Please Help

This topic is locked
6 replies to this topic

#1 baileydog (Members, 3 posts)

Posted 25 March 2007 - 04:08 PM

I got some spyware and can't get it off my system.

What I've done:
Turned System Restore off.
CWShredder
Ran Lavasoft
Spybot
AVG Spyware

Ran VundoFix, HijackThis

Now when I reboot or turn on the PC I get an error message:
Error Loading
C:\windows\System32\xqepisgu.dll
Invalid access to memory location.

---------------------------------------------------------

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 3:47:19 PM 3/25/2007

Listing files found while scanning....

C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\System32\jlkkj.bak1
C:\WINDOWS\System32\jlkkj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\jkklj.dll
C:\WINDOWS\System32\jkklj.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\jlkkj.bak1
C:\WINDOWS\System32\jlkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\jlkkj.ini
C:\WINDOWS\System32\jlkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

---------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:56:05 PM, on 3/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196F93A7-ECBF-45C2-95F5-D24F521C8A6C} - C:\WINDOWS\System32\sstts.dll (file missing)
O2 - BHO: (no name) - {1E95C9E3-72F4-4FE1-91F8-5AE315804DDA} - C:\WINDOWS\System32\awtqq.dll (file missing)
O2 - BHO: (no name) - {33CFF9A3-7ECB-4382-806D-AB0138BC7386} - C:\WINDOWS\system32\opnnopm.dll (file missing)
O2 - BHO: (no name) - {519F5A4A-0B79-46AD-AEDC-5D5227D79C0E} - C:\WINDOWS\System32\jkklj.dll (file missing)
O2 - BHO: (no name) - {5960AE99-5CB6-4268-8E91-42CD2D45B69F} - C:\WINDOWS\System32\sstts.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7CD1ADBA-4278-4AA3-95B0-4CFE56B853Ce} - C:\WINDOWS\System32\sginpnpx.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - blank (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xqepisgu.dll",setvm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{18ED2394-B30E-4A8C-825A-308EAA157809}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD97C0F1-A31C-4618-87E7-465818276986}: NameServer = 192.168.1.1
O20 - Winlogon Notify: opnnopm - opnnopm.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007.SP1\RpcSandraSrv.exe


Uninstall list:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 7.0
Anim-FX
AVG 7.5
AVG Anti-Spyware 7.5
Cabela's Big Game Hunter 2006 Season
Call of Duty® 2
CCleaner (remove only)
CD LabelMaker
Clic*Pic Gallery Creator
CloneCD
CloneDVD2
CLSetup for Tiger Woods PGA Tour 07
CLTool for Tiger Woods PGA Tour 07
CoffeeCup Flash Firestarter
ConvertXtoDVD 2.1.9 Beta WIP
Cool MP3 Splitter 2.2
DAEMON Tools
Deer Hunter - The 2005 Season
Digital Photo Navigator 1.0
Diskeeper Professional Edition
DivX Codec
DVD Region+CSS Free 5.9.8.1
DVD Shrink 3.2
EA Link
EA SPORTS online 2007
eMule
End It All
Fraps (remove only)
Game Commander 2
High Heat Major League Baseball 2004
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hijackthis 1.99.1
HijackThis 1.99.1
Hunting Unlimited 4 1.0
Ipswitch WS_FTP Pro
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Jigs@w Puzzle Platinum Edition
K-Lite Codec Pack 2.80 Basic
LimeWire 4.9.37
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia Shockwave Player
MadOnion.com/3DMark2001
Microsoft .NET Framework 1.1
Microsoft Motocross Madness 2
Microsoft Office 2000 Premium
Mozilla Firefox (1.5.0.11)
NASCAR® Racing 2003 Season
Nero Suite
NeroVision Express Content
NVIDIA Drivers
Paint Shop Pro 7
Ping Plotter Freeware
PowerDVD
PowerISO
QuickTime
RealPlayer
Realtek AC'97 Audio
Registry Mechanic
rFactor (remove only)
SiSoftware Sandra Pro Business 2007.SP1 (Win64/32/CE)
Spy Sweeper 4.x.x FIX
Spybot - Search & Destroy 1.4
Stock Car Evolution 0.97
TeamSpeak 2 RC2
The Logo Creator v3
The Logo Creator v4
Tiger Woods PGA TOUR 07
Trophy Hunter 2003 - Rocky Mountain Adventures
Veo Advanced Connect
VSAdd-in for Internet Explorer
Windows Genuine Advantage v1.3.0254.0
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix (SP2) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Windows XP Service Pack 1a
WinRAR archiver
WinZip

#2 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 28 March 2007 - 05:17 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {196F93A7-ECBF-45C2-95F5-D24F521C8A6C} - C:\WINDOWS\System32\sstts.dll (file missing)
O2 - BHO: (no name) - {1E95C9E3-72F4-4FE1-91F8-5AE315804DDA} - C:\WINDOWS\System32\awtqq.dll (file missing)
O2 - BHO: (no name) - {33CFF9A3-7ECB-4382-806D-AB0138BC7386} - C:\WINDOWS\system32\opnnopm.dll (file missing)
O2 - BHO: (no name) - {519F5A4A-0B79-46AD-AEDC-5D5227D79C0E} - C:\WINDOWS\System32\jkklj.dll (file missing)
O2 - BHO: (no name) - {5960AE99-5CB6-4268-8E91-42CD2D45B69F} - C:\WINDOWS\System32\sstts.dll (file missing)
O2 - BHO: (no name) - {7CD1ADBA-4278-4AA3-95B0-4CFE56B853Ce} - C:\WINDOWS\System32\sginpnpx.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - blank (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xqepisgu.dll",setvm
O20 - Winlogon Notify: opnnopm - opnnopm.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
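As an added example (not code from the thread, from HijackThis or from the helper above), a small Python triage script that applies the same three criteria the fix list above follows, run over sample lines constructed from the posted log: O2/O3 add-on registrations whose target file is missing, an O4 rundll32 autorun loading a random-named DLL from System32, and a Winlogon Notify hook with a random-looking name and no file. The SUSPECT_NAME pattern is an assumed heuristic; it leaves the WRNotifier entry alone, as the fix list does.

```python
import re

# Constructed sample: HijackThis 1.99.1 lines modelled on the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196F93A7-ECBF-45C2-95F5-D24F521C8A6C} - C:\WINDOWS\System32\sstts.dll (file missing)
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\System32\xqepisgu.dll",setvm
O20 - Winlogon Notify: opnnopm - opnnopm.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# HijackThis marks dead registrations with one of these suffixes.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Assumed heuristic: Vundo-style filenames are 5-8 lowercase letters, no digits/capitals.
SUSPECT_NAME = re.compile(r"^[a-z]{5,8}$")
# rundll32.exe <dll>,<export>, with or without quotes around either part.
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+"?([^",]+\.dll)"?,(\w+)', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (\S+)")


def triage_line(line):
    """Return a reason if the line belongs on the 'Fix Checked' list, else None."""
    line = line.strip()
    kind = line.split(" - ", 1)[0]
    if kind in ("O2", "O3") and line.endswith(ORPHAN_MARKERS):
        return "orphaned browser add-on registration (target file missing)"
    if kind == "O4":
        m = RUNDLL_RE.search(line)
        if m:
            stem = m.group(1).replace("\\", "/").rsplit("/", 1)[-1][:-4]
            if SUSPECT_NAME.match(stem):
                return f"rundll32 autorun loads random-named {stem}.dll, export {m.group(2)}"
    if kind == "O20":
        m = NOTIFY_RE.match(line)
        if m and SUSPECT_NAME.match(m.group(1)) and line.endswith("(file missing)"):
            return f"Winlogon Notify hook {m.group(1)} with random-looking name"
    return None


def triage_log(text):
    """Map each flagged log line to its reason; clean lines are omitted."""
    return {l.strip(): r for l in text.splitlines() if (r := triage_line(l))}


if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG).items():
        print(f"{reason}\n    {entry}")
```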

#3 baileydog (Topic Starter)

Posted 28 March 2007 - 08:59 PM

Sorry for the delay. Had to go out of town.



Logfile of HijackThis v1.99.1
Scan saved at 8:55:38 PM, on 3/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{18ED2394-B30E-4A8C-825A-308EAA157809}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD97C0F1-A31C-4618-87E7-465818276986}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Pro Business 2007.SP1\RpcSandraSrv.exe

#4 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 29 March 2007 - 12:10 AM

Hello,

Your HijackThis log looks clean now. How are things running now?

#5 baileydog (Topic Starter)

Posted 30 March 2007 - 10:25 PM

running great.

Thank you for the help.

#6 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 31 March 2007 - 12:25 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#7 miekiemoes (Malware Killer Dog, Malware Response Team)

Posted 01 April 2007 - 04:30 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.