Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

sfsp.cfo Error message - trojan?


  • Please log in to reply
16 replies to this topic

#1 Burtdaboy

Burtdaboy

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 26 November 2009 - 11:51 AM

Hey!

I'm new here and a friend said you guys are all great so here goes!

On startup I'm getting this error message:

'RUNDLL

Error loading sfsp.cfo

The specified module could not be found.

[OK]'

A simple google search seems to identify this as a trojan horse. I wasn't sure whether to follow the advice of this forum thread: http://www.spywareremovalblog.com/forums/s...hread.php?p=810

I understand it could just be a registry thing but...

Even though the computer is a few years old it's running very slowly, even though there are a limited about of programs installed.

I'm using XP Home Edition Version 2002, Service Pack 3

I have AVG Free 8.5 and the google search also brings up this which could be interesting: http://forums.avg.com/us-en/avg-free-forum...ow&id=42757

I also have Ad-Aware, Spybot-Search and Destroy

I hope this info helps. Thanks a lot in advance.

Burt

BC AdBot (Login to Remove)

 


#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:48 PM

Posted 26 November 2009 - 12:34 PM

Getting that message at startup...probably means that there is startup pointer to a missing file. If you have removed such item from your system (regardless of whether or not it was malware), it's quite possible that the pointer (which is harmless) still remains.

The way that I would check: Download/install/run the Autoruns program.

Go to the Logon tab of Autoruns...this tab will list the primary group of startup items which we should be conccerned with. Scan the list of items...if you see a candidate that likely/surely refers to the module defined as missing...disable it.

Reboot the system.

If message no longer appears, you know you disabled the correct item. You may then leave it disabled or remove it (my choice because it has no redeeming value).

If none of this helps, we'll try something else :thumbsup:.

Louis

#3 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:08:48 PM

Posted 26 November 2009 - 12:56 PM

Keeping in mind the possibility of a previous virus or malware infection, you should scan your hard disks and portable disks for virus or malware etc.

Without bashing AVG unnecessarily, I would recommend you to install avast! or Avira free anti-virus instead, update it and perform a full computer scan.
Also BC HJT team no longer recommends Ad-Aware or S & D for the reason that these software are not as effective now as they once were. They now recommend Malwarebyte's Anti-malware (MBAM). So you should install MBAM, update it and perform a full scan.

#4 Burtdaboy

Burtdaboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 26 November 2009 - 02:26 PM

Thanks for the quick response!

Will change to Avira Free and Malwarebyte's Anti-malware now and scan with both.

In Autoruns I found 'rundll32.exe'. I also found 'sfsp.cfo' which Image Path says, 'File not found: sfsp.cfo'.

I unticked both.

Having restarted I'm now getting this message:

'sfsp.cfo

Windows cannot find sfsp.cfo. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

[OK]'

I then right-clicked and deleted both in Autoruns and I now get the same message with 'beforegttav' at the top.

In Autoruns 'beforegttav' is there. Shall I untick/delete this too?

Thanks in advance again!

#5 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:48 PM

Posted 26 November 2009 - 02:45 PM

http://www.superantispyware.com/malwarefiles/SFSP.CFO.html

If you haven't already, I suggest trying SUPERAntiSpyware and Malwarebytes (as suggested by Romeo29) permanently.

Yes, delete that as well...it appears to be linked to the malware item mentioned.

Louis

#6 Burtdaboy

Burtdaboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 27 November 2009 - 11:46 AM

Hey all!

Thanks again for all your help.

I deleted 'beforegttav' from Autoruns and now nothing comes up at startup - yay!

I just finished scanning with SuperAntispyware and it found 2 Adware Tracking Cookes, 1 Trojan Agent/Gen and 3 Trojan Agent/Gen-Droppers.

Hopefully it'll run faster now.

One quick last question: on my other computer (Vista) I've installed Avira Free on your advice. Do I still need Kapersky Internet Security or is Avira sufficient?

Thanks again!

#7 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:48 PM

Posted 27 November 2009 - 01:01 PM

Well...it's a matter of choice.

An Internet Security program...includes both a firewall and an AV program, while Avira AntiVir Personal is an AV program only. I run Avira Free with the Sunbelt Free Firewall (formerly Kerio Free) and I think it's a pretty good combination available to those who want to run a 3d-party firewall (as opposed to the XP/Windows firewall).

Louis

#8 Burtdaboy

Burtdaboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 27 November 2009 - 03:29 PM

So this combination is good?

Avira AntiVir Personal
SUPERAntiSpyware
Sunbelt Free Firewall

#9 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:48 PM

Posted 27 November 2009 - 04:04 PM

I would/do add Malwarebytes to those programs for security...in addition to installation of all XP critical updates.

I don't have a problem with malware, using these steps, thus I assume the same steps will work for anyone.

Louis

Edited by hamluis, 27 November 2009 - 04:04 PM.


#10 Burtdaboy

Burtdaboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 27 November 2009 - 04:44 PM

Great. Thanks Louis.

I've installed Sunbelt and desabled Kapersky - I'm getting Windows Security alerts telling me It's not safe.

Should I have both Windows and Sunbelt firewalls running?

How do I get Windows security centre to recognise Sunbelt is running?

#11 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:48 PM

Posted 27 November 2009 - 05:10 PM

Installing the Sunbelt firewall...should have automatically disabled the Windows/XP firewall.

(Yesterday, I installed it on the system (I have two) where I had been running the XP firewall...it disabled the XP firewall and I received no alerts of any type).

You can check the status of the XP firewall by clicking on the Security Center icon at Control Panel. My system also detects the Sunbelt firewall and reflects this in the Control Panel/Security Center window.

Louis

#12 Burtdaboy

Burtdaboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 27 November 2009 - 06:19 PM

I just uninstalled Kapersky and Windows Security Centre recognised Sunbelt. Good good.

Thanks a lot everyone for your help.

Burt

#13 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:48 PM

Posted 27 November 2009 - 08:39 PM

Happy computing :thumbsup:.

Louis

#14 Burtdaboy

Burtdaboy
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:48 AM

Posted 29 November 2009 - 05:51 AM

Sorry! One last quick thing...

Windows is blocking MalwareBytes on startup. I've clicked 'Show or Remove Blocked Startup Programs' but next to Malwarebytes it says 'Permitted'

I can click 'Run Blocked Program' each time but I wondered if there's a way to unblock it permanently?

Thanks!

#15 hamluis

hamluis

    Moderator


  • Moderator
  • 55,727 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:08:48 PM

Posted 29 November 2009 - 09:38 AM

<<Windows is blocking MalwareBytes on startup. I've clicked 'Show or Remove Blocked Startup Programs' but next to Malwarebytes it says 'Permitted'>>

I have no idea what you are referring to...when do you get this message, where are you seeing this list of programs?

I've never known Windows XP to block any startups unless directed to do so by user or some program.

What you describe...seems to be a Vista feature, http://www.askvg.com/how-to-remove-windows...-windows-vista/

Louis




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users