
Infected! Do'h


9 replies to this topic

#1 u01sfa3
  • Members
  • 5 posts

Posted 12 April 2008 - 11:31 AM

Hey guys, this is my first post on this and... any forum! I'm sad to say it's because today I got infected.
I hope you can help me out or point me in the right direction.

I seem to have picked up the following problems:
My desktop has changed to red with a message stating "your privacy is in danger! please download privacy protection software now".
The task manager has been disabled by the "administrator".

I am receiving error messages from xpantivirus and worm.win32.netbooster.
There are pop-ups coming from trustedantivirus.com and advancedcleaner.com.

It's all a bit of a mess really!

What do I need to do to fix it? I've never had a virus before...

Thanks in advance :thumbsup:
Stuart


#2 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,344 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 April 2008 - 10:22 PM

Hello and welcome to BleepingComputer.
Please start with the instructions from our tutorial. Tell us how the PC is running after.

How to remove XPAntiVirus (Removal Instructions)
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 u01sfa3
  • Topic Starter
  • Members
  • 5 posts

Posted 14 April 2008 - 09:58 AM

Hello,

Thanks for the reply.
I followed the instructions for removing XPAntiVirus, but it didn't seem to be on my system... I followed the instructions anyway though.
I then completed a full system scan using panda online. I got the following results:

Summary of your last scan:
4/14/2008 6:27:35 AM Results: 18 viruses or spyware detected.
Suspicious items: 3 suspicious files detected and sent.
Vulnerabilities: 1 vulnerability detected.

I couldn't find an option to delete the suspicious and infected files though. Do I need to buy the full version?

I am now receiving a pop-up from Norton saying I have a "downloader" virus in \localsettings\content.ie5\XP3QjE14\main[1].htm
I get pop-ups from trustedantivirus.com and advancedcleaner.com
There are new icons on my desktop called Error Cleaner, Privacy Protector and Spyware and Malware Protection!

What a mouthful.

I hope to hear from you,
Thanks!
Stuart

#4 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,344 posts
  • Gender:Male
  • Location:NJ USA

Posted 14 April 2008 - 01:55 PM

OK, use these instructions now and let's see.
How to remove Privacy Protector or PrivacyProtector (Removal Instructions)

NEXT:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#5 u01sfa3
  • Topic Starter
  • Members
  • 5 posts

Posted 15 April 2008 - 01:52 PM

Hey,

I followed the instructions to remove privacy protector - it seemed to do a good job!
The results I got from SmitFraudFix are:
SmitFraudFix v2.314

Scan done at 23:07:14.89, 14/04/2008
Run from C:\Documents and Settings\Stu\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
C:\WINDOWS\temlxopqgdk.dll deleted.
C:\WINDOWS\mgsvflkw.dll deleted.
C:\WINDOWS\qdnkewfa.dll deleted.


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\privacy_danger\ Deleted
C:\DOCUME~1\Stu\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Stu\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Stu\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Stu\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Stu\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\Stu\FAVORI~1\Spyware?Malware Protection.url Deleted

IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{83D987D9-D675-4374-B7F4-23662EA366C5}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B76848A1-5C81-4B60-B1ED-181FEB07C59D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83D987D9-D675-4374-B7F4-23662EA366C5}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B76848A1-5C81-4B60-B1ED-181FEB07C59D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{83D987D9-D675-4374-B7F4-23662EA366C5}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B76848A1-5C81-4B60-B1ED-181FEB07C59D}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

I then did the ActiveScan from Panda online:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-15 19:08:58
PROTECTIONS: 2
MALWARE: 28
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton Antivirus 2004 10.00 No No
Windows Defender 1.1.3408.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00101555 Application/KillApp.B HackTools No 0 Yes No C:\hp\bin\KillIt.exe
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@atdmt[1].txt
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Stu\Desktop\SmitfraudFix\Process.exe
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@tradedoubler[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@mediaplex[2].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@www.myaffiliateprogram[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.com.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@ad.yieldmanager[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@serving-sys[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.bs.serving-sys.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@888[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@server.iad.liveperson[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@statse.webtrendslive[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@zedo[1].txt
00172483 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@int.sitestat[1].txt
00172484 Cookie/Cassava TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@int.sitestat[2].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@adviva[2].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Application Data\Mozilla\Firefox\Profiles\amp48tdh.default\cookies.txt[.adviva.net/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@ads.addynamix[2].txt
00517584 Application/SuperFast HackTools No 0 Yes No C:\Documents and Settings\Stu\Desktop\SmitfraudFix\restart.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Stu\Desktop\SmitfraudFix\Reboot.exe
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@advancedcleaner[2].txt
02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@ucleaner[2].txt
02887532 Cookie/XPAntivirusPro TrackingCookie No 0 Yes No C:\Documents and Settings\Stu\Cookies\stu@www.safenavweb[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location E
;===================================================================================================================================================================================
Yes C:\WINDOWS\SYSTEM32\HUDERMHC.EXE E
Yes C:\WINDOWS\SYSTEM32\YAYVTNDU.DLL E
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description E
;===================================================================================================================================================================================
120815 HIGH MS06-022 E
;===================================================================================================================================================================================



Finally the MBAM log:

Malwarebytes' Anti-Malware 1.11
Database version: 633

Scan type: Quick Scan
Objects scanned: 34840
Time elapsed: 10 minute(s), 0 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
C:\WINDOWS\system32\hudermhc.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\xobizodw\tsbclejq.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\yayvTNDU.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\geBqOeCT.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\sjfhlhfw.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{02715e47-5a8e-495b-8f63-0d30470b8e72} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02715e47-5a8e-495b-8f63-0d30470b8e72} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvtndu (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{683d5b09-85c8-4a8d-85cc-368677392d38} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{683d5b09-85c8-4a8d-85cc-368677392d38} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.bvot (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{02715e47-5a8e-495b-8f63-0d30470b8e72} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqwdugsp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\6krlAaUBgU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebqoect -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\yayvTNDU.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtqpqnM.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Mnqpqtwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Mnqpqtwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBqOeCT.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TCeOqBeg.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\TCeOqBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sjfhlhfw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wfhlhfjs.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hudermhc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\xobizodw\tsbclejq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iwvejcbx.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jewxasfa.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uudrwbaa.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stu\Local Settings\Temp\Temporary Directory 2 for Boilsoft_AVI_to_VCD_SVCD_DVD_converter_3.61[1].zip\run.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.

When I start up my computer I now get the error message from RUNDLL:
Error Loading c:\WINDOWS\system32\sjfhlhfw.dll
The specified module could not be found.

Thanks again for your help!:thumbsup:

#6 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,344 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 April 2008 - 09:29 PM

You were pretty heavily infected. Other than the Rundll thing how is it running now?

RUNDLL:Error Loading c:\WINDOWS\system32\sjfhlhfw.dll

This is a common aftereffect of malware removal. Basically the PC is still trying to start the application; that application was the malware. The cleaning has broken the path. It cannot run, and Windows is reporting that the program cannot run. It doesn't know that it was malware.
Do this and it should be cleared up. (Is that << a proper sentence??) :thumbsup:

Download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click HERE if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

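The RUNDLL error boopme explains above (a startup entry that still points at a file MBAM removed) can be spotted mechanically from the MBAM log. The Python below is an added example, not part of this thread or of any of the tools it mentions: it parses a few of the log lines posted above (embedded here as constructed sample input), lists what was only scheduled for deletion at the next boot, and then compares a constructed list of startup entries against the files still on disk. The startup entries, the file list and the registry location of the leftover entry are made up for the example; on a real machine they would come from Autoruns and the filesystem.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the MBAM 1.11 log posted in
# this thread, trimmed to the sections the checks below use.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvtndu (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqwdugsp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\yayvTNDU.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sjfhlhfw.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hudermhc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One MBAM detection line looks like:  <item> (<detection name>) -> <action>.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):  # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)  # "(No malicious items detected)" does not match
        if m and section:
            entries.append(dict(section=section, **m.groupdict()))
    return entries


def family_counts(entries):
    """How many items each detection name accounted for."""
    return Counter(e["family"] for e in entries)


def pending_reboot_items(entries):
    """Items in use while MBAM ran, so only scheduled for removal at the next boot."""
    return [e["item"] for e in entries if e["action"].startswith("Delete on reboot")]


def removed_files(entries):
    """Lower-cased paths of every file MBAM removed or scheduled for removal."""
    return {e["item"].lower() for e in entries if e["section"] == "Files Infected"}


def orphaned_loaders(startup_entries, files_on_disk, removed):
    """Startup entries whose image file is gone: (location, image, reason) tuples.

    An entry whose target was removed by the cleanup but whose registry
    reference survived is exactly what produces a RUNDLL 'Error Loading' box.
    """
    present = {p.lower() for p in files_on_disk}
    result = []
    for location, image in startup_entries:
        if image.lower() in present:
            continue
        reason = "file removed by MBAM" if image.lower() in removed else "file missing"
        result.append((location, image, reason))
    return result


# Constructed picture of the machine after the reboot. The registry location of
# the leftover entry is a placeholder: the thread never shows where the
# sjfhlhfw.dll reference lived, only that something still tried to load it.
STARTUP_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<placeholder-leftover>",
     r"C:\WINDOWS\system32\sjfhlhfw.dll"),
]
FILES_ON_DISK = {r"C:\WINDOWS\system32\ctfmon.exe"}  # the Vundo DLLs are gone after reboot

if __name__ == "__main__":
    entries = parse_mbam_log(SAMPLE_LOG)
    print("detections per family:", dict(family_counts(entries)))
    print("scheduled for deletion at reboot:")
    for item in pending_reboot_items(entries):
        print("  ", item)
    print("startup entries pointing at files that are gone:")
    for location, image, reason in orphaned_loaders(STARTUP_ENTRIES, FILES_ON_DISK,
                                                    removed_files(entries)):
        print("  ", location, "->", image, f"({reason})")
```

The "Delete on reboot" list is the part worth keeping after a cleanup like this one: those are the files the scanner could not touch while they were loaded, so they are the ones to confirm gone after the restart, and the ones most likely to leave a dangling Run or Winlogon\Notify reference behind.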

#7 u01sfa3
  • Topic Starter
  • Members
  • 5 posts

Posted 17 April 2008 - 04:19 PM

Hey,

Thanks for your help. I think it's running pretty smoothly now. I managed to get rid of the startup thing and learned a few things on the way.
I ran Malwarebytes and found one more but cleaned it so it should be gone right?

Malwarebytes' Anti-Malware 1.11
Database version: 633

Scan type: Full Scan (C:\|)
Objects scanned: 147800
Time elapsed: 1 hour(s), 15 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02715e47-5a8e-495b-8f63-0d30470b8e72} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Other than that I just gotta say a huge thank you!!
I'm gonna have to be more careful in the future by the looks of it... :thumbsup:

#8 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,344 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 April 2008 - 05:57 PM

You're welcome, you've done well. You should be good, but there's still a step or two left. We've done so well I just want you to do another scan and get a log, and I think you'll be real good to go. This one will take about an hour.

Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.

#9 u01sfa3
  • Topic Starter
  • Members
  • 5 posts

Posted 06 May 2008 - 12:45 PM

Hey, a pretty late reply but it's good news!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/20/2008 at 02:51 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1434

Scan type : Complete Scan
Total Scan Time : 01:02:09

Memory items scanned : 182
Memory threats detected : 0
Registry items scanned : 7298
Registry threats detected : 0
File items scanned : 35581
File threats detected : 0

It's all just running a bit slow now, the internet particularly. Are there any of these programs you would recommend I do not run at startup?

#10 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,344 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 May 2008 - 07:35 PM

Are there any of these programs you would recommend i do not run at startup?

If you are referring to the tools we've used, then yes, they can ALL be removed from startup as they are not actively running. SmitfraudFix should be uninstalled, as if you ever need it again you will need a new version. SUPER and MBAM will need to be updated each time you want to run them.



