0

Well, this popup has been happening for a few days. It reads:
"The application or DLL C:\WINDOWS\system32\jozebohu.dll is not a valid Windows image. Please check this against your installation diskette."

There was more but Norton took care of it (I think). It was a fake Windows program that told us to buy an antivirus from them and obviously wanted our credit card numbers.

Now I cannot run any other programs besides internet and Norton. I try to open it and it tells me to choose how to open it, and I can't find anything that will actually open it.
It says something about it not being able to be opened because it has been damaged or something.

So I can't run MalwareBytes or anything like that. I'm not sure what to do.

Umm, the main problem at the moment is I can't open anything but internet because it says something like: choose how to open this file. It gives me a bunch of options such as Internet Explorer and Adobe, and nothing will actually open it; it says it's damaged for everything.

0

Ok so I figured out how to run Malwarebytes Antimalware. I had to browse and go to that specific program. So it's scanning now and I will post results if needed.

0

By all means definitely post the MBA-M log. Be sure to have it Remove all found and Reboot.
Post back here with the log. I will watch for it.

0

Malwarebytes' Anti-Malware 1.44
Database version: 3767
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/20/2010 1:02:58 PM
mbam-log-2010-02-20 (13-02-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 271105
Time elapsed: 1 hour(s), 58 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ba40a2-74f0-42bd-f434-00b15a2c8953} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my web search bar search scope monitor (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jozebohu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seburehi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senisefe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\ncuiiog.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\cohppuec.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\mswintmp.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Everything seems to be working fine now. I think that did the trick. I will keep running scans all week to ensure nothing else occurs :).
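An added example (not part of the thread and not Malwarebytes' own tooling): a small Python parser for the result lines of the log posted above. It lists entries still marked for removal at reboot and the settings whose value was reset, such as the `.exe` entry changed from `secfile` back to `exefile`. The line format is inferred from this log only, and the names `parse_results` and `triage` are hypothetical.

```python
import re
from collections import Counter

# Result lines copied from the log posted above (a subset of it).
SAMPLE_LOG = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jozebohu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\ncuiiog.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

# Assumed line shape: <object> (<detection>) [-> Bad: (x) Good: (y)] -> <action>.
LINE_RE = re.compile(
    r"^(?P<object>.+?) \((?P<detection>[A-Za-z][\w.]*)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$"
)

def parse_results(log_text):
    """Return one dict per detection line; headers, counts and blanks are skipped."""
    items = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items

def triage(items):
    """Summarise what still needs attention after the scan."""
    return {
        "by_detection": Counter(i["detection"] for i in items),
        # Not removed yet: these entries only go away after the reboot.
        "pending_reboot": [i["object"] for i in items if "reboot" in i["action"].lower()],
        # Settings that had been changed, as (bad value, restored value).
        "settings_reset": {i["object"]: (i["bad"], i["good"])
                           for i in items if i["bad"] is not None},
    }

if __name__ == "__main__":
    report = triage(parse_results(SAMPLE_LOG))
    print("Pending reboot:", report["pending_reboot"])
    for obj, (bad, good) in report["settings_reset"].items():
        print(f"Reset {obj}: {bad} -> {good}")
```
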

0

Based on items noted in the MBA-M scan you should do the following:
First, uninstall the My Web Search option from Add/Remove Programs.

1) Click on Start, Settings, Control Panel

2) Double click on Add/Remove Programs

3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it. You may also want to uninstall any of the following items associated with FunWebProducts.

* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way

4) Reboot your Computer

There is a very good chance that what was found by MBA-M may not be all of it. Please also do the ESET Online Scanner; you will have to turn off your AV program and also run the scan from Internet Explorer and have it remove all that is found.
Reboot. Then run HiJackThis and post both logs here.
