above error message appears when attempting to open Winamp. If it's a different program the C: line is different, related to the program in question. Everything else is the same. There are 20 or 30 of these boxes when the computer is first turned on, as nothing will open properly.
I checked the McAfee logs, and there's a long list of "Real-time virus protection was enabled". However, there are 4 different entries that occurred at the exact time this all began.
7:45, 7:45, 7:50, 7:53: SystemGuards have allowed a one-time change to your computer. All 4 are Rule Type: Registry
7:45 Process: C:\WINDOWS\SYSTEM32\~.exe\longnumbersequence\Software\Microsoft\Windows\Currentversion\Run\AutoloadC:\Documentsandsettings\myusername\cftmon.exe
7:45 similar to above, ending in C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe
7:50 Temp file info and Microsoft Windows Adapter, ending in jbhoz.exe
7:53 This one refers to the addition of the Awola antispyware program (awola6.exe) to the registry.
I am now able to access most programs (like going online, or opening Winamp) by right-clicking the icon, and selecting "Run as", and then 'current user'. This has been reassuring and useful so that I can use the computer, but obviously this is not an acceptable way to go forward, and Awola and its assorted idiocy needs to be fully removed from my computer, if humanly possible.
(1) I did some searching online for Awola-related assistance, and found one set of instructions (from Symantec) about turning off system restore, running a full virus scan, and heading into the registry (START>RUN) to type 'regedit' in order to remove the Awola listing from the registry editor. However, after entering regedit I receive the same error message listed above.
(2) I found another board suggesting that HijackThis was a useful program for this type of thing, and I managed to download and install it. However, I cannot run it. Double-clicking the icon or selecting it from the All Programs list results in the error message listed above. Right-clicking and selecting "Run as" brings up this error message:
Run-time error '481':
(3) I found an alternate instruction on this site, suggesting the downloading of SmitFraudFix and saving it to the desktop, rebooting the computer in safe mode, and then double-clicking the SF icon. I tried this, but double-clicking the icon results in the same error message listed above even in safe mode. I then tried to right-click for "Run as" and I can't remember exactly what happened, but either the "Run As" option was not there, or it resulted in an error message when selected.
Awola is listed under "All Programs", but selecting "Uninstall Awola anti spyware 6.0" just results in the error message listed above. I tried to find an Awola file folder in My Computer to delete, but was unable to locate it.
I am very hopeful that there will be a relatively painless solution to this problem. It may be as simple as removing the Awola entry from the registry, and running HijackThis and / or SmitFraudFix, but I cannot get any of these apps to work. Please Help!!!
Edited by strawberryfields, 25 April 2008 - 03:07 PM.