TechSpot

Spyware Problems

By piklemeup
Jun 26, 2006
  1. I think this is the right place to post it, so here it goes.

    I was being stupid on the internet the other day and I got some spyware and malware. I got rid of the SpywareQuake problem I had, but now I still have random popups and my homepage is messed up. Right now my homepage is http://www.sysprotectionpage.com/, and I can't change it. Also, I get popups that look like real problems, but then it says I don't have efficient anti-virus software. I also got an "adult" finder that randomly pops up (my mom isn't too happy about this one).

    Just a second ago AVG antivirus popped up with this:
    While opening file: C:\WINDOWS\Temp\win1EC.tmp.exe
    Trojan horse Dialer.BZB
    I selected heal, and it says it's healed, but I can't be sure.
    Just again it happened:
    While opening file: C:\Documents and Settings\***my username***\local settings\temporary internet files\content.IE5\03WZELQD\bgates[1].exe
    Trojan horse Dialer.BZB
    And again healed, then another one:
    while opening file C:\Windows\temp\win1ED.tmp.exe
    Trojan horse dialer.BZB
    and another
    C:\Windows\temp\win1ee.tmp.exe
    trojan horse dialer.bzb

    (now its just getting annoying)

    I also have Ad-Aware SE Plus (I don't know if this is any good though) and it keeps coming up with 3 or 4 different pieces of spyware. One is Virtumonde (which has a TAC rating of 10, whatever that means). Then a tracking cookie with a rating of 3. I attempt to remove them, and then they are supposedly removed, then I run another scan, and they are there again.

    I ran Panda ActiveScan, which found a virus, which was removed, and a lot of different spyware, which was also removed by my Ad-Aware SE Plus.

    If anybody else could help, that would be awesome. If you need any other info, just ask me and I'll try to help.

    Here is one quite deceiving popup.
    [screenshot]
     
  2. Peddant

    Peddant TS Rookie Posts: 1,446

    Go HERE and follow the instructions, then post an HJT log.
     
  3. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    I can tell my computer is really starting to slow down. I tried that out, with nothing actually removed.
    My HJT log is in the attachment. I hate it when people post their HJT logs right onto the page; it clutters it up and makes it harder to read through when you are having the same problem.

    I'm also having one of those little popups right at the bottom of the taskbar, the text balloon one. It is warning me of a security alert and that I should "click this icon" to get more protection.

    I'm going to keep this computer off until I need to give more info or have a proper answer; it's going far too slow.
     


  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is quite badly infected with various nasties.

    Go HERE and follow the instructions very carefully.

    Post a fresh HJT log after doing the above.

    Regards Howard :)
     
  5. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    Done :D
    But still not fixed. I got my homepage back, but my system is running slow (as far as I could see), and I still get random popups. I have both my older and newer HJT logs as well as my SmitfraudFix report. The newer HJT log is called "hijackthis 2".
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It`s definitely getting better.

    Download the pocket killbox programme from HERE.

    Extract it, but don`t run it yet.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end the process for (if there):

    253d6b4e.exe
    rdgCA2405.exe


    Close task manager.

    Click start/run and type regsvr32 /u C:\WINDOWS\system32\ssqnnkl.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and C.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there):

    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqnnkl.dll

    O4 - HKLM\..\Run: [253d6b4e.exe] C:\WINDOWS\system32\253d6b4e.exe

    O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2405.exe

    O20 - Winlogon Notify: ssqnnkl - C:\WINDOWS\SYSTEM32\ssqnnkl.dll

    O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)


    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

    These are the files/filepaths you need to input into killbox.

    C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

    C:\WINDOWS\system32\253d6b4e.exe

    C:\WINDOWS\SYSTEM32\ssqnnkl.dll

    Once your system has rebooted, turn on system restore and post a fresh HJT log.

    Regards Howard :)
     
  7. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    Alright, I got an error when trying to use the "run..." thing. I entered all of it, and checked it over, and an error comes up. It says "C:\windows\system32\ssqnnkl.dll was loaded, but the DllUnregisterServer entry point was not found. File cannot be registered".

    It's talking about a server; right now I'm in safe mode without networking. So if I get it with networking, maybe it can connect to the server. I'll try it out and see if it works. If not, I'll post back here again.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Don`t bother too much about that. Use the Pocket killbox programme to delete the file.

    Regards Howard :)
     
  9. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    wow, that was quick :D
    I'll continue on then.

    *edit*
    Fantastic! Everything is gone (as far as I can see). There was a problem removing C:\WINDOWS\system32\ssqnnkl.dll, and it "could not be removed".
    My new hjt log has now been posted, it is the hijackthis 3 file.
    Just kind of wondering, what is the point in turning off system restore and going into safe mode? Also, what is that ssqnnkl.dll file and what does it do if you know?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I can find no info on the ssqnnkl.dll file. However, the fact that it doesn`t want to be deleted, probably means it`s nasty.

    You`ve also still got the C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe entry. This file definitely needs to go.

    Did you input this filepath C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe into the killbox programme?

    The c:\windows\system32\253d6b4e.exe entry has gone.

    I`d like you to try the following.

    Go HERE and follow the instructions.

    Then, go HERE and do likewise.

    Post a fresh HJT log after doing the above. BTW, take a look HERE.

    The point in turning off system restore is, it deletes all the restore points and anything nasty that`s in them. This is because no antivirus/spyware programme can delete anything from inside a restore point.

    Safe mode should make it easier to delete some nasty entries, as they shouldn`t be loaded at startup, unlike in normal mode.

    Regards Howard :)
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have slightly altered the killbox instructions I gave you.

    The changes I have made are in bold type.

    Please try to delete the filepaths again, using the changed instructions.

    Regards Howard :)
     
  12. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    I think you may have misread my post; I'm not having any problems. I tried to remove that 253d6b4e.exe entry, and it's not there anymore... odd. I don't have any popups or annoying ads. I think that ssqnnkl.dll file might be a system file so it cannot be removed; maybe it's not anything bad, because as far as I can see, I don't have any problems. What makes you think that it's bad?
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In your last HJT log, the C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe entry was still there. This is some kind of trojan.

    As for the C:\windows\system32\ssqnnkl.dll, Like I said, I can`t find any info for that .dll file. I`m pretty sure it`s not a system file. I certainly don`t have it on my system.

    Normally, legit files can be removed fairly easily. Obviously this one doesn`t want to go. Again this makes me suspicious.

    It`s in your HJT log as an O2 BHO (browser helper object).

    It`s also in your HJT log as an O20 Winlogon Notify entry. Again, this is usually a sign of something untoward.

    I wouldn`t mind putting money on this being a nasty file.

    The fact that you`re not now having any problems is no guarantee that your system is clean.

    I`m just trying to be thorough. I`d hate to leave you with something nasty on your system. I loathe and detest spyware etc. of any description.

    Please post a fresh HJT log.

    Regards Howard :)
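The reasoning Howard applies in posts 6 and 13 (an unnamed BHO, an orphaned "(file missing)" entry, one DLL that is both an O2 BHO and an O20 Winlogon Notify package, an O16 ActiveX download from a bare IP address, and a Run entry with a random-looking name living under a user profile) can be applied mechanically to an HJT log. The following is an added example, not code from the thread, from HijackThis or from its authors; it parses the O2/O4/O16/O20 line formats shown in the posts above and flags entries that trip those heuristics. The sample log is constructed from the lines quoted in the thread plus one benign ctfmon.exe line added for contrast; the hex-name and directory checks are heuristics and will mis-flag some legitimate software.

```python
"""Triage of HijackThis (HJT) log lines of types O2, O4, O16 and O20.

Added example; not code from the thread, from HijackThis or from its
authors. The heuristics are the ones Howard applies in the thread.
SAMPLE_LOG is constructed from the lines quoted in the thread plus one
benign ctfmon.exe line added for contrast; it is not a complete HJT log.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqnnkl.dll
O2 - BHO: (no name) - {CA67A79B-3C59-4311-B37F-69053A382B8D} - C:\WINDOWS\system32\gebyw.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [253d6b4e.exe] C:\WINDOWS\system32\253d6b4e.exe
O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2405.exe
O20 - Winlogon Notify: ssqnnkl - C:\WINDOWS\SYSTEM32\ssqnnkl.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
MISSING = "(file missing)"
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)   # heuristic, not a rule
USER_DIRS = ("\\local settings\\", "\\application data\\", "\\temp\\")

@dataclass
class Entry:
    section: str            # O2, O4, O16 or O20
    name: str               # BHO name, Run value name, Notify key or DPF name
    path: str               # file path, or the download URL for O16
    missing: bool = False   # HJT appended "(file missing)"
    raw: str = ""           # the original log line

def parse_hjt(text):
    """Return Entry objects for the O2/O4/O16/O20 lines in an HJT log."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, rest = m.groups()
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[: -len(MISSING)].rstrip()
        if section == "O2" and (mm := O2_RE.match(rest)):
            entries.append(Entry("O2", mm["name"], mm["path"], missing, raw))
        elif section == "O4" and (mm := O4_RE.match(rest)):
            entries.append(Entry("O4", mm["name"], mm["path"], missing, raw))
        elif section == "O16" and (mm := O16_RE.match(rest)):
            entries.append(Entry("O16", mm["name"] or "", mm["url"], missing, raw))
        elif section == "O20" and (mm := O20_RE.match(rest)):
            entries.append(Entry("O20", mm["name"], mm["path"], missing, raw))
    return entries

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(entries):
    """Return {raw line: [reasons]} for entries that trip a heuristic."""
    bho_dlls = {basename(e.path) for e in entries if e.section == "O2"}
    notify_dlls = {basename(e.path) for e in entries if e.section == "O20"}
    findings = {}
    for e in entries:
        reasons = []
        if e.missing:
            reasons.append("orphaned entry: file missing")
        if e.section == "O2":
            if e.name == "(no name)":
                reasons.append("BHO with no name")
            if basename(e.path) in notify_dlls:
                reasons.append("same DLL also registered as Winlogon Notify")
        elif e.section == "O20" and basename(e.path) in bho_dlls:
            reasons.append("same DLL also loaded as a BHO")
        elif e.section == "O4":
            if HEXNAME_RE.match(basename(e.path)):
                reasons.append("random-looking hex executable name")
            if any(d in e.path.lower() for d in USER_DIRS):
                reasons.append("runs from a user profile or temp directory")
        elif e.section == "O16":
            try:
                ipaddress.ip_address(urlsplit(e.path).hostname or "")
                reasons.append("ActiveX download from a bare IP address")
            except ValueError:
                pass
        if reasons:
            findings[e.raw] = reasons
    return findings
```

A hit is a reason to look further (hash the file, check whether it is signed, search the name), not proof of infection; a "(file missing)" entry is usually a leftover from an earlier removal and is safe to fix. The strongest single indicator in the set is the O2/O20 overlap: a DLL loaded by every browser instance and by winlogon.exe is locked in normal mode, which is exactly why the ssqnnkl.dll file in this thread would not delete until safe mode and a delete-on-reboot were used.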
     
  14. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    a little after I posted that message, my antivirus (AVG) popped up with an alert saying that I still had a virus. I don't remember the message at the moment, but I will check when I get the time, right now I'm a bit busy.

    I'll post a new HJT log as soon as I'm less busy.
     
  15. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    Here is my HJT log. I also got a fake popup, showing that it's not fixed yet. Ewido anti-spyware found a piece of malware called "Adware.Virtumonde", and here's the great part, it shows the location as: C:\WINDOWS\system32\ssqnnkl.dll
     
  16. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    I found these instructions, and I'm hoping they will fix it:
    Note that everything in this is copied and pasted, so the links won't work
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s a nice bit of detective work.

    However, if you had followed the instructions in the link posted by Peddant, you would`ve seen a link to the Vundofix tool. This would`ve got rid of the Vundo infection. For future reference, here is the link.

    http://www.atribune.org/content/view/24/2/


    Anyhow never mind, at least it`s gone now.

    The only problem left in your HJT log is the O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe entry.

    Obviously this file doesn`t seem to want to go.

    Doing a Yahoo and Google search brings up no results for 253d6b4e.exe. This probably, but not necessarily, means it`s nasty. For all I know it might belong to some application you are running. However, with no search results it`s impossible for me to tell.

    How is your system running now?

    Regards Howard :)
     
  18. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    Oh, it is running sooo much better. Yeah, if I keep getting popups from the 253d6b4e.exe then I'll keep posting. It looks like it's fixed.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s excellent news.

    If you have anymore virus/spyware problems, please post in this thread.

    Good luck.

    Regards Howard :)
     
  20. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    Another problem has come up. My computer doesn't seem to be running slower at all. My AVG antivirus just picked up 2 pieces of adware. One is the ssqnnkl.dll. It is in the path C:\!Killbox\ssqnndl.dll. So Killbox didn't remove it, just tried to hide it. Then the other one is backup-20060626-145752-271.dll in the folder C:\Documents and Settings\End user\Desktop\backups\backup-20060626-145752-271.dll. The test isn't complete yet, so I might pick up more when it is actually done.

    I just realised that that is on my desktop, and I don't remember putting it there.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end the process for (if there):

    253d6b4e.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Have HJT fix the following, by placing a tick in the little box next to each (if there):

    O2 - BHO: (no name) - {CA67A79B-3C59-4311-B37F-69053A382B8D} - C:\WINDOWS\system32\gebyw.dll (file missing)

    O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

    If the above file won`t delete, use killbox.

    The above is the only nasty entry in your HJT log.

    Reboot into normal mode and turn system restore back on.


    Regards Howard :)
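The Killbox "delete file on reboot" step in posts 6 and 21 exists because a DLL loaded as a BHO by every browser window and as a Winlogon Notify package by winlogon.exe is locked for as long as the system is up. Windows records such deferred deletions in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which MoveFileEx writes when called with MOVEFILE_DELAY_UNTIL_REBOOT and which the session manager replays early in the next boot, before the DLL can be loaded again. The following added example (not code from the thread or from Pocket Killbox; whether Killbox uses exactly this value rather than its own driver or a quarantine move, as post 20 suggests, is an assumption) encodes and decodes that value so you can see what a scheduled deletion looks like and read one back from a hive you are examining. Sample paths are constructed; nothing here touches a live registry.

```python
r"""Encode, decode and interpret the PendingFileRenameOperations value.

Added example; not code from the thread or from Pocket Killbox. The value
is a REG_MULTI_SZ of source/target pairs: sources are NT paths
("\??\C:\..."), an empty target means "delete at boot", and a target
beginning with "!" means "replace an existing file" (what MoveFileEx
records for MOVEFILE_REPLACE_EXISTING). That Killbox writes this value is
an assumption; the sample paths are constructed and nothing here touches
the registry.
"""
NT_PREFIX = "\\??\\"

def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16-LE, each string NUL-terminated, plus a final NUL."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")

def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps empty strings (a delete target)."""
    text = data.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]
    elif text.endswith("\0"):
        text = text[:-1]
    return text.split("\0") if text else []

def schedule_delete(existing, paths):
    """Append delete-on-reboot pairs for Win32 paths to an existing list."""
    ops = list(existing)
    for p in paths:
        ops += [NT_PREFIX + p, ""]        # empty target == delete
    return ops

def strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def pending_operations(strings):
    """Interpret the pairs as (kind, source, target, replace_existing)."""
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", strip_nt(src), None, False))
        else:
            replace = dst.startswith("!")
            ops.append(("rename", strip_nt(src), strip_nt(dst.lstrip("!")), replace))
    return ops
```

When triaging a machine, an unexpected entry in this value is itself an indicator: malware uses the same mechanism to swap files in at boot, before anti-virus is running. A list with an odd number of strings is damaged; zip() silently drops the unpaired tail, so check len(strings) % 2 before trusting the output. Note also what post 20 shows: a tool that moves the file into its own folder instead of deleting it leaves the payload on disk for the next AV scan to find.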
     
  22. djgl

    djgl TS Rookie

    Sysprotection virus is gone!!!

    Howard_hopkinso, you are an absolute genius!!! You cured me of my nasty virus! Yesterday, I got the sysprotection virus which did the exact thing to my computer as piklemeup was experiencing. Thankfully I found this site on Google, otherwise I'd be taking my laptop in for repairs. I downloaded all the programs exactly like you said, with the exception that I had already downloaded HijackThis from download.com before entering this site. I had also copied my HijackThis log file into this site: www.hijackthis.de/ and within seconds received an analysis identifying the threats to my computer, which I was then able to have HijackThis fix. But I was still getting popups and sysprotection still had control over my homepage, but by following your instructions, I got rid of the problem completely. Thank you so much!! I've never posted in a computer website before, but I just had to tell you how much I appreciated this. Just have one question: do I leave all those virus protection programs on my computer (including Ewido, which I'll have to buy after the trial) and if I get another virus, do I just follow the exact instructions again to remove it?

    Deb
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Once the trial of Ewido is finished, you can still use the programme. It`s just that you will lose one or two features, that`s all. As for the rest of the programmes you downloaded, you can safely get rid of them.

    Just keep hold of SS&D/Ad-Aware se/Spywareblaster/Ewido/ and your antivirus programme.

    The http://www.hijackthis.de/ site is very good. However, it should only ever be used as a guide and nothing more. This is because the results are not 100% accurate.

    I`m glad your system is now clean.

    Thanks for letting us know.

    Regards Howard :)
     
  24. piklemeup

    piklemeup TS Rookie Topic Starter Posts: 58

    Post virus Checkup

    I just got some kind of virus, i got the main part removed, and fixed the hijacked homepage, but I want to make sure it's all gone. Could somebody run through my hjt log and tell me if I still need anything cleaned up.

    This is probably the wrong place to mention this, but I'm also having a problem with my CLI.exe. The error message is:
    "The application failed to initialize properly (0xc0000135). Click on OK to terminate the application."

    This started just after I did a reboot, while running the smitfraud fix.

    Thanks
    Piklemeup
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I have merged your new thread into this one.

    Your HJT log is clean.

    The error message you`re getting is to do with your ATI software.

    Reinstall the software, that should fix the problem.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of piklemeup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     