
Infected By Awola 6.0 And Could Really Use Some Help Removing It


This topic is locked
30 replies to this topic

#1 strawberryfields

strawberryfields

  • Members
  • 39 posts

Posted 25 April 2008 - 01:42 PM

Hi there, I believe my computer was recently infected by the Awola Virus / Trojan, and I could really use some assistance. I thank you in advance for any suggestions and help, they are appreciated. I'll put up a detailed description here of what's happened so far, and can certainly provide any additional information that may be required. My computer knowledge is okay, but very limited in terms of spyware and troubleshooting complex problems like this one.

Operating System = Windows XP

A couple of days ago I was doing some stuff online at 7:45pm, preoccupied and in somewhat of a rush. I got a popup menu that a trojan had been found, I assumed it was from my McAfee Security Centre (as this has happened several times before) but I didn't really look at it that closely, and selected okay (I think). I then started to receive a bunch of popups about Spyware, and Awola spyware removal program. I kept closing them because I was in a rush, didn't really look that closely, thought it was just ads and may very well have clicked something I shouldn't have. I did see the Awola Program box come up at one point and I thought I attempted to close it, but I may have clicked on something inadvertently.

Upon rebooting later, I realized that the computer was probably infected. I cannot click or open any application; by double-clicking an icon or program name I always receive the same error message (tailored to whatever application I attempted to open). A black empty box appears, along with a window above it which reads like this:

16-bit MS-DOS Subsystem

C:\Documents and Settings\All Users\Desktop\Winamp.Ink
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application.
<CLOSE> <IGNORE>

The above error message appears when attempting to open Winamp. If it's a different program the C: line is different, related to the program in question. Everything else is the same. There are 20 or 30 of these boxes when the computer is first turned on, as nothing will open properly.

I checked the McAfee logs, and there's a long list of "Real-time virus protection was enabled". However, there are 4 different entries that occurred at the exact time this all began.

7:45, 7:45, 7:50, 7:53: SystemGuards have allowed a one-time change to your computer. All 4 are Rule Type: Registry

7:45 Process: C:\WINDOWS\SYSTEM32\~.exe\longnumbersequence\Software\Microsoft\Windows\Currentversion\Run\AutoloadC:\Documentsandsettings\myusername\cftmon.exe

7:45 similar to above, ending in C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe

7:50 Temp file info and Microsoft Windows Adapter, ending in jbhoz.exe

7:53 This one refers to the addition of the Awola antispyware program (awola6.exe) to the registry.

I am now able to access most programs (like going online, or opening Winamp) by right-clicking the icon, and selecting "Run as", and then 'current user'. This has been reassuring and useful so that I can use the computer, but obviously this is not an acceptable way to go forward, and Awola and its assorted idiocy needs to be fully removed from my computer, if humanly possible.

Attempted Troubleshooting:

(1) I did some searching online for Awola-related assistance, and found one set of instructions (from Symantec) about turning off System Restore, running a full virus scan, and heading into the registry (START>RUN) to type 'regedit' in order to remove the Awola listing from the registry editor. However, after entering regedit I receive the same error message listed above.

(2) I found another board suggesting that HijackThis was a useful program for this type of thing, and I managed to download and install it. However, I cannot run it. Double-clicking the icon or selecting it from the All Programs list results in the error message listed above. Right-clicking and selecting "Run as" brings up this error message:

Run-time error '481':
Invalid Picture

(3) I found an alternate instruction on this site, suggesting the downloading of SmitFraudFix and saving it to the desktop, rebooting the computer in safe mode, and then double-clicking the SF icon. I tried this, but double-clicking the icon results in the same error message listed above even in safe mode. I then tried to right-click for "Run as" and I can't remember exactly what happened, but either the "Run As" option was not there, or it resulted in an error message when selected.

Awola is listed under "All Programs", but selecting "Uninstall Awola anti spyware 6.0" just results in the error message listed above. I tried to find an Awola file folder in My Computer to delete, but was unable to locate it.

I am very hopeful that there will be a relatively painless solution to this problem. It may be as simple as removing the awola entry from the registry, and running Hijackthis and / or Smitfraud, but I cannot get any of these apps to work. Please Help!!!

Edited by strawberryfields, 25 April 2008 - 03:07 PM.
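The McAfee SystemGuards entries above are the one piece of hard evidence in this post: four Run-key changes pointing at cftmon.exe in the user profile, spools.exe in the drivers directory, jbhoz.exe in Temp, and awola6.exe. The script below is an added example, not something posted in the thread, showing how an analyst would triage Run-key entries of that shape; the entry lines and the "name = path" layout are constructed for the example, and the known-good binary list is a hypothetical minimal one.

```python
"""Added example: heuristic triage of registry Run-key autostart entries.

Flags the patterns seen in the poster's McAfee log: executables launched from a
user profile or Temp directory, an .exe placed in system32\\drivers (which
normally holds only .sys files), and file names one typo away from a genuine
Windows binary (cftmon.exe vs ctfmon.exe, spools.exe vs spoolsv.exe).
"""
import re
from difflib import SequenceMatcher

# Hypothetical minimal list of legitimate Windows binaries that autostart
# malware commonly imitates; a real tool would carry a far longer list.
KNOWN_GOOD = {"ctfmon.exe", "spoolsv.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

# Matches paths under the XP user-profile root (long or 8.3 short form).
USER_PROFILE = re.compile(r"^C:\\(Documents and Settings|DOCUME~1)\\", re.IGNORECASE)

# Constructed sample entries in "<value name> = <path>" form, modelled on the
# four SystemGuards events in the post plus one legitimate ctfmon entry.
SAMPLE_RUN_ENTRIES = [
    r"Autoload = C:\Documents and Settings\myusername\cftmon.exe",
    r"spools = C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe",
    r"Adapter = C:\DOCUME~1\myusername\LOCALS~1\Temp\jbhoz.exe",
    r"Awola = C:\Program Files\Awola\awola6.exe",
    r"ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe",
]


def lookalike(name):
    """Return the legitimate binary `name` most resembles, or None when the
    name is itself legitimate or is not close to any known-good name."""
    if name in KNOWN_GOOD:
        return None
    best = max(KNOWN_GOOD, key=lambda g: SequenceMatcher(None, name, g).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= 0.8 else None


def assess(entry):
    """Return (path, reasons) for one 'name = path' Run-key entry."""
    _, _, path = entry.partition(" = ")
    path = path.strip()
    name = path.rsplit("\\", 1)[-1].lower()
    lowered = path.lower()
    reasons = []
    imitated = lookalike(name)
    if imitated:
        reasons.append(f"name imitates {imitated}")
    if USER_PROFILE.match(path):
        reasons.append("runs from a user profile directory")
    if "\\temp\\" in lowered:
        reasons.append("runs from a Temp directory")
    if "\\system32\\drivers\\" in lowered and name.endswith(".exe"):
        reasons.append(".exe in the drivers directory (normally .sys only)")
    return path, reasons


def triage(entries):
    """Return {path: reasons} for every entry that trips at least one check."""
    return {path: reasons for path, reasons in map(assess, entries) if reasons}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RUN_ENTRIES).items():
        print(path, "->", "; ".join(reasons))
```

Note that awola6.exe under Program Files trips none of these checks: a rogue that installs under its own name in a normal location needs reputation or signature data, which is why the thread leans on scanners rather than inspection alone.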




#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts

Posted 25 April 2008 - 04:20 PM

if you have not already done so you could try the superantispyware program?
http://www.superantispyware.com/superantis...efreevspro.html
download it from

http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

run the installation program and start the program from the desktop icon; fully update the definitions, reboot the computer into safe mode if it will let you, then run superantispyware from the desktop icon on a full computer scan
when the scan is complete, reboot your computer into normal mode, and come back and post the log report you should find by opening the program and go to preferences/statistics.logs

left mouse click on the most recent entry, click on 'view log' and copy and paste that report into here for examination so folks can see what help you may need

#3 strawberryfields

strawberryfields
  • Topic Starter

  • Members
  • 39 posts

Posted 25 April 2008 - 06:19 PM

Hi.

I did DL that program (Superantispyware), and have the same problem as I've had with everything else. I can't select or double-click it, as I get the same error message as everything else:

16-bit MS-DOS Subsystem

C:\WINDOWS\system32\drivers\spools.exe
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application.
<CLOSE> <IGNORE>

And if I right-click the application and select "Run As", I get this error message:

"Corrupt installation detected".

I really hope someone can help, as this is getting more and more frustrating.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 25 April 2008 - 08:09 PM

If you can't run an executable from safe mode or normal mode, can you try last known good from the advanced safe mode screen?

http://support.microsoft.com/kb/q304449/
Chewy

No. Try not. Do... or do not. There is no try.

#5 strawberryfields

strawberryfields
  • Topic Starter

  • Members
  • 39 posts

Posted 26 April 2008 - 11:19 AM

Sorry, I'm not quite sure what you mean in that last post, or what the link is suggesting. Would you mind clarifying that for me?

Your link is about a System Restore, is it suggesting to do a system restore to a specific date (ie. restore to the day before I was infected or something?) That would be great, I just hope it's relatively simple as I am not very good with this type of stuff, and the info provided through the link is confusing.

As mentioned, I cannot open any program by double-clicking the desktop icon or selecting it from the program files list. I assume this is because there is an awola program affecting the registry and start-up menu. I can however open most programs by right-clicking the icon, and selecting "Run As". I didn't know this option existed before all this, it has enabled me to use the computer but I am starting to get more and more frustrated by this. I just want this to be resolved so that things can get back to normal, and I am very concerned about passwords and everything else as well.

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 26 April 2008 - 11:40 AM

I was making 2 suggestions to see if you could get back some functionality that you have lost

if you can get superantispyware to install and go into safe mode and run it?
Chewy

No. Try not. Do... or do not. There is no try.

#7 strawberryfields

strawberryfields
  • Topic Starter

  • Members
  • 39 posts

Posted 26 April 2008 - 06:40 PM

No, none of the spyware programs I've d/l'ed will work, including superspyware. After right-clicking and selecting "run as", the "RUN" window for the program comes up for all, but it won't install it. The error message for superspyware was: "Corrupt installation detected". I tried SmitFraudFix again in Safe Mode and the error message was this: "A device attached to the system is not functioning".

I am guessing that Awola may be corrupting the downloads, or blocking the installations.

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 26 April 2008 - 07:20 PM

and what happened with last known good configuration from safe mode boot?

and using system restore from a safe mode boot?
Chewy

No. Try not. Do... or do not. There is no try.

#9 strawberryfields

strawberryfields
  • Topic Starter

  • Members
  • 39 posts

Posted 27 April 2008 - 10:09 AM

Forgive my lack of knowledge on the subject, but I am not familiar with the "system restore" functionality. Can I restore the system to the day before I contracted this virus? If so, how would I go about doing that?

I would also require some help with your suggestion regarding "last known good configuration from safe mode boot", I'm not entirely sure what that entails or how to go about it. Can you provide step-by-step instructions for these ideas?

Thanks again for your help, I wish I had more knowledge on the subject but am concerned about screwing things up.

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 27 April 2008 - 10:43 AM

first try booting into safe mode and choose "last known good configuration" at the screen where you choose normal or safe

if that doesn't work (it probably won't) then follow the directions in the link from Microsoft to run system restore and choose a restore point before the infection

if these do not get you up to a point where you can run some scans or run HJT, then I would post in that forum anyway

It's been my limited experience that when one of these newer, more dangerous malwares gets through McAfee Security Centre, the damage to the operating system is almost unrepairable unless you can run windows as a repair disk

Some others may not agree with me, but seeing it with your eyes is another story

Edited by DaChew, 27 April 2008 - 10:48 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#11 strawberryfields

strawberryfields
  • Topic Starter

  • Members
  • 39 posts

Posted 27 April 2008 - 02:20 PM

I tried the "last known good configuration" option, but when it rebooted nothing had changed.

I also tried doing a system restore, but it won't let me do it without administrator access. Now I don't know if this has to do with Awola or my lack of knowledge, but I don't see any way to get into administrator status. I am the only one who has ever used this computer, so I assumed my main id has this access, but apparently it doesn't. If I click "Log Off" and then "Switch User", there is only one option, my main username.

How can I get into the "administrator" account? I have seen it listed in the past, so it's probably been removed by Awola, but I'm not sure. How can I do this?

You also mentioned posting on another forum, do you mean a Microsoft or HJT forum?

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 27 April 2008 - 03:45 PM

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

following the directions here

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

which you can't do

might be able to run a windows repair disk if you had a generic windows disk
Chewy

No. Try not. Do... or do not. There is no try.

#13 strawberryfields

strawberryfields
  • Topic Starter

  • Members
  • 39 posts

Posted 27 April 2008 - 04:29 PM

Hi there. Have posted this issue in the "Am I Infected" board, and was referred here. I believe my computer was recently infected by the Awola Virus / Trojan, and I could really use some help before I go completely insane. I can't do much of anything, but there must be a way to fix this. Please help!

Operating System = Windows XP

Last Thursday at 7:45pm, I got a popup stating that a trojan had been found, I assumed it was from my McAfee Security Centre (as this has happened several times before) but I didn't really look at it that closely, and selected okay (I think). I then started to receive a bunch of popups about Spyware and Awola. I kept closing them but may very well have clicked something I shouldn't have. I did see the Awola Program box come up at one point.

Upon rebooting later, I realized that the computer was probably infected. I cannot open any application or program file normally; when I double-click any icon or program name I always receive the same error message. A black empty box appears, along with a window above it which reads like this:

ERROR MESSAGE:

16-bit MS-DOS Subsystem

C:\Documents and Settings\All Users\Desktop\Winamp.Ink
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application.
<CLOSE> <IGNORE>


The above error message appeared when attempting to open Winamp, if it's a different program then the C: line is different, related to the program in question. The rest of the error message is the same. Approx. 20 of these boxes appear when the computer is first turned on, as nothing will open properly even during startup.

I checked my McAfee logs, and there are 4 different entries that occurred at the exact time this all began.

Thursday, 7:45pm, 7:45pm, 7:50pm, 7:53pm: SystemGuards have allowed a one-time change to your computer. All 4 are Rule Type: Registry

7:45 Process: C:\WINDOWS\SYSTEM32\~.exe\longnumbersequence\Software\Microsoft\Windows\Currentversion\Run\AutoloadC:\Documentsandsettings\myusername\cftmon.exe

7:45 similar to above, ending in C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe

7:50 Temp file info and Microsoft Windows Adapter, ending in jbhoz.exe

7:53 This one refers to the addition of the Awola antispyware program (awola6.exe) to the registry.

I can post these exact messages if required.

I am able to access some programs (like going online, or opening Winamp) by right-clicking the icon, and selecting "Run as", and then 'current user'. So I can use the computer to some extent, but obviously this is not an acceptable way to go forward, and Awola and its assorted idiocy needs to be fully removed from my computer, if humanly possible.

Attempted Troubleshooting:

(1) I did some searching online for Awola-related assistance, and found one set of instructions (from Symantec) about turning off System Restore, running a full virus scan, and heading into the registry (START>RUN) to type 'regedit' in order to remove the Awola listing from the registry editor. However, after entering regedit I receive the same error message listed above (16-bit MS-DOS Subsystem), so I cannot use the command prompt field.

(2) I found another board suggesting that HijackThis was a useful program for this type of thing, and I managed to download and install it. However, I cannot run it. Double-clicking the icon or selecting it from the All Programs list results in the 16-bit MS-DOS Subsystem error message listed above. Right-clicking and selecting "Run as" brings up this error message:

Run-time error '481':
Invalid Picture

(3) I found an alternate instruction on this site, suggesting the downloading of SmitFraudFix and saving it to the desktop, rebooting the computer in safe mode, and then double-clicking the SF icon. I tried this, but double-clicking the icon results in the 16-bit MS-DOS Subsystem error message listed above even in safe mode. I then tried to right-click for "Run as" and encountered this error message: "A device attached to the system is not functioning".

(4) I dl'ed Superantispyware, but have the same problem as I've had with everything else. I can't select or double-click it, as I get the same error message as everything else:

16-bit MS-DOS Subsystem

C:\WINDOWS\system32\drivers\spools.exe
The NTVDM CPU has encountered an illegal instruction.
CS:054d IP: 013d OP: f0 85 38 90 3a Choose 'Close' to terminate the application.
<CLOSE> <IGNORE>

And if I right-click the application and select "Run As", I get this error message:

"Corrupt installation detected".

(5) I tried the "last known good configuration" option, but when it rebooted nothing had changed.

I also tried doing a system restore, but it won't let me do it without administrator access in regular mode, and I cannot issue a command prompt in Safe Mode. Now I don't know if this has to do with Awola or my lack of knowledge, but I don't see any way to get into administrator status. I am the only one who has ever used this computer, so I assumed my main id has this access, but apparently it doesn't. If I click "Log Off" and then "Switch User", there is only one option, my main username, so I'm not sure how to regain administrator access.

CONCLUSION:

I cannot double click on any application to run an install or open a program. I always get the "16-bit MS-DOS Subsystem" error message. Same thing happens when I try to issue a command prompt. I have downloaded several anti-virus programs, but since I cannot run an EXE file, I cannot install or run them. When beginning the D/L process, I have tried both "Run" and "Save As", and through the 2nd option managed to get it to my computer, but the "Run as" function does not work with these programs.

I have read several online fixes for Awola, but none of them refer to the fact that I can't double-click on anything, or that the "16-bit MS-DOS Subsystem" error message comes up any time I try to follow their suggestions. Is this a new development for this virus, and is there a way around it? Is there something I can do different to get Hijackthis to work properly?

Can anyone offer a suggestion for me, either to remove Awola or at the very least get one of these anti-virus program to RUN? I thank you in advance for any assistance.

Mod Edit: Topics merged for continuity ~TMacK

Edited by TMacK, 27 April 2008 - 04:36 PM.


#14 strawberryfields

strawberryfields
  • Topic Starter

  • Members
  • 39 posts

Posted 27 April 2008 - 04:38 PM

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

following the directions here

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

which you can't do

might be able to run a windows repair disk if you had a generic windows disk


I tried posting a new detailed thread on the board that you listed in the quoted post (which is what I think you asked me to do), but it was immediately moved and added to this thread by a mod.

Did I misunderstand what you were suggesting?

Edited by strawberryfields, 27 April 2008 - 04:41 PM.


#15 TMacK

TMacK

  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada

Posted 27 April 2008 - 04:38 PM

Above topic moved from HijackThis Logs and Malware Removal and merged with existing thread.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



