I have the "skfjkhcdecsh.com" virus


11 replies to this topic

#1 procharlie

Posted 25 March 2009 - 01:50 PM

Help! I have an eMachines laptop with Windows XP. A while ago I started getting the "Warning! You have a security problem" bubble, and also the Explorer window that wanted to take me to the skfjkhcdecsh.com site, and the apparent scanning of my computer with results showing a bunch of viruses detected, etc., that are all apparently associated with a particular virus I had picked up. I did some searching about viruses and found others have the same problem, and a suggestion to run a virus removal program, which I did, but it didn't solve the problem. (I can't get into my laptop now - see below - so I'm not sure which program I ran, but I think it was Malwarebytes.) Up to this time it was more a nuisance than anything else.
Then I apparently made a big mistake: when I powered up again later I got a notice about an available update to Java and decided to download it. But after that, when I restarted, my computer now will not let me log in. As soon as I log on, it says uploading my settings, but then immediately says "logging off", and I can get no further. I tried logging on as a guest but got the same result. Then I tried powering up in safe mode, and got to the login screen, and tried to log in as administrator, but again same result: as soon as I logged in, it logged me off. So now I can't even get back to running Windows to try to clean it up.

Any help is appreciated.
Charlie


#2 Budapest

Posted 25 March 2009 - 05:46 PM

Insert the Windows XP CD into the CD drive, and then restart the computer. Click to select any options that are required to start the computer from the CD drive if you are prompted. When the "Welcome to Setup" screen appears, press R to start the Recovery Console. If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

Type: chkdsk /r

It's important to have a space before the "/".

To exit the Recovery Console and restart the computer, type exit at the command prompt, and then press ENTER.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Willy0045

Posted 26 March 2009 - 06:02 PM

I have the same problem with skfjkhcdcsh.com linked to spywareprotectiontool.com, virus remover2009, advancesoftwaretool.com and the red blob with the white X in the taskbar which pops up with the message "you have a security problem."
The Norton forum site has come up with the following info today:- The rogue 'antivirus' installer is now detected as VirusRemover 2008, a misleading application (aka scareware). Rapid release definitions were published less than an hour ago ( 09:45:05 PDT). However they are not applicable to 2009 product line.

If you install this software your personal details will be taken with potentially dangerous results. The trojan horse warnings are bogus to get you to buy the software but my AVG antivirus package classifies it as "Rogue Spyware Scanner". Please let me know if your reboot with the Windows CD works as I tried to restore to a previous back up point and the calendar buttons are not accessible and I can't even go back to Feb to restore. I presume the malware has disabled my restore function. I am running XP pro SP3.

#4 Willy0045

Posted 26 March 2009 - 07:19 PM

I now find I have 2 trojan horses in "C:\WINDOWS\system32\userinit.exe";"Trojan horse Agent2.AZU". I can't delete this file because it is a system file.
Avira antivirus doesn't find it and neither does Malwarebytes' Anti-Malware. AVG continues to block the promo pop ups but the problem continues!

#5 Budapest

Posted 26 March 2009 - 07:21 PM

Willy0045 said:
> I now find I have 2 trojan horses in "C:\WINDOWS\system32\userinit.exe";"Trojan horse Agent2.AZU". I can't delete this file because it is a system file.
> Avira antivirus doesn't find it and neither does Malwarebytes' Anti-Malware. AVG continues to block the promo pop ups but the problem continues!

Uninstalling and then reinstalling SP3 should solve the userinit.exe problem.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#6 procharlie

Posted 20 April 2009 - 06:59 PM

I am finally back from a trip and still trying to get my laptop going. I tried to boot from a CD, but the only CD I have is a Reinstallation CD for Windows XP Pro, which I used. I started from the CD, went through a recovery process (it apparently took me back to the original installation point). When I tried to reboot after going through the recovery process, when I got to Windows Setup it asked where I wanted to set up from and it only gave me the choice of using the C: drive, which I did. I didn't do a reinstallation because it told me I could lose everything I have on the hard drive, which I didn't want to do just yet.
All this didn't help; I still get logged out as soon as I log in, so no better than before. I'm getting discouraged. :thumbsup:

#7 Budapest

Posted 20 April 2009 - 07:07 PM

We will have to create a small 'fix CD' to solve this problem.
Please download RC.ISO and save it somewhere you can find it.
Also download MagicISO and install it.

Start MagicISO. You should see a window informing you about the full version of MagicISO.
In the bottom right select Try It! and the program will open.
Click on File and then on Open and navigate to the RC.ISO file you downloaded. Select it, and click Open.

First, we'll need to add a clean version of userinit.exe to the current RC.ISO
  • In the upper right pane, double click on the i386 folder.
  • Right click in the upper right pane and select Add Files...
  • Navigate to C:\Windows\System32 and select userinit.exe
  • Then click Open to add userinit.exe to the CD image.
  • Click File and select Save As...
  • Name the file RCplus and save it somewhere you can find it.

Next, we'll need to burn the newly created image to a disk that we can use to fix the problem.
  • Put a blank CD-R disk in your CD burner and close the tray. If an AutoPlay window opens, close it.
  • Click on Tools and select Burn CD/DVD with ISO.... A window will appear.
  • Click on the little folder to the right of CD/DVD Image File then navigate to the newly created RCplus.iso Image file and click Open.
  • In the CD/DVD Writing Speed drop-down menu choose the 8X setting.
  • Under Format make sure that Mode 1 is selected.
  • And finally, click on the Burn it! button to burn RCplus.iso to disk.

Once the disk is burned, put it in the machine you want to fix and restart it.
Boot to the CD just as you would with a Windows XP disk.
At the Welcome to Setup screen, press R to enter the Recovery Console.
Choose the installation to be repaired by number (usually 1) and press Enter.
When you are asked for the Administrator password, enter the password or leave it blank (default) and press Enter.

At the C:\Windows> prompt, type the following commands pressing Enter after each one. Note: Watch the spaces.

D:
cd i386
copy userinit.exe c:\windows\system32
exit

After putting in the third command, you should receive the message 1 file copied which will indicate that the operation succeeded.
Now take out the CD and reboot your computer to normal mode. Try to log in and it should let you back in.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
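
Added example, not part of the original posts and not code from the thread's participants: the fix above only works if the userinit.exe placed on the CD is itself a clean i386 build. This Python script compares the file destined for the CD with a second copy you trust; the function names and the constructed sample bytes are assumptions for illustration.

```python
import hashlib
import struct

I386 = 0x014C  # IMAGE_FILE_MACHINE_I386, what a file in the CD's i386 folder should be

def pe_summary(data):
    """Return machine type, link timestamp and SHA-256 of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, _sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": machine, "timestamp": timestamp,
            "sha256": hashlib.sha256(data).hexdigest()}

def check_replacement(candidate, reference):
    """Compare the file destined for the fix CD with a trusted reference copy.
    Returns a list of problems; an empty list means the two copies agree."""
    try:
        cand = pe_summary(candidate)
    except ValueError as exc:
        return [f"candidate: {exc}"]
    ref = pe_summary(reference)
    problems = []
    if cand["machine"] != I386:
        problems.append(f"candidate is not an i386 image (machine=0x{cand['machine']:04x})")
    if cand["timestamp"] != ref["timestamp"]:
        problems.append("link timestamp differs from the reference (different build)")
    if cand["sha256"] != ref["sha256"]:
        problems.append("SHA-256 differs from the trusted reference copy")
    return problems

def constructed_pe(machine=I386, timestamp=0x12345678, body=b"\x90" * 32):
    """Constructed sample: a minimal MZ + PE header, not a real userinit.exe."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0xE0, 0x010F)
    return dos + coff + body

if __name__ == "__main__":
    reference = constructed_pe()
    print(check_replacement(constructed_pe(), reference))                   # identical copy
    print(check_replacement(constructed_pe(body=b"\xcc" * 32), reference))  # altered body
    print(check_replacement(b"not an executable", reference))               # wrong file type
```

With real files, read both copies in binary mode and pass the bytes to check_replacement before adding the file to the ISO.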

#8 procharlie

Posted 20 April 2009 - 08:32 PM

I got as far as making the RCplus.iso file but it looks like the userinit.exe file is not in the System32 folder, but instead it is in the i386 folder, same level as the System32 folder. Is that correct, or should the userinit.exe file be in the System32 folder? There are apparently only 2 files in the System32 folder: NTDLL.DLL and SMSS.EXE.

#9 Budapest

Posted 20 April 2009 - 08:34 PM

I believe that they mean the System32 folder on the computer you are currently using.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#10 procharlie

Posted 20 April 2009 - 09:33 PM

I don't know how to get the infected computer to boot from the RCplus.iso CD. Do I press a button during startup to get it to ask me if I want to boot from the CD?

#11 Budapest

Posted 20 April 2009 - 09:47 PM

When you first turn on the computer and the BIOS screen shows up, is there a notice saying something like "Press any key to boot from a CD"? You need to watch the screen closely because sometimes these types of messages only flash up for a short time.

Otherwise you might want to check the boot order in the BIOS.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#12 procharlie

Posted 21 April 2009 - 02:05 PM

I wasn't able to see any message like that; tried to hit a couple of keys during startup but no luck. I have to go out of town for a while for a family emergency, will try to work on this while I am gone, but will get back with you ASAP, just don't know when that will be.



