Attention: cottonball, virus deleted all SD photos


  1. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #51

    Take a look in one of these locations

    C:\ProgramData\Microsoft\Microsoft Antimalware\Support

    C:\ProgramData\Microsoft\Microsoft Security Essentials\Support

    ProgramData is a hidden folder.


  2. Posts : 7,055
    Windows 7 Home Premium 32 bit
       #52

    "¤¤¤ Registry Entries : 4 ¤¤¤
    [RUN][SUSP PATH] HKLM\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND
    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND"

    What is this msqjiol.com?????? (googled it and it only gets this thread...... LOL)

    It also appears any registry tool to delete those entries also is disabled.

    Note: Until your PC is cleaned, keep your PC off the internet. I have a nasty feeling that whatever malware is present is most probably communicating to a parent server and sustaining itself. Trojan.Bot.RV ??????. Cottonball may perhaps throw more light on it.
    Last edited by jumanji; 23 Aug 2013 at 08:14. Reason: Note added.


  3. Posts : 2,470
    Windows 7 Home Premium
       #53

    ducat1base,

    I scanned the computer using MSS and it came back saying no viruses were found. But I can't seem to locate the msert.log file now. I did a search from the Start menu but the only thing it's finding is the .exe file. Am I missing something?
    No worry. If it came back with no viruses, it probably did not produce a report.

    On the entries that appear on RogueKiller...

    This particular malware is a pain.

    Need to do some more searching to figure out what may work to get rid of those entries.

    Or, if anyone watching this thread has any suggestions, they are appreciated.

    Thanks for your patience.


  4. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #54

    Can we click on Delete to remove these?

    [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

    [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND


  5. Posts : 2,470
    Windows 7 Home Premium
       #55

    @VistaKing,

    These Registry entries are locked. Running a Delete with RogueKiller gave an 'Access is Denied' result.

    Some new malware, and it locks the keys by permissions.


    @ducat1base,


    You can try RogueKiller again, and press: Delete
    Then, post its new: RKreport (Mode Delete)

    If it gets rid of the entries, we will celebrate!


    However, if we do not celebrate, please run FRST64 once again from the Desktop, and post its report.
    Let's see if it shows these new entries, since it would be the best, and easiest, tool to get rid of them.


    Also run the MiniRegTool64 once again.
    Copy and paste the following into the edit box:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    Click the List Permissions button.

    Press the Go button, and post the result in your reply.


    Note: It may be that the SD Card, or any other USB device that was plugged in recently, if only for a few moments, infected the machine once again. Blows the mind, though, since it is vaccinated with Panda's USB Vaccine.

    However, jumanji also brought up a good point. Trojan.Bot.RV may also be sustaining itself.
    Have looked for info on this malware, and it appears to be new. Removable media appears to be the 'carrier'. As mentioned before, it locks Registry keys by permissions.

    A colleague has successfully removed a version of this malware, but this one has some different traits. Aren't we lucky?
    Last edited by cottonball; 23 Aug 2013 at 23:09.
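    The checks cottonball asks for above (the Run locations, the Policies\Explorer\Run keys and their permissions, and the DisableRegistryTools policy) can also be gathered in one go with the PowerShell script below. This is an added example for readers of the thread, not a tool posted by cottonball or part of RogueKiller/MiniRegTool; the "suspicious path" pattern is an assumption based on the Temp/PROGRA~3 path in the log above, and a match is a reason to look closer, not proof of infection. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): list the autorun keys discussed above,
# flag Run values pointing into Temp/ProgramData, and show each key's ACL so
# keys locked by permissions (the 'Access is Denied' case) are visible.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Assumed heuristic: legitimate autoruns rarely live in a Temp folder or PROGRA~3
$suspicious = '\\Temp\\|PROGRA~3|ProgramData\\Local'

foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    Write-Host "== $k"
    $item = Get-Item $k
    foreach ($name in $item.GetValueNames()) {
        $val  = $item.GetValue($name)
        $flag = if ("$val" -match $suspicious) { '[SUSP PATH]' } else { '' }
        Write-Host ("  {0,-12} {1} {2}" -f $name, $val, $flag)
    }
    # ACL: look for Deny entries, or Administrators/SYSTEM missing FullControl
    try {
        (Get-Acl -Path $k).Access | ForEach-Object {
            Write-Host ("  ACL {0,-5} {1,-30} {2}" -f $_.AccessControlType,
                        $_.IdentityReference, $_.RegistryRights)
        }
    } catch { Write-Host "  ACL: $($_.Exception.Message)" }
}

# The [HJ POL] lines in the RogueKiller log: policy values that disable Regedit
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($p in $policyKeys) {
    $v = Get-ItemProperty -Path $p -Name DisableRegistryTools -ErrorAction SilentlyContinue
    if ($v) { Write-Host "$p DisableRegistryTools = $($v.DisableRegistryTools)" }
}
```

A Deny entry for Administrators or SYSTEM, or an empty ACL listing with an access error, matches the "locked by permissions" behaviour described in the post; the ownership and permissions have to be restored before a Delete will succeed.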


  6. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #56

    You should be fine with deleting those two.


  7. Posts : 2,470
    Windows 7 Home Premium
       #57

    @VistaKing,

    Yes, the last two entries you mentioned should go without problem.

    However, the concern is the first two entries:

    1. [RUN][SUSP PATH] HKLM\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND
    2. [RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : 2264 (C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com [x]) -> FOUND

    3. [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    4. [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND


  8. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #58

    That's what I was referring to, the one in blue in your post above.


  9. Posts : 2,470
    Windows 7 Home Premium
       #59

    @jumanji,

    It is unfortunate, but since there is only the one laptop available to provide us info, it appears that ducat1base will need to connect to the Internet.


  10. Posts : 7,055
    Windows 7 Home Premium 32 bit
       #60

    Yep, I understand.

    OK, let him try cleaning up the temp folder. If that succeeds in removing the first two entries where msqjiol.com comes into play, we may perhaps assume that communication to that unknown server is eliminated and thereafter it may be safe to connect to the internet.

    During this process disconnect from the internet.

    To clean up the temp folder, OP should click on Start, type %temp% in the search field and click on the temp folder to open it. Select all files/folders and press Shift+Delete. Some files in use cannot be deleted. Skip those and that should delete everything else and hopefully the msqjiol too. (This may be wishful thinking on my part.)

    Note: ducat1base, before you try this, take a screenshot of the contents of the temp folder and post it. Let us examine it and someone may come up with an idea on how to delete the suspicious files if they persist even after the above cleanup procedure.
    Last edited by jumanji; 24 Aug 2013 at 04:42. Reason: note added