Ie7 Popups And Rundll Error. I Suspect Some Spyware Or Malware.


3 replies to this topic

#1 crushedguava

Posted 19 December 2007 - 06:37 AM

Hi there. It's my first time posting here. Hoping that you guys could give me some help with my problem.

I just bought a new Acer laptop with Windows Vista Home Premium 32 bit preinstalled yesterday, and have been happily installing programs and getting it to work when I got careless and downloaded a file off a nocd crack website. The file disappeared after I double clicked on it and I have no idea where it went. However, that may or may not be the cause of my problems.

Right now, the problem(s) I have is this:

1) When the computer starts up, I get the RunDLL error message saying:
"Error loading C:\Users\Crushe~1\AppData\Local\Temp\ssqpn.dll
Access is denied".

2) Internet Explorer 7 displays pop-ups, I've seen 3 different websites:
-hopelessromantic.com
-403 forbidden page
-and a website with Chinese characters
-there has also been one instance where I got an alert saying something to the effect of "your computer has been infected and you need to download some anti spyware" with OK and Cancel being the options. Wasn't sure what to do but disconnected my internet before pressing cancel.

3) Internet and computer seem to be a bit sluggish, but then again, it might just be my imagination :thumbsup:

I did a search on google about ssqpn.dll and it seems to be a spyware of some sort.

What I've done so far:

1) did a regedit search for ssqpn.dll and found one mention of it, together with another similar rundll file, ljjkl.dll in Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

2) looked through this website for some tips and have so far downloaded, updated and scanned the computer with the latest versions of AVG Antivirus 7.5, Lavasoft Adaware 2007 Free, Spybot Search & Destroy 1.5 (including immunising IE), and Stinger.exe, all of which did not report any problems, nor solved my problem. Housecall Antivirus did not work for me, in both Firefox and IE.

3) downloaded and ran vundofix.exe, which came up with no problems as well.

My options are limited. Ideally, I would just reformat the laptop and start reinstalling my programs, but apparently the latest Acer laptops do not provide recovery CDs, and I can only restore factory settings. Can anyone confirm that restoring factory settings does not remove spyware? If it does, I might just do that.

If anyone can provide me with any assistance or help, I'd be very grateful. Thanks a lot.

JW

Edited by crushedguava, 19 December 2007 - 06:42 AM.



#2 rookie147

Posted 19 December 2007 - 07:30 AM

Please download ATF Cleaner to your Desktop.
Don't run it yet.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Restart your computer normally again.

Please download VirtumundoBeGone.exe and save the file to your Desktop.
  • Close ALL running programs including your Internet Browser.
  • Double-click VirtumundoBeGone.exe to launch.
  • Read the introductory information, and then click "Continue".
  • Click "Start".
  • When asked if you want to continue, click "Yes" to run the fix.
  • Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.
  • When finished it will create a log named VBG.TXT on your desktop.
  • Reboot your PC and post the VBG.TXT in your next reply.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Post the contents of VBG.txt and Vundofix.txt in your reply.



#3 crushedguava

Posted 19 December 2007 - 09:23 AM

Thanks for the reply.

I have followed your instructions, and this is the VBG.TXT:


[12/19/2007, 21:40:46] - VirtumundoBeGone v1.5 ( "C:\Users\crushedguava\Desktop\VirtumundoBeGone.exe" )
[12/19/2007, 21:40:49] - Detected System Information:
[12/19/2007, 21:40:49] - Windows Version: 5.1.2600, Service Pack 2
[12/19/2007, 21:40:49] - Current Username: crushedguava (Admin)
[12/19/2007, 21:40:49] - Windows is in NORMAL mode.
[12/19/2007, 21:40:49] - Searching for Browser Helper Objects:
[12/19/2007, 21:40:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/19/2007, 21:40:49] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[12/19/2007, 21:40:49] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/19/2007, 21:40:49] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[12/19/2007, 21:40:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/19/2007, 21:40:49] - No filename found. Continuing.
[12/19/2007, 21:40:49] - BHO 5: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} (ShowBarObj Class)
[12/19/2007, 21:40:49] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[12/19/2007, 21:40:49] - Finished Searching Browser Helper Objects
[12/19/2007, 21:40:49] - Finishing up...
[12/19/2007, 21:40:49] - Nothing found! Exiting...

I have also used Vundofix.exe again but it doesn't produce any vundofix.txt, although it did say that 'nothing was detected' after it ended.

Before I read your first reply, I actually rescanned my computer using AVG, and it detected the virus 'Obfustat.ACYA' in 4 different files, 3 of which were quarantined, one I think deleted.
The 3 that were quarantined (and still are in quarantine) are:
C:\Users\CRUSHE~1\AppData\Local\Temp\ssqpn.dll
C:\Users\Crushedguava\AppData\Local\Temp\opnomkk.dll
C:\Users\Crushedguava\AppData\Local\Temp\tmp00018729

Right now, when I restart my computer, my original problem (the one regarding C:\Users\CRUSHE~1\AppData\Local\Temp\ssqpn.dll) has disappeared, and I get yet another RunDLL error saying:
"Error loading C:\Users\CRUSHE~1\AppData\Local\Temp\ljjkl.dll
The specified module cannot be found"

and this is immediately followed by Spybot's TeaTimer message saying:
"Spybot has detected an important registry entry that has been changed
Category: System Startup User Entry
Change: Value deleted
Entry: MSServer
Old data rundll32.exe C:\Users\CRUSHE~1\AppData\Local\Temp\ljjkl.dll"

and I clicked the 'Allow Change' option after that, but upon restarting again, the same thing (both messages) comes up.

I actually tried using Spybot's 'System Startup' function to disable the ljjkl.dll from starting up, but immediately upon doing that, another entry for ljjkl is created.

Hopefully this makes sense.
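
The startup entry described in this thread, a Run value that starts rundll32.exe with a DLL in the user's Temp folder, can be audited with a short script. This is an added example, not part of the original posts: the function names and the `ExampleUpdater` entry are made up for illustration, and the `MSServer` value is copied from the TeaTimer message above.

```python
import ntpath
import re

# Constructed sample: "MSServer" is the value quoted in the TeaTimer message;
# "ExampleUpdater" is an invented benign entry for contrast.
SAMPLE_RUN_VALUES = {
    "MSServer": r"rundll32.exe C:\Users\CRUSHE~1\AppData\Local\Temp\ljjkl.dll",
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /background',
}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
TEMP_DIR = re.compile(r"\\temp\\", re.I)
# rundll32, then the DLL path (quoted or bare), optionally ",EntryPoint".
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.I)


def read_hkcu_run():
    """Read the current user's Run values on Windows as {name: command}."""
    import winreg  # Windows-only standard-library module
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values


def suspicious_run_entries(values, exists=None):
    """Flag Run values where rundll32 loads a DLL from a temp directory."""
    findings = []
    for name, command in values.items():
        m = RUNDLL.search(command)
        if not m:
            continue
        dll = m.group(1) or m.group(2)
        if not TEMP_DIR.search(dll):
            continue
        # A missing target gives the "module cannot be found" error at logon.
        present = exists(dll) if exists else None
        findings.append({"value": name, "dll": dll,
                         "file": ntpath.basename(dll), "present": present})
    return findings


if __name__ == "__main__":
    import os, sys
    vals = read_hkcu_run() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for finding in suspicious_run_entries(vals, os.path.exists):
        print(finding)
```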

#4 rookie147

Posted 20 December 2007 - 07:24 AM

It would appear that multiple infections are present on your system. Therefore, I think your best course of action now would be to post your HijackThis log for analysis from our experts. Please follow our Preparation Guide For Use Before Posting a HijackThis Log; running all of the scans before posting your HijackThis log. Do not post your log here, but instead use our HijackThis Logs and Analysis Forum.
After posting a log you should NOT make further changes to your computer except those that are advised by a member of the HijackThis Team; doing so can cause system changes that may not be visible in your log. Please be patient whilst waiting for a response, our HJT Team is currently very busy, and as we try to deal with logs on a "first come first served" basis, you may have to wait a short while.

Edited by rookie147, 20 December 2007 - 07:25 AM.
