TechSpot

What are awola, winferno, & spydawn?

By marygg
Feb 21, 2008
  1. Computer has the above and errorsafe, mirar, spanblockerutility. Are these malware?
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    pretends to be an anti-spyware application but instead provides exaggerated or fake results of Spyware found on your computer. In order to clean the found items you must purchase the full commercial version of the software. These false results are actually used as a scare tactic to have you purchase their software. It goes without saying that you should not purchase this software.

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt


    Download\install 'SuperAntiSpyware Home Edition Free Version' from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.

      It's possible that the program will ask you to reboot in order to delete some files.

      Obtain the SuperAntiSpyware log as follows:
      Click on 'Preferences'.
      Click on the 'Statistics/Logs' tab.
      Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
      It will then open in your default text editor, such as Notepad.
      Attach the notepad file here on your next reply

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2). It can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
      ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than those specified in the directions, including AnalyzeThis!***


    Please post the logs as attachments by using the paperclip ICON above your next reply
     
  3. marygg

    marygg TS Booster Topic Starter Posts: 121

    The three logs are attached. Thanks for your help.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    *Remove this post please (duplicate)
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    you may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://forums.subratam.org/index.php?act=Attach&type=post&id=43811
    http://swandog46.geekstogo.com/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

    • R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://sorgate.com/gatevc.php?pn=srch0p1total7s2
      O2 - BHO: DeskalertsBHO - {E61B9B49-2001-4b8a-97EB-F1128224DCE3} - C:\Program Files\DeskAlerts\deskbar.dll
      O4 - HKCU\..\Run: [wzif] C:\PROGRA~1\COMMON~1\wzif\wzifm.exe
      O4 - HKCU\..\Run: [Else More] C:\DOCUME~1\MARIOA~2\APPLIC~1\TOOLFI~1\BurnBitsBib.exe
      O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Mario Amezcua_2\Application Data\Awola\Awola.exe" /MIN
      O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm231YYUS
      O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.166 85.255.112.151
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.112
      O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.112
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.112
      O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
      O20 - Winlogon Notify: pwewoaob - pwewoaob.dll (file missing)
      O21 - SSODL: E404Helper - {a08a6db8-9fcf-4d98-993e-1535f43955dd} - e404d.dll (file missing)

    Click Fix Checked. Close HijackThis, and click OK to proceed.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
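
An added example, not part of the original post or of any tool named in the thread: a small Python triage pass over HijackThis entries like the ones listed above. The sample lines are copied from that post; the three review heuristics (autoruns launched from a user profile, "(file missing)" leftovers, NameServer values that differ between control sets) are assumptions of this example, meant to sort a log for manual review rather than decide what to fix.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: DeskalertsBHO - {E61B9B49-2001-4b8a-97EB-F1128224DCE3} - C:\Program Files\DeskAlerts\deskbar.dll
O4 - HKCU\..\Run: [wzif] C:\PROGRA~1\COMMON~1\wzif\wzifm.exe
O4 - HKCU\..\Run: [Awola] "C:\Documents and Settings\Mario Amezcua_2\Application Data\Awola\Awola.exe" /MIN
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.166 85.255.112.151
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.131 85.255.112.112
O20 - Winlogon Notify: pwewoaob - pwewoaob.dll (file missing)
"""

# "<section code> - <detail>", e.g. "O4 - HKCU\..\Run: [name] command"
ENTRY = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.+?)\s*$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
DNS = re.compile(r"^HKLM\\System\\(\w+)\\Services\\Tcpip\\Parameters: NameServer = (.+)$")
# Long and 8.3 short forms of the per-user Application Data folder.
USER_DIR = re.compile(r"\\(Application Data|APPLIC~\d)\\", re.I)

def parse_entries(text):
    """Return (section_code, detail) pairs; non-entry lines are skipped."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def triage(text):
    """Group entries by review heuristic (this example's own, not HJT's)."""
    notes = defaultdict(list)
    for code, detail in parse_entries(text):
        if detail.endswith("(file missing)"):
            notes["orphaned"].append((code, detail))
        if code == "O4" and (m := RUN.match(detail)):
            hive, _key, name, cmd = m.groups()
            if USER_DIR.search(cmd):
                notes["autorun_from_profile"].append((hive, name))
        if code == "O17" and (m := DNS.match(detail)):
            notes["dns"].append((m.group(1), tuple(m.group(2).split())))
    return dict(notes)

def dns_sets_disagree(notes):
    """True when control sets do not all carry the same NameServer list."""
    return len({servers for _, servers in notes.get("dns", [])}) > 1

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, items in result.items():
        print(kind, items)
    print("control sets disagree:", dns_sets_disagree(result))
```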
     
  6. marygg

    marygg TS Booster Topic Starter Posts: 121

    The HijackThis and FixWareout are attached.
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Print out or at least write down the folders and files listed below

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Use Windows Explorer to navigate to and delete the following files:
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E

    Folders:

    • C:\Program Files\DeskAlerts\ <-This folder only
    • C:\Program Files\COMMONFiles\wzif <-This folder only
    • C:\Documents and Settings\Mario Amezcua_2\Application Data\TOOLFI~1 <-This folder only
    • C:\Documents and Settings\Mario Amezcua_2\Application Data\Awola <-This folder only
    • C:\Program Files\RcvSystem <-This folder only

    After deleting the above Go to Start, click Search, click All files and folders, and then click More advanced options. Click the check boxes to Search system folders and Search hidden files and folders.

    In the search box for All or part of the file name please type
    Awola.exe and delete all instances
    Spydawn and delete all instances
    BurnBitsBib.exe and delete all instances
    wzifm.exe and delete all instances
    deskbar.dll and delete all instances

    Reboot the computer into Normal Mode
    -------------------------------------------------------------------------------------------------------
    And just to be sure we got everything

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt


    In your next reply
    Hijackthis log
    Combofix log
     
  8. marygg

    marygg TS Booster Topic Starter Posts: 121

    HijackThis and ComboFix logs are attached.
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You are doing great. There were a lot of infections on there. Still some left.

    Please download VundoFix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
    -------------------------------------------------------------------------------------------------------
    Re-scan with Hijackthis and attach log
     
  10. marygg

    marygg TS Booster Topic Starter Posts: 121

    Here is the new hijack this.
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, that got a few more off there.

    Please Reboot into Safe Mode by tapping F8 before windows loads, select safe mode, and press enter

    Go to start -> control panel -> add/remove programs

    Remove/Uninstall the following if there:
    My Web Search
    ErrorSafe Free
    Windows Plus


    *In your next reply let me know which of these were there.
    ---------------------------------------------------------------------------------------------------------
    While still in Safe Mode, Do a scan with Hijackthis and put a check next to the following if there:

    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\7.bin\m3SrchMn.exe" /m=2 /w
    O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
    O4 - HKLM\..\Run: [UERScw] C:\Program Files\ErrorSafe Free\UERScw.exe -c
    O4 - HKLM\..\Run: [hosyc] C:\Program Files\Windows Plus\hosyc77798.exe
    O4 - HKLM\..\Run: [843936ad] rundll32.exe "C:\WINDOWS\system32\qinfrptm.dll",b


    Select Fix checked

    Close Hijackthis for now.

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.


    Use Windows Explorer to navigate to and delete the following files:
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E

    Files:
    C:\WINDOWS\system32\qinfrptm.dll <-This file only

    Folders:
    C:\Program Files\Windows Plus <-This folder only
    C:\PROGRAM Files\MYWEBSearch <- This folder only
    C:\Program Files\ErrorSafe Free<-This folder only

    Reboot the computer into Normal Mode. Run a scan with HijackThis and save a log to attach here.
     
  12. marygg

    marygg TS Booster Topic Starter Posts: 121

    My Web Search - ERROR LOADING C:\PROGRA~1\MYWEBS~1\bar\7.bin\mwsbar.dll
    No ErrorSafe
    No WindowsPlus

    Of the last four only Windows Plus was there to delete.

    HijackThis scan attached.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Go to Start, click Search, click All files and folders, and then click More advanced options. Click the check boxes to Search system folders and Search hidden files and folders.

    In the search box for All or part of the file name please type mwsbar
    If any instances are shown Delete them.
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    If you have no other problems your logs look clean:

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 4
    • The 4th option down is the one you want
    • After the download locate and double click the installer jre-6u4-windows-i586-p-iftw.exe
    • Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions except Java 6 Update 4

    You can go to Start -> Run -> type in Combofix /u
    -This will uninstall Combofix
    -Rehides hidden and system files
    -Removes VundoFix backups and Combofix quarantine
    -Creates a new fresh restore point.

    You can remove Hijackthis from add/remove programs
    You can delete smitfraudfix and fixwareout from the desktop

    I didn't see spybot S & D in your log. I recommend you get it and follow these instructions

    Spybot Search and Destroy
    • Download and install the latest version of Spybot - Search & Destroy (currently 1.5.2) (If you already have this version please open it, update, immunize, and Check for problems under search and destroy)
    • When you have downloaded the program, double click on the downloaded file to start the installation. Follow the default selections, agreeing to the user agreements, and pressing the Next button until you get to the Select Additional Tasks screen.
    • Make sure that the last entry ("Use system settings protection (Tea Timer)") IS checked.
    • Press the Next button and then the Install button to start the installation process
    • Check Run Spybot S&D press Finish. Spybot - S&D will now start
    • The first screen asks if you want to backup your registry in order to be able to restore from it in the future. This can cause no harm, so it is a worthwhile task to do. You should click on the Create registry backup button
    • Click on the Search for updates button. If updates are available then select the Download all available updates button
    • When the updates are installed click on the Next button
    • You should now click on the Immunize this system button. When it finishes click on Next button
    • Then click on the button labeled Start using this program to begin using Spybot - Search & Destroy
    • For help with any problems please see this guide Spybot tutorial
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Now, if you would like to speed up how fast your computer boots up. Follow below

    Through Spybot S&D: go to Mode and select Advanced. Then expand Tools in the left pane, double-click System Startup, and uncheck items that don't need to be started every time you turn on your computer. If you don't know what something is you can post here or google for it. Don't uncheck anything in green.
     
  14. marygg

    marygg TS Booster Topic Starter Posts: 121

    Blind Dragon: Thanks for your help. Computer is fixed.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You are very welcome marygg.

    If you have any more problems please post in this thread

    Regards ;)

    BD


    The instructions given in this thread were for the use of marygg only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
