JMann Veteran Posted October 13, 2007

Hi all,

I have been asked by a friend to fix a few problems on their Home PC; one of the main things I dread. I have sorted most of the other problems out, but I'm falling behind on trying to remove a Virus which doesn't seem to die! ;)

The Virus first and foremost is one found in the DLL of SSTQR.dll found in C:\Windows\System32\ssqtr.dll. Now I have browsed to that directory and tried to remove it multiple times to no avail (file is in use, etc.). I have done a scan with NOD32 and tried removing it using NOD but that failed, which was frustrating. I have also tried going into Safe Mode, which didn't work either, and also tried removing the file via command line, all saying access denied. Renaming/moving, also the same problem.

Now I had a clever idea earlier, which was to download Shift Linux (Neowin's own :)) and make a Live CD. I booted using this, great stuff, browsed to the file and tried to remove it, as I thought it won't be in use because I'm not in Windows, surely. But no, didn't work; Shift said it couldn't remove the file because it was on a read only...? Also tried a removal tool, which starts when the PC first boots, but that wouldn't get rid of it.

Now in Shift Linux is there a command I can put to get to the file, and hard-delete it or even rename it without worrying about permissions? (If there is I will need the program name, and what to type etc. as I'm pretty much a Linux nub! :)) Or is there anything I can do in Windows, apart from formatting? :)

(I tried finding a website with some more information on this Virus, but the only thing I could find is what NOD32 displayed about it, which was: sstqr.dll - WIN32/Trojan.ConHook)

Cheers people, really want to get this sorted.

JMann :)

Link to comment: https://www.neowin.net/forum/topic/593907-virus-outbreak/

Knife Party Posted October 13, 2007

Here's some quick advice: get the Kaspersky trial, update and do a full scan in safe mode. That should get rid of the problem. Don't give up, reformatting isn't always the way to go ;)

Janitor Posted October 13, 2007

Use the command line in Windows.

richter Posted October 13, 2007

Did you try using Unlocker or some other utility like that? Try using the free ewido scan, www.ewido.net. It's great. It's easier and faster than downloading and running Kaspersky just to fix this issue.

k22 Posted October 13, 2007

If Unlocker doesn't work, try a BartPE boot CD. It can write to NTFS natively, which will allow you to delete the file from outside of the existing Windows environment. http://www.nu2.nu/pebuilder/

woodson Posted October 13, 2007 (edited)

By ben13010, Friday, January 20, 2006 at 6:05 p.m.:

Ok

O2-BHO: (no name) - (00DBDAC8-4691-4797-8E6A-7C6AB89BC441) - C:\WINDOWS\system32\awtqn.dll
And
O20 - Winlogon Notify: awtqn - C:\WINDOWS\SYSTEM32\awtqn.dll

You noted that these two lines are the same ugly dll. It is a Vundo infection.

You will be ca

Download xp process here: http://www.sysinternals.com/files/procexpnt.zip
Decompress it.
Disconnect.
Close all programs.
Double-click processxp.exe.

* In the main processxp window, double-click winlogon.exe. In the new window that opens, click Threads. Select only the rows that contain the dll awtqn.dll, then select Kill for each line found. Once done, confirm with OK.
* In the main processxp window, double-click explorer.exe. In the new window that opens, click Threads. Select only the rows that contain the dll awtqn.dll, then select Kill for each line found. Once done, confirm with OK.

Then you open Killbox.
Download Pocket Killbox here: http://www.downloads.subratam.org/KillBox.exe
Usage demo (thanks to Balltrap34 for making it): http://pageperso.aol.fr/balltrap34/killbox.htm

You paste in the suspicious dll and delete it, like this:
Double-click on killbox.exe (Pocket Killbox)
- Tick: Delete on Reboot
- "Full Path of File to Delete": copy and paste C:\WINDOWS\SYSTEM32\awtqn.dll
- Click on the red cross
- A window will appear for confirmation: click YES
- A second window may ask whether you want to restart: click YES

Let the PC restart. After that, repost a HijackThis log. There are still some things to fix.

Edited October 13, 2007 by woodson

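The check the quoted post does by eye (spotting that the O2 BHO line and the O20 Winlogon Notify line point at the same DLL) can be scripted. This is an added example, not part of the original posts: the sample log is constructed from the two entries quoted above (spacing normalised, CLSID braces assumed as in a standard HijackThis log) plus two made-up unrelated entries, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two entries quoted in the post (spacing normalised,
# CLSID braces assumed) plus two constructed, unrelated entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: awtqn - C:\WINDOWS\SYSTEM32\awtqn.dll
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\examplenotify.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def normalise(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().lower()


def parse(log_text):
    """Return {normalised DLL path: set of sections ('O2', 'O20') loading it}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        for section, pattern in (("O2", BHO_RE), ("O20", NOTIFY_RE)):
            match = pattern.match(line)
            if match:
                seen[normalise(match.group("path"))].add(section)
    return seen


def shared_dlls(log_text):
    """DLLs registered both as a BHO and as a Winlogon Notify package."""
    return sorted(path for path, sections in parse(log_text).items()
                  if sections == {"O2", "O20"})


if __name__ == "__main__":
    for dll in shared_dlls(SAMPLE_LOG):
        print("review:", dll)
```

A hit is a lead for closer review of that DLL, not a verdict on its own.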
goretsky Supervisor Posted October 15, 2007

Hello,

Did you try contacting ESET's technical support department? If so, were they able to help you?

Regards,

Aryeh Goretsky

n301 Posted October 15, 2007

I stopped repairing PCs years ago (too much dread). I would though suggest posting a HijackThis log over at http://www.castlecops.com/

One app I have used for years is Killbox, works like a champ.

Good luck

+Warwagon MVC Posted October 15, 2007

Make a BartPE CD and boot off that and delete it from there. Then go to the system32 directory and arrange by date and delete all the newest files that look funky, you can just tell. Then if you have NOD32, burn the nod32 directory from c:\program files\ to a CD or a thumbstick and open it in BartPE and run the nod32.exe and do a scan from BartPE.

JMann Veteran Author Posted October 15, 2007

Hey everyone, thought I best update with the solution.

I tried everything, downloaded and read up on all the tools before I started getting to work, all seemed great. (Y) Killbox also looked fairly damn impressive. Same with Bart PE, but the first thing suggested, Kaspersky, solved the issue well. It did the scan, found the virus and after post boot removed the virus on command line with its own tool. So impressed with it, I'm going to purchase a license for it after the trial expires on my own PC.

I have kept the other tools for future PCs (if I ever get the courage to do them again!) and will use them if ever needed.

Thanks again. :)

Knife Party Posted October 15, 2007

see, the power of simplicity, Kaspersky did the job ;)

JMann Veteran Author Posted October 15, 2007

Quote (Knife Party): see, the power of simplicity, Kaspersky did the job ;)

Better than NOD32, most definitely. :p

Colin-uk Veteran Posted October 15, 2007

Just thought I'd say the reason Shift Linux probably couldn't delete it was because the drive is in NTFS and Shift Linux can only mount NTFS drives as read only right now. Doing a delete on a file would require writing to the drive to overwrite the data.

Farstrider Posted October 15, 2007

Quote (JMann): Better than NOD32, most definitely. :p

I am sure a few folk would not be happy with the above statement! :laugh: There are two sides to this argument I would say! Have a look at this!

I have never used Kaspersky, but since the day I started using NOD32 I have never had a virus on any of my PCs! I suppose I am biased, I am an ESET NOD32 partner and probably have it running on at least 15 servers and plus minus 400 PCs.

Glad to hear that the problem is solved!