Spyware Problems


piklemeup

I think this is the right place to post it, so here it goes.

I was being stupid on the internet the other day and I got some spyware and malware. I got rid of the spywarequake problem I had, but now I still have random popups and my homepage is messed up. Right now my homepage is http://www.sysprotectionpage.com/, and I can't change it. Also, I get popups that look like real problems, but then it says I don't have efficient anti-virus software. I also got an "adult" finder that randomly pops up (my mom isn't too happy about this one).

Just a second ago AVG antivirus popped up with this:
While opening file: C:\WINDOWS\Temp\win1EC.tmp.exe
Trojan horse Dialer.BZB
I selected heal, and it says it's healed, but I can't be sure.
Just again it happened:
While opening file: C:\Documents and Settings\***my username***\local settings\temporary internet files\content.IE5\03WZELQD\bgates[1].exe
Trojan horse Dialer.BZB
And again healed, then another one:
while opening file C:\Windows\temp\win1ED.tmp.exe
Trojan horse dialer.BZB
and another
C:\Windows\temp\win1ee.tmp.exe
trojan horse dialer.bzb

(now its just getting annoying)

I also have Ad-Aware SE Plus (I don't know if this is any good though) and it keeps coming up with 3 or 4 different pieces of spyware. One is Virtumonde (which has a TAC rating of 10, whatever that means). Then a tracking cookie with a rating of 3. I attempt to remove them, and then they are supposedly removed, then I run another scan, and they are there again.

I ran Panda ActiveScan, which found a virus, which was removed, and a lot of different spyware, which was also removed by my Ad-Aware SE Plus.

If anybody else could help, that would be awesome. If you need any other info, just ask me and I'll try to help.

Here is one quite deceiving popup.
 
I can tell my computer is really starting to slow down. I tried that out, with nothing actually removed.
my hjt log is in the attachment, I hate it when people post their hjt logs right onto the page, it clutters it up and makes it harder to read through when you are having the same problem.

I'm also having one of those little popups right at the bottom of the taskbar, the text balloon one. It is warning me of a security alert and I should "click this icon" to get more protection.

I'm going to keep this computer off until I need to give more info or have a proper answer, it's going far too slow.
 

Attachments: hjt log.zip
Your system is quite badly infected with various nasties.

Go HERE and follow the instructions very carefully.

Post a fresh HJT log after doing the above.

Regards Howard :)
 
done :D
but still not fixed. I got my homepage back, but my system is running slow (as far as I could see), and I still get random popups. I have both my older and newer hjt log as well as my smitfraudfix report. The newer hjt log is called "hijackthis 2".
 
It's definitely getting better.

Download the pocket killbox programme from HERE.

Extract it, but don't run it yet.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

253d6b4e.exe
rdgCA2405.exe


Close task manager.

Click start/run and type regsvr32 /u C:\WINDOWS\system32\ssqnnkl.dll into the run box and press the enter key. Note the space between the 2 and the forward slash and again between the u and c.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqnnkl.dll

O4 - HKLM\..\Run: [253d6b4e.exe] C:\WINDOWS\system32\253d6b4e.exe

O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgCA2405.exe

O20 - Winlogon Notify: ssqnnkl - C:\WINDOWS\SYSTEM32\ssqnnkl.dll

O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)


Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

These are the file/filepaths you need to input into killbox.

C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

C:\WINDOWS\system32\253d6b4e.exe

C:\WINDOWS\SYSTEM32\ssqnnkl.dll

Once your system has rebooted, turn on system restore and post a fresh HJT log.

Regards Howard :)
 
Alright, I got an error when trying to use the "run..." thing. I entered all of it, and checked it over and an error comes up. It says "C:\windows\system32\ssqnnkl.dll was loaded, but the DllUnregisterServer entry point was not found. File cannot be registered"

It's talking about a server, right now I'm in safe mode without networking. So if I get it with networking, maybe it can connect to the server. I'll try it out and see if it works. If not I'll post back here again.
 
wow, that was quick :D
I'll continue on then.

*edit*
Fantastic! Everything is gone (as far as I can see). There was a problem removing C:\WINDOWS\system32\ssqnnkl.dll, and it "could not be removed".
My new hjt log has now been posted, it is the hijackthis 3 file.
Just kind of wondering, what is the point in turning off system restore and going into safe mode? Also, what is that ssqnnkl.dll file and what does it do if you know?
 
I can find no info on the ssqnnkl.dll file. However, the fact that it doesn't want to be deleted probably means it's nasty.

You've also still got the C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe entry. This file definitely needs to go.

Did you input this filepath C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe into the killbox programme?

The c:\windows\system32\253d6b4e.exe entry has gone.

I'd like you to try the following.

Go HERE and follow the instructions.

Then, go HERE and do likewise.

Post a fresh HJT log after doing the above. BTW, take a look HERE.

The point in turning off system restore is, it deletes all the restore points and anything nasty that's in them. This is because no antivirus/spyware programme can delete anything from inside a restore point.

Safe mode should make it easier to delete some nasty entries, as they shouldn't be loaded at startup, unlike in normal mode.

Regards Howard :)
 
I have slightly altered the killbox instructions I gave you.

The changes I have made are in bold type.

Please try to delete the filepaths again, using the changed instructions.

Regards Howard :)
 
I think you may have misread my post, I'm not having any problems. I tried to remove that 253d6b4e.exe entry, and it's not there anymore... odd. I don't have any popups or annoying ads. I think that ssqnnkl.dll file might be a system file so it cannot be removed, maybe it's not anything bad, because as far as I can see, I don't have any problems. What makes you think that it's bad?
 
In your last HJT log, the C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe entry was still there. This is some kind of trojan.

As for the C:\windows\system32\ssqnnkl.dll, like I said, I can't find any info for that .dll file. I'm pretty sure it's not a system file. I certainly don't have it on my system.

Normally, legit files can be removed fairly easily. Obviously this one doesn't want to go. Again this makes me suspicious.

It's in your HJT log as an O2 BHO (browser helper object).

It's also in your HJT log as an O20 Winlogon Notify entry. Again, this is usually a sign of something untoward.

I wouldn't mind putting money on this being a nasty file.

The fact that you're not now having any problems is no guarantee that your system is clean.

I'm just trying to be thorough. I'd hate to leave you with something nasty on your system. I loathe and detest spyware etc of any description.

Please post a fresh HJT log.

Regards Howard :)
 
a little after I posted that message, my antivirus (AVG) popped up with an alert saying that I still had a virus. I don't remember the message at the moment, but I will check when I get the time, right now I'm a bit busy.

I'll post a new HJT log as soon as I'm less busy.
 
Here is my hjt log. I also got a fake popup, showing that it's not fixed yet. Ewido anti-spyware found a piece of malware called "Adware.Virtumonde", and here's the great part, it shows the location as: C:\WINDOWS\system32\ssqnnkl.dll
 
I found these instructions, and I'm hoping they will fix it:
Note that everything in this is copied and pasted, so the links won't work
What this program does:

Trojan.Vundo is a component of an adware program that downloads and displays pop-up advertisements. It is known to be installed by visiting a Web site link contained in a spammed email.

Tools needed for this fix:
Vundo Fix
VirtumundoBegone
Note: The entries shown below may have different file names. You will though have an O2 entry, which may contain the word "MSEvents", and an O20 entry that has the same file name as the O2 entry. For example, as you can see, the following colour-coded sets each have an O2 and O20 entry with the same filename.

O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\ddaya.dll
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll


O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\mljjk.dll
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\mljjk.dll


O2 - BHO: MFCOptimizeClass Object - {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - C:\WINDOWS\System32\ssqrs.dl
O20 - Winlogon Notify: mljjk - C:\WINDOWS\system32\ssqrs.dll

Note: This fix only applies to Vundo infections where the O2 entry contains MSEvents or ATLDistrib.

Preparation Steps:

Please do both of the following before we start:

1. Please print these instructions as they will be needed later when Internet access is not available.

2. Save these instructions in word or notepad to the desktop where they can be easily found.

At the moment you may feel like you're battling with your computer to keep it running smoothly, but doing the following things will help to get it back to how it was in a faster manner.


Removal Steps:

1. Download VundoFix.exe and save it to your desktop.
2. Double-click VundoFix.exe to run it.
3. Place a check in the checkbox labeled Run VundoFix as a task. You will receive a message stating that VundoFix will close and re-open in a minute or less.
4. When VundoFix reopens, click the OK button.
5. Click the Scan for Vundo button.
6. Once it's done scanning, click the Remove Vundo button.
7. You will receive a prompt asking if you want to remove the files, click the YES button.
8. Once you click yes, your desktop will go blank as it starts removing Vundo.
9. When completed, it will prompt that it will shutdown your computer, click the OK button.
10. When the computer has shutdown, turn your computer back on.

The Winfixer/Vundo infection should now be cleaned from your computer. If you are still having a problem then please proceed to Step 2.

Step 2: This step should only be used if the instructions in Step 1 did not remove the infection.

Download VirtumundoBegone and save it to your desktop.

VirtumundoBegone

Reboot your computer into Safe Mode

Then double click VirtumundoBeGone.exe you just downloaded and follow the instructions.

Exit when it has finished


If after attempting the instructions in this guide the infection is still present, then it is advised that you post your HijackThis log so one of our experts can help you remove the infection. You can post your HijackThis log at this forum:

HijackThis Analysis and Spyware Removal
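The O2/O20 pairing the copied Vundo guide describes (plus the "(file missing)" O20 hook and the per-user Run entry Howard flagged earlier in the thread) can be checked mechanically. The script below is an added example, not part of the thread or of any tool it mentions; the sample log lines are constructed from entries quoted above, and the second O2 line uses a placeholder GUID and path.

```python
import re
from collections import defaultdict

# Constructed sample HJT lines modelled on the entries quoted in this thread.
# The GUID and path in the second O2 line are placeholders, not a real BHO.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\System32\ddaya.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
FILE_RE = re.compile(r"([^\\\s\[\]]+\.(?:dll|exe))", re.IGNORECASE)

def parse_entries(log_text):
    """Yield (section, body) for each HJT entry line such as 'O20 - ...'."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def file_basename(body):
    """Lower-cased file name of the first .dll/.exe mentioned in an entry body."""
    m = FILE_RE.search(body)
    return m.group(1).lower() if m else None

def find_o2_o20_pairs(log_text):
    """File names present as both an O2 BHO and an O20 Winlogon Notify hook (the Vundo pattern)."""
    by_section = defaultdict(set)
    for section, body in parse_entries(log_text):
        name = file_basename(body)
        if name:
            by_section[section].add(name)
    return sorted(by_section["O2"] & by_section["O20"])

def find_missing_notify_dlls(log_text):
    """O20 hooks whose DLL HJT reports as missing: a dangling Winlogon Notify entry."""
    return sorted(file_basename(b) for s, b in parse_entries(log_text)
                  if s == "O20" and "(file missing)" in b)

def find_run_entries_in_user_appdata(log_text):
    """O4 Run entries that launch from Local Settings\\Application Data, as in this thread."""
    return sorted(file_basename(b) for s, b in parse_entries(log_text)
                  if s == "O4" and r"local settings\application data" in b.lower())

if __name__ == "__main__":
    print("O2/O20 pairs:", find_o2_o20_pairs(SAMPLE_LOG))
    print("missing Notify DLLs:", find_missing_notify_dlls(SAMPLE_LOG))
    print("Run entries in user AppData:", find_run_entries_in_user_appdata(SAMPLE_LOG))
```

Matches are pointers for a human review of the log, not a verdict: a legitimate BHO or Notify DLL can also appear in both sections.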
 
That's a nice bit of detective work.

However, if you had followed the instructions in the link posted by Peddant, you would've seen a link to the Vundofix tool. This would've got rid of the Vundo infection. For future reference here is the link.

http://www.atribune.org/content/view/24/2/


Anyhow never mind, at least it's gone now.

The only problem left in your HJT is the O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe entry.

Obviously this file doesn't seem to want to go.

Doing a Yahoo and Google search brings up no results for 253d6b4e.exe. This probably, but not necessarily, means it's nasty. For all I know it might belong to some application you are running. However, with no search results it's impossible for me to tell.

How is your system running now?

Regards Howard :)
 
Oh, it is running sooo much better. Yeah, if I keep getting popups from the 253d6b4e.exe then I'll keep posting. It looks like it's fixed.
 
Another problem has come up. My computer doesn't seem to be running slower at all. My AVG antivirus just picked up 2 pieces of adware. One is the ssqnnkl.dll. It is in the path C:\!Killbox\ssqnndl.dll. So killbox didn't remove it, just tried to hide it. Then the other one is backup-20060626-145752-271.dll in the folder C:\Documents and Settings\End user\Desktop\backups\backup-20060626-145752-271.dll. The test isn't complete yet, so I might pick up more when it is actually done.

I just realised that that is on my desktop, and I don't remember putting it there.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

253d6b4e.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {CA67A79B-3C59-4311-B37F-69053A382B8D} - C:\WINDOWS\system32\gebyw.dll (file missing)

O4 - HKCU\..\Run: [253d6b4e.exe] C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Documents and Settings\EndUser\Local Settings\Application Data\253d6b4e.exe

If the above file won't delete, use killbox.

The above is the only nasty entry in your HJT log.

Reboot into normal mode and turn system restore back on.


Regards Howard :)
 
Sysprotection virus is gone!!!

Howard_hopkinso you are an absolute genius!!! You cured me of my nasty virus! Yesterday, I got the sysprotection virus which did the exact thing to my computer as piklemeup was experiencing. Thankfully I found this site on google, otherwise I'd be taking my laptop in for repairs. I downloaded all the programs exactly like you said with the exception that I had already downloaded Hijackthis from download.com before entering this site. I had also copied my Hijackthis log file into this site: www.hijackthis.de/ and within seconds received an analysis identifying the threats to my computer, which I was then able to have Hijackthis fix. But, I was still getting popups and sysprotection still had control over my homepage, but with following your instructions, I got rid of the problem completely. Thank you so much!! I've never posted in a computer website before, but I just had to tell you how much I appreciated this. Just have one question, do I leave all those virus protection programs on my computer (including ewido which I'll have to buy after the trial) and if I get another virus, do I just follow the exact instructions again to remove it?

Deb
 
Once the trial of Ewido is finished, you can still use the programme. It's just that you will lose one or two features, that's all. As for the rest of the programmes you downloaded, you can safely get rid of them.

Just keep hold of SS&D/Ad-Aware SE/Spywareblaster/Ewido/ and your antivirus programme.

The http://www.hijackthis.de/ site is very good. However, it should only ever be used as a guide and nothing more. This is because the results are not 100% accurate.

I'm glad your system is now clean.

Thanks for letting us know.

Regards Howard :)
 
Post virus Checkup

I just got some kind of virus. I got the main part removed, and fixed the hijacked homepage, but I want to make sure it's all gone. Could somebody run through my hjt log and tell me if I still need anything cleaned up.

This is probably the wrong place to mention this, but I'm also having a problem with my CLI.exe, the error message is:
"The application failed to initialize properly (0xc0000135). Click on OK to terminate the application."

This started just after I did a reboot, while running the smitfraud fix.

Thanks
Piklemeup
 
I have merged your new thread into this one.

Your HJT log is clean.

The error message you're getting is to do with your ATI software.

Reinstall the software, that should fix the problem.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of piklemeup only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 