Programs will not open or not respond [Solved]


  • This topic is locked

#16
HOH_Virus

HOH_Virus

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
OTS report is attached.

Attached Files

  • Attached File  OTS.Txt   354.88KB   363 downloads

  • 0



#17
HOH_Virus

Gmer still gives the window saying C:\Windows\system32\config\system:The system cannot find the file specified.
  • 0

#18
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Set Explorer to view Hidden Files and Folders:
  • Right-click your Start button and go to "Explore".
  • Select Organize from the menu
  • Select Folder and Search Options
  • Select the View tab
  • Click on Show all Files and Folders
  • Remove the checkmark from Hide extensions for known file types
  • Remove the checkmark from Hide protected operating System files
  • Select Apply to All Folders | Yes | Apply | OK.
Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "JSntgRvr"
  • Put a link to this thread in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

    • c:\users\matt\appdata\local\temp\ssrrro.DLL
  • Click Open.
  • Click Post.
Set Explorer to Defaults:
  • Right-click your Start button and go to "Explore".
  • Select Organize from the menu
  • Select Folder and Search Options
  • Select the View tab
  • Click on Restore Defaults
  • Select Apply to All Folders | Yes | Apply | OK.

Note:

EA Download Manager can interfere with the downloads. A bad download will have the same symptoms. In regard to GMER, it may not be compatible with a 64bit system.

Edited by JSntgRvr, 19 February 2010 - 02:53 PM.

  • 0

#19
HOH_Virus

Ok I uploaded the file to the spy killer forum.
  • 0

#20
JSntgRvr

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky. It is a large download but worth it.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again, and you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


Edited by JSntgRvr, 19 February 2010 - 08:26 PM.

  • 0

#21
HOH_Virus

I'm running the Kaspersky VRT and it is on autoscan; it's been stuck on 1% for 25 minutes. It stopped on a file, C:\users\matt\appdata\local\temp\ssrrro.dll. When I click under details, under result it lists Trojan.Win32.Pincav.qoz four times: two times detected and two untreated. The reason listed for untreated is postponed.
  • 0

#22
JSntgRvr

Rootkit Revealer will fail due to incompatibility. Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to complete a form in order to access the download page.

  • Once you have downloaded the file, double click the sar_15_sfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to install to C:\Program Files\Sophos\Sophos Anti-Rootkit - DO NOT change this location, simply click the Install button
  • Once the program has been installed it will run.
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)
    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you
  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh OTL log into this thread and tell me how your computer is running now

Note:

This program does not produce a report. If you have doubts on items checked, Stop. Expand the results window and take a screenshot for me to see.

  • You can do this by pressing the PrintScreen key.
  • Then go to Start > All Programs > Accessories > Paint
  • In Paint, go up to Edit > Paste
  • Then Go up to File > Save As. Click the drop-down box to change the "Save As Type" to "JPEG", name it what you want, and save it on the desktop.
  • Then click Add Reply in this topic.
  • Scroll down to Attachments
  • Click the Browse button.
  • Locate the file you just saved, click on it, then click Open, then Upload.
  • Click Manage Current Attachment and click on the green option.
  • Add a Reply

Edited by JSntgRvr, 20 February 2010 - 06:14 PM.

  • 0

#23
HOH_Virus

In Sophos Anti-Rootkit the Running Processes checkbox is grayed out and I cannot check it.
  • 0

#24
JSntgRvr

Bear with me, HOH_Virus. Not too many programs run in 64bit systems.

This is a new version of the Sophos scan. Let's try to run the program from a command prompt. I hope your system allows it. The file created must be run as an administrator.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as RunMe.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, right-click on the RunMe.bat file and select "Run as an administrator".

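@Echo Off
rem Convert %ProgramFiles% to its short (8.3) form so the path contains no spaces
for %%D in ("%ProgramFiles%") do set ProgramFiles=%%~sD
rem Change to the Sophos Anti-Rootkit install folder (/d also switches drive if needed)
cd /d "%ProgramFiles%\Sophos\Sophos Anti-Rootkit"
rem Run the command-line scanner and write its log to the desktop
sarcli -log="%Userprofile%\desktop\Sarscan.txt"
Exit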


If successful, it should run Sophos Anti-Rootkit, then produce a report on your desktop labeled Sarscan.txt. Attach the report to a reply.

The scan takes a while, be patient.

Edited by JSntgRvr, 20 February 2010 - 11:29 PM.

  • 0

#25
HOH_Virus

No luck with the bat file; nothing happens after I run as admin.
  • 0



#26
HOH_Virus

I did the scan with Sophos with Windows registry and Local hard drives checked. As noted before, it will not allow me to check Running processes. Would you like for me to post the results of that?
  • 0

#27
JSntgRvr


I did the scan with Sophos with Windows registry and Local hard drives checked. As noted before, it will not allow me to check Running processes. Would you like for me to post the results of that?

Yes, please.
  • 0

#28
HOH_Virus

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Matt\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\ILBCVELG\general;net=ns;u=,ns-1053605_1266573350,117096926f0d3e6,ce_mobile_blackberry,;;kw=;tile=1;ord1=35657;sz=300x250,336x280;contx=ce_mobile_blackberry;btg=;ord=2897535583898520[1]
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Matt\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\67GRU10L\neral;net=ns;u=,ns-83247421_1266573352,117096926f0d3e6,ce_mobile_blackberry,;;kw=;tile=1;ord1=311875;sz=300x250,336x280;contx=ce_mobile_blackberry;btg=;ord=2897535583898520[1]
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Matt\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\9JN0V3PZ\eral;net=ns;u=,ns-2891020_1266573362,117096926f0d3e6,it_general_opensource,;;kw=;tile=1;ord1=397084;sz=300x250,336x280;contx=it_general_opensource;btg=;ord=7873183137090474[1]
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Matt\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5\67GRU10L\ral;net=ns;u=,ns-23199327_1266573363,117096926f0d3e6,it_general_opensource,;;kw=;tile=1;ord1=218745;sz=300x250,336x280;contx=it_general_opensource;btg=;ord=7873183137090474[1]
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)
  • 0

#29
HOH_Virus

Screenshot

Attached Thumbnails

  • screenshot.jpg

  • 0

#30
JSntgRvr

Those files are legit.

Start OTS. Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Kill All Processes]
[Unregister Dlls]
[Registry - All]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "opmlllsys" -> c:\users\matt\appdata\local\temp\ssrrro.DLL [rundll32.exe "c:\users\matt\appdata\local\temp\ssrrro.dll",DllRegisterServer]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "tuturpsys" -> c:\users\matt\appdata\local\temp\ssrrro.DLL [rundll32.exe "c:\users\matt\appdata\local\temp\ssrrro.dll",DllRegisterServer]
< 64bit-AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
64bit-*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> avgrssta.dll ->
< 64bit-AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
[Files/Folders - Modified Within 30 Days]
NY -> 46 C:\Users\Matt\AppData\Local\Temp\*.tmp files -> C:\Users\Matt\AppData\Local\Temp\*.tmp
NY -> 46 C:\Users\Matt\AppData\Local\Temp\*.tmp files -> C:\Users\Matt\AppData\Local\Temp\*.tmp
NY -> 2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
NY -> 2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
[Empty Temp Folders]
[Reboot]




The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanit scan log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0
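
The two Run values in the fix above share one pattern: rundll32.exe loading a DLL from the user's Temp folder at every logon. The following is an added example, not part of the original thread and not code from OTS, showing how that pattern can be flagged when reviewing autorun entries. The directory list, function names and the last two sample entries are assumptions made for illustration.

```python
import re
from ntpath import normcase, normpath  # Windows path rules on any OS

# Assumed heuristic: user-writable locations where autostart DLLs rarely belong.
SUSPECT_DIRS = (r"\appdata\local\temp", r"\windows\temp", r"\temporary internet files")

# Matches: rundll32[.exe] "<dll path>",<export>  or  rundll32 <dll path>,<export>
# Limitation: an unquoted DLL path containing spaces is not handled.
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))\s*,\s*(?P<export>[\w#@]+)',
    re.IGNORECASE,
)

def parse_rundll32(command):
    """Return (normalised_dll_path, export) for a rundll32 launch, else None."""
    m = RUNDLL.search(command)
    if not m:
        return None
    # normpath collapses "..\" tricks; normcase lower-cases for comparison.
    dll = normcase(normpath(m.group("q") or m.group("u")))
    return dll, m.group("export")

def flag_autoruns(entries):
    """entries: iterable of (hive, value_name, command). Returns suspicious ones."""
    findings = []
    for hive, name, command in entries:
        parsed = parse_rundll32(command)
        if parsed is None:
            continue  # not a rundll32 launch; out of scope for this check
        dll, export = parsed
        hits = [d for d in SUSPECT_DIRS if d in dll]
        if hits:
            findings.append({"hive": hive, "name": name, "dll": dll, "export": export,
                             "reason": "rundll32 loads DLL from " + hits[0]})
    return findings

# The first two entries are the Run values listed in the fix above; the last two
# are constructed benign samples for contrast.
SAMPLE = [
    ("HKLM", "opmlllsys", r'rundll32.exe "c:\users\matt\appdata\local\temp\ssrrro.dll",DllRegisterServer'),
    ("HKCU", "tuturpsys", r'rundll32.exe "c:\users\matt\appdata\local\temp\ssrrro.dll",DllRegisterServer'),
    ("HKLM", "ExampleTray", r'"C:\Program Files\Example\tray.exe" /startup'),
    ("HKLM", "ExampleCpl", r'rundll32.exe C:\Windows\System32\example.dll,Init'),
]

if __name__ == "__main__":
    for finding in flag_autoruns(SAMPLE):
        print(finding)
```
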





