
Vundo Troubles



#1 ryangle


Posted 22 June 2008 - 08:02 PM

Hi there,

I recently got a trojan.vundo attack and managed to cure it such that it doesn't show up in virus or spy-ware scans, but every time I start up the computer, Windows shows a message that it can't load the module "C:\Windows\system32\sSMfGawu.dll".

Nothing appears to be wrong with my computer except that every time I start up I get that message. I ran VundoFix V7.0.6 which found sSMfGawu.dll but doesn't seem to fix it as every time I run the program it finds the dll and still gives me the message every time I start up the computer. I can't find it in the system32 file, which leads me to believe that my Antivirus software (Norton) found the dll and deleted it, but I don't know how to stop the computer from attempting to load it since my Antivirus says there are no problems.

I ran the Vundobegone program which couldn't find anything. Here was the output...

[06/23/2008, 17:16:59] - VirtumundoBeGone v1.5 ( "C:\Users\Ryan\Desktop\VirtumundoBeGone.exe" )
[06/23/2008, 17:17:02] - Detected System Information:
[06/23/2008, 17:17:02] - Windows Version: 6.0.6001, Service Pack 1
[06/23/2008, 17:17:02] - Current Username: Ryan (Admin)
[06/23/2008, 17:17:02] - Windows is in SAFE mode.
[06/23/2008, 17:17:02] - Searching for Browser Helper Objects:
[06/23/2008, 17:17:02] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (SnagIt Toolbar Loader)
[06/23/2008, 17:17:02] - BHO 2: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[06/23/2008, 17:17:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/23/2008, 17:17:02] - No filename found. Continuing.
[06/23/2008, 17:17:02] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/23/2008, 17:17:02] - BHO 4: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} ()
[06/23/2008, 17:17:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/23/2008, 17:17:02] - Checking for HKLM\...\Winlogon\Notify\coIEPlg
[06/23/2008, 17:17:02] - Key not found: HKLM\...\Winlogon\Notify\coIEPlg, continuing.
[06/23/2008, 17:17:02] - BHO 5: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} (Symantec Intrusion Prevention)
[06/23/2008, 17:17:02] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/23/2008, 17:17:02] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/23/2008, 17:17:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/23/2008, 17:17:02] - No filename found. Continuing.
[06/23/2008, 17:17:02] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/23/2008, 17:17:02] - BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/23/2008, 17:17:02] - BHO 10: {AC41D38F-B56D-40AD-94E0-B493D130C959} (CmjBrowserHelperObject Object)
[06/23/2008, 17:17:02] - Finished Searching Browser Helper Objects
[06/23/2008, 17:17:02] - Finishing up...
[06/23/2008, 17:17:02] - Nothing found! Exiting...



Any ideas on how to stop my computer from searching for that dll?

Thanks,
Ryan

Edited by Orange Blossom, 22 June 2008 - 09:45 PM.
Move to more appropriate forum. ~ OB



#2 boopme


Posted 22 June 2008 - 10:02 PM

Hi, this is a common occurrence after killing malware like Vundo. It is probably an orphaned registry link. Windows is trying to run the application (was malware); it can't, as the remedy has broken the path. Windows only knows it cannot run something and reports that. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click HERE if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
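A report-only check for the kind of orphaned entry described in the reply above, as an added example that is not part of the thread or of any tool it mentions. It assumes the reference sits in a Run key or a Browser Helper Object registration (the two places the posted log and error point to); the function names are hypothetical, and nothing is deleted.

```powershell
# Added example: list autostart references whose target file is gone.
function Get-ReferencedPaths([string]$Command) {
    # Pull every drive-qualified .dll/.exe path out of a launch string,
    # e.g. rundll32.exe "C:\Windows\system32\example.dll",EntryPoint
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    $pattern  = '[A-Za-z]:\\[^"*?<>|,:]+?\.(dll|exe)(?=$|["\s,])'
    [regex]::Matches($expanded, $pattern, 'IgnoreCase') | ForEach-Object { $_.Value }
}

function New-Finding($Location, $Entry, $Target, $Problem) {
    [pscustomobject]@{ Location = $Location; Entry = $Entry; Target = $Target; Problem = $Problem }
}

function Find-OrphanedAutostarts {
    # 1. Run keys: values whose launch string names a file that no longer exists.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            foreach ($path in Get-ReferencedPaths ([string]$item.GetValue($name))) {
                if (-not (Test-Path -LiteralPath $path)) {
                    New-Finding $key $name $path 'file not found'
                }
            }
        }
    }
    # 2. BHOs: CLSIDs with no InprocServer32 key, or one that names a missing DLL.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bhoKey) {
        foreach ($bho in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid  = $bho.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $server)) {
                New-Finding $bhoKey $clsid $null 'no InprocServer32 registered'
                continue
            }
            $dll = [string](Get-Item -LiteralPath $server).GetValue('')
            foreach ($path in Get-ReferencedPaths $dll) {
                if (-not (Test-Path -LiteralPath $path)) {
                    New-Finding $bhoKey $clsid $path 'file not found'
                }
            }
        }
    }
}

Find-OrphanedAutostarts | Format-Table -AutoSize
```

On 64-bit Windows, run it from a 64-bit PowerShell so that system32 paths are not redirected. Autoruns inspects many more startup locations than these two, so an empty result here does not rule out an orphaned entry elsewhere.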



