unable to move infected file

Hello all, newbie to BD. Everything seems to be working fine except for one small thing. When I ran my first scan BD discovered a Trojan called virtumod.alx; I believe it's activated by a file called ssqrp.dll located in my Windows system32 folder. However, after completing the scan BD tells me that disinfecting failed and moving failed. After emailing the report to BD support, they replied and instructed me to reboot in safe mode, locate the ssqrp.dll file in the Windows system32 folder, manually delete it and then empty my Recycle Bin, then restart in normal mode. I couldn't locate the file (ssqrp.dll) even when doing a search in hidden files and folders. I even looked when in normal mode (not in safe mode) and still couldn't locate the file. BD blocks the trojan when starting. I have emailed them back and informed them that I couldn't locate the file but have yet to hear back from them. I searched their virus database on the BD website and the trojan wasn't listed. Has anyone else come across this particular trojan?

I am having some problems when connecting online: I keep getting a popup notification stating that I am not connected when in fact I am, and I have to uncheck 'Work Offline' in my browser most of the time. This notification pops up sometimes even when I am not connected online. Is this a characteristic of the trojan? I also get another popup when Windows starts: it says that it can't load the file called j4251730.dll, the file cannot be found or is missing. Are these instances due to the trojan? Any help will be greatly appreciated.
Thanks.
Tom
P.S. I tried to attach a copy of the report but the forum says that I am not permitted to upload that type of file. It's a simple Notepad file, why couldn't I upload it?
Comments
Hi!
Check the memory to see if there is any instance of the trojan. If you find any, terminate them. You could also make sure that Explorer displays both hidden and system files (the trojan could set these attributes on the file ssqrp.dll).
You can only upload archive files or image files. You can attach only the text (copy-paste) of the report in a new reply; you don't have to attach the entire file.
Andrei
Thanks for replying so quickly. When you say to check the memory, do you mean to do a memory scan? I have Explorer set up to display hidden files.
Thanks again.
Tom
You can open the Task Manager (press CTRL+ALT+DEL or press CTRL+SHIFT+ESC, or go to Run -> taskmgr) and look for any process that appears to be the trojan. If you can, end it.
Andrei
Hi
To see whether they are legitimate processes or not, enter the process name on the following website:
http://www.neuber.com/taskmanager/process/index.html Here you can browse to see if it's a malware process or not. If you can't find it, kill the process.
I also recommend that you download SuperAntiSpyware Free: http://downloads2.superantispyware.com/dow...AntiSpyware.exe Update it, reboot your PC, press the F8 key several times before the Windows loading screen and choose Safe Mode. After that, start SuperAntiSpyware and perform a complete scan.
Regards
Niels
I've already been to 'Process Library'; the process 'ssqrp.dll' is not listed. I would delete the process from my PC if I could locate it on my PC. It's nowhere to be found! I've done a complete search and no 'ssqrp.dll' is found, but yet BD detects it when doing a scan. I use 'Process Explorer' instead of the normal Task Manager, and it doesn't even show up there. I have pasted a portion of the scan report:
C:\WINDOWS\system32\ssqrp.dll Infected: MemScan:Trojan.Virtumod.ALX
C:\WINDOWS\system32\ssqrp.dll Disinfection failed
C:\WINDOWS\system32\ssqrp.dll Move failed
Here is a report of the memory scan that was done a few days ago - :
Summary:
C:\WINDOWS\system32\ssqrp.dll Infected: MemScan:Trojan.Virtumod.ALX
C:\WINDOWS\system32\ssqrp.dll Rename failed
Hi
Also download SuperAntiSpyware, as I suggested in my previous post, because SuperAntiSpyware can remove Vundo variants and other difficult malware.
Regards
Niels
Open your registry editor (go to Start -> Run -> Regedit <enter>).
Then browse to the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and look for any reference which points to that DLL. If you find any, delete it. Then reboot and do another scan, to see if BD can delete the file.
Andrei
Hi
You will see "ab" icons when you navigate to the registry keys Andrei mentioned. To prevent a process from being loaded with Windows you have to delete the "ab" icon. To verify that you don't remove legitimate startup items, enter them on this website: http://castlecops.com/StartupList.html Also take a look here: Start, Run, type msconfig in the Run dialog box, press Enter, go to the Startup tab and see if you find any reference to that particular DLL file. Also use the site I mentioned to verify it. If you find the DLL file, uncheck it. After that, also check this location: Start, All Programs, Startup. But I still recommend that you run a SuperAntiSpyware scan afterwards.
Regards
Niels
OK, what exactly are "ab icons"? I didn't even think of checking startup options under msconfig! I'll check the registry as well. And I'll download the SuperAntiSpyware software too. I'll post a reply later this evening. Hope all goes well. Thanks in advance.
Hi!
What Niels referred to are those small icons which contain a red "ab".
Hi
Sorry that I wasn't clear, but I was referring to what Andrei said in his post. Also, I don't have an English Windows version, so sometimes it could be that it's named differently. You can also check whether the trojan uses a service: Start, Run, type services.msc in the Run dialog box and press Enter. But that isn't always the case.
Regards
Niels
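The replies above describe a manual hunt: show hidden and system files, look in the Run keys under HKLM and HKCU, check msconfig's Startup tab and the Startup folder, check services.msc, and look for the DLL in running processes. The following script is an added example that is not part of the thread and not BitDefender's or SuperAntiSpyware's code; it does the same checks from one elevated PowerShell window and only reports, it never deletes anything. The $DllName parameter is an assumption of the example (it defaults to ssqrp.dll, the name from the scan log), and the RunOnce keys and the ServiceDll check are additions beyond what the posts list, because a DLL registered there would be missed by the Run-key and PathName checks alone.

```powershell
# Added example (not from the forum thread): read-only hunt for one DLL name
# across the autostart locations discussed above. Run from an elevated
# PowerShell; nothing here modifies the system.
param(
    [string]$DllName = "ssqrp.dll"   # assumed parameter; name taken from the scan log
)
$pattern = [regex]::Escape($DllName)

# 1. File presence. -Force returns hidden and system files, which Explorer and
#    a plain search skip unless "show hidden/system files" is enabled.
$target = Join-Path (Join-Path $env:WINDIR "System32") $DllName
$file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
if ($file) {
    Write-Host "FILE   : $($file.FullName) attributes=$($file.Attributes) size=$($file.Length) modified=$($file.LastWriteTime)"
} else {
    Write-Host "FILE   : $target not found by the filesystem API (compare with the exact path in the scan log)"
}

# 2. Run / RunOnce keys for both the machine and the current user.
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like "PS*") { continue }        # skip PowerShell's own PSPath/PSParentPath metadata
        if ("$($p.Value)" -match $pattern) {
            Write-Host "RUNKEY : $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Startup folders (Start > All Programs > Startup), per-user and all-users.
foreach ($dir in @([Environment]::GetFolderPath("Startup"), [Environment]::GetFolderPath("CommonStartup"))) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object { Write-Host "STARTUP: $($_.FullName)" }
}

# 4. Services. PathName covers services with their own binary; services hosted
#    in svchost keep their DLL in Parameters\ServiceDll instead, so check both.
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object { Write-Host "SERVICE: $($_.Name) state=$($_.State) path=$($_.PathName)" }
Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services" -ErrorAction SilentlyContinue | ForEach-Object {
    $svcDll = (Get-ItemProperty -Path "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($svcDll -and $svcDll -match $pattern) { Write-Host "SVCDLL : $($_.PSChildName) -> $svcDll" }
}

# 5. Processes that currently have the DLL mapped. A DLL loaded into a running
#    process cannot be deleted or moved while that process holds it, which is
#    why an on-demand scan can report the file as infected and then fail to move
#    it, and why the vendor asks for the deletion to be done from safe mode.
foreach ($proc in Get-Process) {
    try {
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName }
        if ($hit) { Write-Host "LOADED : PID $($proc.Id) $($proc.ProcessName) -> $($hit.FileName)" }
    } catch {
        # Access denied on protected processes is normal when not elevated; ignore.
    }
}
```

Run it as `.\hunt-dll.ps1 -DllName ssqrp.dll` (file name assumed). If step 1 finds nothing but step 5 reports a process with the module loaded, the entry in the scan log came from memory, not from a directory listing, and the file path printed in step 5 is the one to remove from safe mode. Any Run-key or service hit should be verified against a startup-item database, as Niels suggests, before it is deleted.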
Well, I've tried everything everybody has mentioned or suggested I do. BD is still unable to delete the infected file. As a final resort and just because I was tired and fed up with nothing working, I reformatted my HDD and did a clean install. I am still in the process of loading all of the applications I have. But everything is running smoothly. I really appreciate those of you who offered assistance and suggestions to me. Thanks again.
Hi
So you also tried SuperAntiSpyware (SA) in safe mode? Because normally SA could remove it. A format is a little bit too drastic; I knew another solution. But I agree that you can now say that your PC is clean. Good to hear that everything is fine now. Glad that we could assist you.
Regards
Niels
Glad that we could help you (even if you took that drastic decision).
Andrei
Nope Niels, sorry to say I didn't try SuperAntiSpyware; at that point my impatience had gotten the best of me and I just went ahead and resorted to drastic measures and reformatted. I am still going to download the SA software and keep it on a flash drive just in case something like this happens again, which of course we all hope doesn't happen again! Again, thanks for everybody's help.
Tom
You don't have to apologize. Personally, a format is the last solution I suggest. But that is my opinion.
Niels