Malware

Rob T

I've been getting a strange message on two of my computers each time they're
restarted (WXP Pro SP3). In the title bar of the message is the word
"Sandboxie". The body reads, "This program will not run in sandboxie.
Please close sandboxie first."

I don't have sandboxie installed, nor can I find any trace of it in my
computers. I contacted Ronen Tzur, the developer of sandboxie, and he sent
me a link to his blog page that shows several other users with that same
message, and they indicate that it's a piece of malware. I downloaded the
latest Windows Malicious Software Removal tool, ran the Full Scan and came up
empty. Does anyone have any ideas on what this is and how to get rid of it?
 
Shenan Stanley

Rob said:
I've been getting a strange message on two of my computers each
time they're restarted (WXP Pro SP3). In the title bar of the
message is the word "Sandboxie". The body reads, "This program
will not run in sandboxie. Please close sandboxie first.

I don't have sandboxie installed, nor can I find any trace of it in
my computers. I contacted Ronen Tzur, the developer of sandboxie,
and he sent me a link to his blog page that shows several other
users with that same message, and they indicate that it's a piece
of malware. I downloaded the latest Windows Malicious Software
Removal tool, ran the Full Scan and came up empty. Does anyone
have any ideas on what this is and how to get rid of it?

Download and install and run MalwareBytes.
 
David H. Lipman

From: "Rob T"

| I've been getting a strange message on two of my computers each time they're
| restarted (WXP Pro SP3). In the title bar of the message is the word
| "Sandboxie". The body reads, "This program will not run in sandboxie.
| Please close sandboxie first.

| I don't have sandboxie installed, nor can I find any trace of it in my
| computers. I contacted Ronen Tzur, the developer of sandboxie, and he sent
| me a link to his blog page that shows several other users with that same
| message, and they indicate that it's a piece of malware. I downloaded the
| latest Windows Malicious Software Removal tool, ran the Full Scan and came up
| empty. Does anyone have any ideas on what this is and how to get rid of it?
| --
| Rob Taylor

The MRT is a limited target list anti-malware on-demand scanner.

You need a broad spectrum anti-malware scanner.

Start with MBAM as Shenan Stanley advised and see what that does for you.
 
nass

Rob T said:
I've been getting a strange message on two of my computers each time they're
restarted (WXP Pro SP3). In the title bar of the message is the word
"Sandboxie". The body reads, "This program will not run in sandboxie.
Please close sandboxie first.

I don't have sandboxie installed, nor can I find any trace of it in my
computers. I contacted Ronen Tzur, the developer of sandboxie, and he sent
me a link to his blog page that shows several other users with that same
message, and they indicate that it's a piece of malware. I downloaded the
latest Windows Malicious Software Removal tool, ran the Full Scan and came up
empty. Does anyone have any ideas on what this is and how to get rid of it?

Did you look in the Add/Remove Programs for any third-party Apps that look
unfamiliar and uninstall them?


Go through these Cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then try to disable the Add-Ons that somehow got installed on your
browser. To disable the Add-ons, follow this:
Click on the Programs tab and then click the Manage Add-Ons button; there, disable
the Non/Not Verified Plug-ins/Add-ons (you need to re-enable them one-by-one
later and see which is the culprit).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

HTH,
nass
 
Rob T

Yup. Several times, and very very carefully
--
Rob Taylor


nass said:
Rob T said:
I've been getting a strange message on two of my computers each time they're
restarted (WXP Pro SP3). In the title bar of the message is the word
"Sandboxie". The body reads, "This program will not run in sandboxie.
Please close sandboxie first.

I don't have sandboxie installed, nor can I find any trace of it in my
computers. I contacted Ronen Tzur, the developer of sandboxie, and he sent
me a link to his blog page that shows several other users with that same
message, and they indicate that it's a piece of malware. I downloaded the
latest Windows Malicious Software Removal tool, ran the Full Scan and came up
empty. Does anyone have any ideas on what this is and how to get rid of it?

Did you look in the Add/Remove Programs for any third-party Apps that look
unfamiliar and uninstall them?


Go through these Cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.

Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then try to disable the Add-Ons that somehow got installed on your
browser. To disable the Add-ons, follow this:
Click on the Programs tab and then click the Manage Add-Ons button; there, disable
the Non/Not Verified Plug-ins/Add-ons (you need to re-enable them one-by-one
later and see which is the culprit).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (off-line scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

HTH,
nass
 
PA Bear [MS MVP]

There is a very good chance that you are seeing the effects of a hijackware
infection.

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan!

2. WinXP ONLY!! => Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
Rob T

Thank you for that list of things to do. No, they're not too far above my
capability. I've been working with computers (building, fixing &
programming) for 50 years, but I do have to admit that today the technology
is moving so fast, that there's a whole world of things I don't
know/understand. The things on your list, however, I do understand. Some of
them I'd already performed before posting my question. I've also used two
other anti-malware programs - malware bytes and MalwareGuard - both of which
found a number of issues and cleaned them, but the problem persists. The
ONLY thing that visibly happens is that insipid message every time the
computer starts up (didn't happen in safe mode though), but who knows what
else lurks in the computer because of it?
 
Rob T

OK; I finished running the Microsoft Live One Care scan/clean in safe mode,
and when I rebooted, the sandboxie message was gone. A new one, however, now
displays when the machine restarts. It has the word "RUNDLL" in the title
bar, and the body of the message reads, "Error loading
C:\Windows\System32\raehjxxv.dll. The specified module could not be found".
Any ideas about this one?
 
Shenan Stanley

Rob said:
OK; I finished running the Microsoft Live One Care scan/clean in
safe mode, and when I rebooted, the sandboxie message was gone. A
new one, however, now displays when the machine restarts. It has
the word "RUNDLL" in the title bar, and the body of the message
reads, "Error loading C:\Windows\System32\raehjxxv.dll. The
specified module could not be found". Any ideas about this one?

Leftover crud
 
David H. Lipman

From: "Rob T"

| OK; I finished running the Microsoft Live One Care scan/clean in safe mode,
| and when I rebooted, the sandboxie message was gone. A new one, however, now
| displays when the machine restarts. It has the word "RUNDLL" in the title
| bar, and the body of the message reads, "Error loading
| C:\Windows\System32\raehjxxv.dll. The specified module could not be found".
| Any ideas about this one?
| --
| Rob Taylor


The malware represented by the file raehjxxv.dll was removed, but NOT the loading point.

Use MSCONFIG.EXE and the Startup tab.

Look for the line that loads the above DLL and disable it.
 
PA Bear [MS MVP]

The error points to a "leftover" from a Vundo infection. See #3 in my first
reply.
 
Elmo

Rob said:
OK; I finished running the Microsoft Live One Care scan/clean in safe mode,
and when I rebooted, the sandboxie message was gone. A new one, however, now
displays when the machine restarts. It has the word "RUNDLL" in the title
bar, and the body of the message reads, "Error loading
C:\Windows\System32\raehjxxv.dll. The specified module could not be found".
Any ideas about this one?

Click Start, Run, type REGEDIT, click OK. Press the Home key, press F3,
type raehjxxv.dll into the search pane. Click "Find Next", and when
located, delete the reference to the file. Press F3 to continue the search.

You can click File, Export, and save the entry to the Desktop. If you
remove it and there's a problem, double-click the .reg file you exported
to the Desktop and it'll be added to the registry again. You can create
a restore point before editing the registry too.

You could click Start, Run, type MSCONFIG, click OK, click the StartUp
tab, and deselect the item(s). When you restart the computer, you will
be warned that you're running in the Diagnostic mode; click to not alert
you again, and OK out. You won't see the message again. But I think
it's best to just remove the references from the registry.
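
Added example, not part of any poster's reply: David H. Lipman's point that the DLL was removed but its loading point was not, combined with Elmo's registry export step, gives a check that parses an exported Run key and lists rundll32 entries whose DLL no longer exists. The export text, the value names and the example.dll entry are constructed for illustration; only the raehjxxv.dll path comes from the error message in the thread.

```python
import re

# Constructed sample of a regedit export (File > Export) of a Run key.
# Value names and the example.dll entry are made up; only the raehjxxv.dll
# path is taken from the thread. Real exports are UTF-16: decode them first.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"a1b2c3"="rundll32.exe \"C:\\Windows\\System32\\raehjxxv.dll\",a"
"ExampleHelper"="rundll32.exe C:\\Windows\\System32\\example.dll,Start"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32 followed by a quoted or bare DLL path, then ",EntryPoint"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,\s]+))', re.I)

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def rundll_entries(export_text):
    """Yield (key, value_name, dll_path) for every rundll32 startup value."""
    key = None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        r = RUNDLL_RE.search(data)
        if r:
            yield key, name, r.group(1) or r.group(2)

def orphaned(export_text, exists):
    """Return entries whose DLL is missing; pass os.path.exists on the machine."""
    return [(k, n, dll) for k, n, dll in rundll_entries(export_text) if not exists(dll)]
```

Each returned tuple names the key and value to review in REGEDIT or on the MSCONFIG Startup tab; an entry pointing at a DLL that still exists is left out and needs its own scan.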
 
Jose

OK; I finished running the Microsoft Live One Care scan/clean in safe mode,
and when I rebooted, the sandboxie message was gone.  A new one, however, now
displays when the machine restarts.  It has the word "RUNDLL" in the title
bar, and the body of the message reads, "Error loading
C:\Windows\System32\raehjxxv.dll.  The specified module could not be found".  
Any ideas about this one?

I would be curious to know if you tried Malwarebytes as suggested
earlier.

MBAM seems to have quite a good success rate in dealing with your
symptoms and situations based on their user forums. It is often the
only tool that even finds and then fixes some or all of your exact
problems in one pass.

If you did and it was not fixed, that would be most interesting.

If you did not, then you may have lost considerable productivity.
 
Rob T

Well guess what! The "RUNDLL" error message went away by itself, but now
something keeps turning off my Automatic Updates, and then locks up the
Security Center or system properties when I try to turn it back on.
Sometimes it goes on after I finally get the thing unlocked, but sometime
later, it goes off again. Looks like I either picked up something during
cleaning, or while the cleaning was going on (I had to turn off ZoneAlarm in
order to run the cleaners). So now I'm doing the whole enchilada again.
I'll report back when it's all finished (One Care takes 3 - 4 hours).
 
David H. Lipman

From: "Rob T"

| Well guess what! The "RUNDLL" error message went away by itself, but now
| something keeps turning off my Automatic Updates, and then locks up the
| Security Center or system properties when I try to turn it back on.
| Sometimes it goes on after I finally get the thing unlocked, but sometime
| later, it goes off again. Looks like I either picked up something during
| cleaning, or while the cleaning was going on (I had to turn off ZoneAlarm in
| order to run the cleaners). So now I'm doing the whole enchilada again.
| I'll report back when it's all finished (One Care takes 3 - 4 hours).
| --
| Rob Taylor




Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Then post the contents of the HJT log in your post with a full explanation of your problem
and what you have done to date in one of the below expert forums...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13
 
