Windows 7 Forums

Windows 7: Attention: cottonball, virus deleted all SD photos

23 Aug 2013   #51
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Take a look in one of these locations

C:\ProgramData\Microsoft\Microsoft Antimalware\Support

C:\ProgramData\Microsoft\Microsoft Security Essentials\Support

ProgramData is a hidden folder.


23 Aug 2013   #52
jumanji

Windows 7 Home Premium 32 bit
 
 

"Registry Entries : 4
[RUN][SUSP PATH] HKLM\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND"

What is this msqjiol.com?????? (googled and it only gets this thread...... LOL)

It also appears that any registry tool to delete those entries is disabled.

Note: Until your PC is cleaned, keep your PC off the internet. I have a nasty feeling that whatever malware is present is most probably communicating to a parent server and sustaining itself. Trojan.Bot.RV ??????. Cottonball may perhaps throw more light on it.
23 Aug 2013   #53
cottonball

Windows 7 Home Premium
 
 

ducat1base,

Quote:
I scanned the computer using MSS and it came back saying no viruses were found. But I can't seem to locate the msert.log file now. I did a search from the Start menu but the only thing it's finding is the .exe file. Am I missing something?
No worry. If it came back with no viruses, it probably did not produce a report.

On the entries that appear on RogueKiller...

This particular malware is a pain.

Need to do some more searching to figure out what may work to get rid of those entries.

Or, if anyone watching this thread has any suggestions, they are appreciated.

Thanks for your patience.

23 Aug 2013   #54
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Can we click on Delete to remove these?

[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
23 Aug 2013   #55
cottonball

Windows 7 Home Premium
 
 

@VistaKing,

These Registry entries are locked. Running a Delete with RogueKiller gave an 'Access is Denied' result.

Some new malware, and it locks the keys by permissions.


@ducat1base,


You can try RogueKiller again, and press: Delete
Then, post its new: RKreport (Mode Delete)

If it gets rid of the entries, we will celebrate!


However, if we do not celebrate, please run FRST64 once again from the Desktop, and post its report.
Let's see if it shows these new entries, since it would be the best, and easiest, tool to get rid of them.


Also run the MiniRegTool64 once again.
Copy and paste the following into the edit box:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Click the List Permissions button.

Press the Go button, and post the result in your reply.


Note: It may be that the SD Card, or any other USB device that was plugged in recently, if only for a few moments, infected the machine once again. Blows the mind, though, since it is vaccinated with Panda's USB Vaccine.

However, jumanji also brought up a good point. Trojan.Bot.RV may also be sustaining itself.
Have looked for info on this malware, and it appears to be new. Removable media appears to be the 'carrier'. As mentioned before, it locks Registry keys by permissions.

A colleague has successfully removed a version of this malware, but this one has some different traits. Aren't we lucky?
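A read-only way to see what the RogueKiller lines above are reporting, and whether the keys really are locked by permissions, is to dump the autorun values, the DisableRegistryTools policy and the ACL on each key from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from RogueKiller/MiniRegTool; it assumes PowerShell 3.0 or later, assumes the `[...]` in the report abbreviates the standard `Microsoft\Windows\CurrentVersion` paths (both the regular Run key and the Policies\Explorer\Run key cottonball lists are checked), and assumes `PROGRA~3` is the 8.3 short name for `C:\ProgramData`, which is the usual mapping but not guaranteed.

```powershell
# Added example, not code from the thread: read-only audit of the Run keys and the
# DisableRegistryTools policy flagged in the RogueKiller report, plus the ACL on each key.
# Assumes PowerShell 3.0 or later in an elevated prompt; nothing here modifies the registry.

$hives = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')   # 64-bit and 32-bit views
$runSubkeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$policySubkey = 'Microsoft\Windows\CurrentVersion\Policies\System'

# Paths a legitimate autorun value seldom points at. PROGRA~3 is the 8.3 short name
# that usually maps to C:\ProgramData (assumption; confirm with `dir /x C:\`).
$suspiciousPath = '(?i)(PROGRA~3|\\ProgramData\\|\\Temp\\|\\AppData\\Local\\)'
$providerProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunValues {
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return }
    try { $item = Get-ItemProperty -Path $KeyPath -ErrorAction Stop } catch { return }
    foreach ($p in $item.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip the provider's own metadata
        [pscustomobject]@{
            Key        = $KeyPath
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = ([string]$p.Value) -match $suspiciousPath
        }
    }
}

function Get-KeyAccess {
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { return }
    try {
        foreach ($ace in (Get-Acl -Path $KeyPath).Access) {
            [pscustomobject]@{
                Key       = $KeyPath
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Type      = $ace.AccessControlType   # a Deny here is what "locked by permissions" looks like
                Inherited = $ace.IsInherited
            }
        }
    } catch {
        # A key whose DACL has been stripped may refuse to show its ACL at all.
        [pscustomobject]@{ Key = $KeyPath; Identity = '<access denied>'; Rights = ''; Type = ''; Inherited = '' }
    }
}

$runValues = @(foreach ($h in $hives) { foreach ($s in $runSubkeys) { Get-RunValues -KeyPath "$h\$s" } })
$policy = @(foreach ($h in $hives) {
    $k = "$h\$policySubkey"
    if (Test-Path -Path $k) {
        [pscustomobject]@{ Key = $k; DisableRegistryTools = (Get-ItemProperty -Path $k).DisableRegistryTools }
    }
})
$acls = @(foreach ($h in $hives) { foreach ($s in ($runSubkeys + $policySubkey)) { Get-KeyAccess -KeyPath "$h\$s" } })

'== Autorun values (Suspicious = command path under ProgramData/Temp) =='
$runValues | Format-Table -AutoSize
'== DisableRegistryTools policy (a non-zero value blocks regedit) =='
$policy | Format-Table -AutoSize
'== Key permissions: look for Deny entries or for Administrators/SYSTEM lacking FullControl =='
$acls | Format-Table -AutoSize
```

Save the output with the rest of the logs: the permissions table is what tells you whether a plain Delete will hit "Access is Denied" (a Deny ACE, or an owner other than Administrators/SYSTEM) and therefore which tool will need to reset the ACL before the value can be removed.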
23 Aug 2013   #56
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

You should be fine with deleting those two.
23 Aug 2013   #57
cottonball

Windows 7 Home Premium
 
 

@VistaKing,

Yes, the last two entries you mentioned should go without problem.

However, the concern is the first two entries:

1. [RUN][SUSP PATH] HKLM\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND
2. [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND



3. [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
4. [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
23 Aug 2013   #58
VistaKing

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

That's what I was referring to: the one in blue in your post above.
23 Aug 2013   #59
cottonball

Windows 7 Home Premium
 
 

@jumanji,

It is unfortunate, but since there is only the one laptop available to provide us info, it appears that ducat1base will need to connect to the Internet.
24 Aug 2013   #60
jumanji

Windows 7 Home Premium 32 bit
 
 

Yep, I understand.

OK, let him try cleaning up the temp folder. If that succeeds in removing the first two entries where msqjiol.com comes into play, we may perhaps assume that communication to that unknown server is eliminated and thereafter it may be safe to connect to the internet.

During this process disconnect from the internet.

To clean up the temp folder, OP should click on Start, type %temp% in the search field and click on the temp folder to open it. Select all files/folders and press Shift+Delete. Some files in use cannot be deleted. Skip those and that should delete everything else and hopefully the msqjiol too. (This may be wishful thinking on my part.)

Note: ducat1base, before you try this, take a screenshot of the contents of the temp folder and post it. Let us examine it and someone may come up with an idea on how to delete the suspicious files if those persist even after the above cleanup procedure.
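The two steps jumanji describes (record what is in the temp folder, then Shift+Delete everything and skip what is in use) can be done in one pass so that the record is a CSV with hashes rather than a screenshot, and the files that refuse to go are listed at the end instead of being skipped silently. The script below is an added example, not code from the thread; it assumes PowerShell 3.0 or later and defaults to the user's %TEMP%. The RogueKiller entries point at a temp path under `C:\PROGRA~3` (usually the short name for `C:\ProgramData`, an assumption), so the folder is a parameter and the same inventory can be taken of that path by passing it explicitly.

```powershell
# Added example, not code from the thread: inventory a temp folder before cleaning it,
# then remove what can be removed and report what a running process still holds open.
# Assumes PowerShell 3.0 or later. Run it while the machine is offline, as advised above.
param([string]$TargetDir = $env:TEMP)

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # FileShare ReadWrite lets us hash a file that another process still has open.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
        finally { $fs.Dispose() }
    } catch { '<unreadable>' }
    finally { $sha.Dispose() }
}

# 1. Inventory: hidden and system files included (-Force); runnable types flagged by extension.
$runnableExt = '^\.(com|exe|dll|scr|pif|bat|cmd|vbs|js)$'
$inventory = @(Get-ChildItem -Path $TargetDir -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path       = $_.FullName
            SizeBytes  = $_.Length
            Modified   = $_.LastWriteTime
            Executable = $_.Extension -match $runnableExt
            SHA256     = Get-Sha256Hex -Path $_.FullName
        }
    })
$report = Join-Path $env:USERPROFILE ('temp-inventory-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$inventory | Export-Csv -Path $report -NoTypeInformation
"Inventoried $($inventory.Count) file(s) under $TargetDir; report saved to $report"
'== Runnable files found (post these along with the report) =='
$inventory | Where-Object { $_.Executable } | Format-Table Path, SizeBytes, Modified, SHA256 -AutoSize

# 2. Cleanup: delete everything deletable, bypassing the Recycle Bin like Shift+Delete does.
#    A file held open by a running process fails here; those are the ones worth a closer look.
$locked = @()
foreach ($f in $inventory) {
    try { Remove-Item -LiteralPath $f.Path -Force -ErrorAction Stop }
    catch { $locked += $f }
}
# Remove now-empty subfolders, deepest first; a folder that still has a locked file stays.
Get-ChildItem -Path $TargetDir -Recurse -Force -Directory -ErrorAction SilentlyContinue |
    Sort-Object { $_.FullName.Length } -Descending |
    ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue }

if ($locked.Count -gt 0) {
    "Could not remove $($locked.Count) file(s); something is holding them open:"
    $locked | Format-Table Path, Executable, SHA256 -AutoSize
} else {
    'All inventoried files removed.'
}
```

The hash column is the useful part of the record: a file that reappears after cleanup with the same SHA-256 is being re-dropped by something still running, which is the "sustaining itself" behaviour jumanji and cottonball are worried about, whereas a different hash each time points at a downloader that is still reaching its server.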