Can't run Spybot, found a plague of malware

Hi,

Uninstall this vulnerable Java:
J2SE Runtime Environment 5.0 Update 12

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Documents and Settings\R\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-72ba7448
C:\Documents and Settings\R\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-27d34503
C:\WINDOWS\system32\wmdtc.exe


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. How's the system running now? Is McAfee license still valid? If it is, let it update its definitions at this point.
 
ComboFix 09-09-30.05 - R 10/02/2009 19:55.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.609 [GMT -5:00]
Running from: c:\documents and settings\R\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\R\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\R\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-72ba7448"
"c:\documents and settings\R\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-27d34503"
"c:\windows\system32\wmdtc.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\R\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-72ba7448
c:\documents and settings\R\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-27d34503
c:\windows\system32\wmdtc.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-02 02:37 . 2009-10-02 02:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 01:59 . 2009-10-02 01:59 -------- d-----w- c:\documents and settings\R\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-10-02 01:55 . 2009-10-02 01:55 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-02 01:53 . 2009-10-02 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-01 10:50 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-01 10:50 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-28 09:21 . 2009-09-28 09:21 -------- d-----w- c:\documents and settings\R\DoctorWeb
2009-09-28 02:24 . 2009-09-28 02:24 -------- d-----w- c:\program files\ESET
2009-09-27 05:22 . 2009-09-27 05:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 12:15 . 2009-09-14 12:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-14 04:46 . 2009-09-14 04:46 -------- d-----w- c:\program files\Trend Micro
2009-09-12 21:33 . 2009-09-30 20:41 -------- d--h--w- c:\windows\PIF
2009-09-12 12:46 . 2009-09-12 12:46 -------- d-----w- C:\spoolerlogs
2009-09-10 19:36 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 00:50 . 2006-05-10 23:28 -------- d-----w- c:\program files\Java
2009-10-02 02:04 . 2006-05-18 08:58 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-27 01:54 . 2009-06-15 23:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-14 12:15 . 2008-02-09 20:33 -------- d-----w- c:\program files\Lavasoft
2009-09-14 00:12 . 2009-06-15 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-09 05:53 . 2007-02-20 08:02 56 --sh--r- c:\windows\system32\5DAA50A8B0.sys
2009-08-09 05:53 . 2006-07-03 06:11 7518 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2005-08-16 09:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-11-23 17:05 . 2006-07-03 06:11 88 --sh--r- c:\windows\system32\B0A850AA5D.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_10.53.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-02 01:55 . 2009-10-02 01:55 21504 c:\windows\Installer\80d60.msi
+ 2009-10-02 01:55 . 2009-10-02 01:55 27648 c:\windows\Installer\80d5b.msi
+ 2009-10-02 02:37 . 2009-10-02 02:37 149280 c:\windows\system32\javaws.exe
+ 2009-10-02 02:37 . 2009-10-02 02:37 145184 c:\windows\system32\javaw.exe
+ 2009-10-02 02:37 . 2009-10-02 02:37 145184 c:\windows\system32\java.exe
+ 2009-10-02 02:15 . 2009-10-02 02:15 802304 c:\windows\Installer\80e1b.msi
+ 2009-10-02 02:15 . 2009-10-02 02:15 295606 c:\windows\Installer\{AC76BA86-7AD7-5464-3428-900000000004}\ARPPRODUCTICON.exe
+ 2009-01-18 21:05 . 2009-01-18 21:05 675840 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JP2KLib.dll
+ 2009-10-02 02:08 . 2009-10-02 02:08 6653952 c:\windows\Installer\80e16.msp
+ 2009-10-02 02:09 . 2009-10-02 02:09 1697792 c:\windows\Installer\80e15.msp
+ 2009-10-02 01:57 . 2009-10-02 01:57 3938816 c:\windows\Installer\80d65.msi
+ 2009-10-02 02:37 . 2009-10-02 02:37 1757696 c:\windows\Installer\39031.msi
+ 2009-02-27 17:39 . 2009-02-27 17:39 1302760 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\JSByteCodeWin.bin
+ 2008-12-18 21:48 . 2008-12-18 21:48 3645440 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\authplay.dll
+ 2009-02-27 21:37 . 2009-02-27 21:37 20403568 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0100000010\9.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"Desktop Software"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-10 98304]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1170845904\ee\AOLSoftware.exe" [2008-06-24 41824]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 229376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-02 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312]

c:\documents and settings\R\Start Menu\Programs\Startup\
RT-Updater.lnk - c:\ross-tech\VCDS\VCDS.exe [2008-8-14 1046016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-10 24576]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-6-25 614531]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-6-8 16432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170845904\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [12/5/2007 3:47 PM 20640]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2/23/2008 5:00 AM 54400]
S3 VAGUSB;VAGUSB.SYS USB Driver;c:\windows\system32\drivers\VAGUSB.sys [12/15/2005 9:27 AM 34639]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (1BRR9A1-R).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-10 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = localhost
Trusted Zone: musicmatch.com\online
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 19:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]
"ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-10-03 20:01
ComboFix-quarantined-files.txt 2009-10-03 01:00
ComboFix2.txt 2009-10-02 01:29
ComboFix3.txt 2009-10-01 11:00

Pre-Run: 17,584,066,560 bytes free
Post-Run: 17,543,823,360 bytes free

198 --- E O F --- 2009-09-10 20:48
 
So far I seem to be free of Google redirects, but I still can't get Spybot or Malware to run. If I could get them running I can get my McAfee up to date soon.
 
Hi,

Please copy this file to the same location with Spybot and drag'n'drop its exe files to the downloaded file. That should make Spybot workable. Repeat same thing with Malwarebytes' Anti-Malware.

Let me know how it goes.
 
Hi, I tried that to get Spybot and Malware running again, but it gave me the message Windows cannot access file program etc on both of them. It's enough for me to take this laptop into the woods with old man Pekka and finish it off :)
 
Did you do as instructed and download inherit.exe file to same folder with Spybot and then drag'n'drop .exe files in Spybot folder (c:\program files\spybot - search & destroy) to inherit.exe file? That should release the file lock. Same thing should be done with .exe files in c:\program files\Malwarebytes' Anti-Malware folder.
 
I just tried it again, same results. I noticed the Inherit program was blocked, so I unblocked it, but it still didn't work.
 
I got Ad-Aware to run and it found Win32/Vbimay, which I hope has been removed. Tried the Inherit program again, and it still is blocked or something, it wouldn't run.
 
Please run Win32kDiag and attach its report to your post.
 
Running from: C:\Documents and Settings\R\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\R\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!
 
Hi,

Download a fresh copy of inherit.exe and try with it. If it doesn't work please tell me step-by-step how you attempted to unlock exe files with it. I want to be sure it was done correctly.
 
Hello, I deleted my old Inherit files and downloaded new ones from the link in this thread. I saved Inherit to My Computer/C Drive/Program Files/Spybot, opened that folder up and saved it there. Also performed same save for Malware folder. I then opened folder, right-clicked on the Inherit file and unblocked it under Properties. Then I left-clicked and dragged the Inherit file to the top of the Spybot SDMain file and dropped it. Very briefly, for about one second, a blank black screen popped up and disappeared. I then tried to open Spybot, but the same Windows denied access message appears. I dragged and dropped the Inherit file to the Spybot Updater exe, and the Updater came on, ran and downloaded all the updates, still Spybot didn't run. I also went to desktop, tried the Spybot icon there, and did a fresh Inherit file download to Desktop and dragged and dropped to the Spybot shortcut from there.
I performed the same actions for Malware, the only difference being in the Malware folder, when I dragged and dropped Inherit on mbam.exe nothing happened at all, no quick black popup screen. Thanks
 
Something else, I tried to run Ad-Aware again to see if it turned anything up and it acted sluggishly, and wouldn't scan, kept giving various errors as to why it wouldn't work. Out of curiosity, I dragged and dropped the Inherit file onto it, and it worked much faster and did a full scan when requested. Nothing was found by it during the scan.
 
Hi,

Uninstall both Spybot & MBAM. Then reinstall to see if that solves the problem.
 
Hi, that gets me closer, uninstall/reinstall worked on Malware, but under Control Panel Spybot is no longer shown although it still has a folder under Program Files. It will not allow me to delete it and reinstall, I tried installing into the same folder and it wouldn't run, even with Inherit dropped on it. I ran Malware and it found about 16 infections on board, log created if needed. Thanks
 
Hi,

Navigate to the folder you want to own, and right click it. Select Properties from the context menu.
Click the Security tab, click the Advanced button, and click the Owner tab.
In the Name list under "Change owner to," click Administrators. To take over ownership of everything within a folder, check the box that says Replace owner on subcontainers and objects.

See if you're able to delete Spybot folder after that.

Kindly post that MBAM log that was created.
 
Malwarebytes' Anti-Malware 1.41
Database version: 2915
Windows 5.1.2600 Service Pack 3

10/6/2009 10:13:02 AM
mbam-log-2009-10-06 (10-12-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 166467
Time elapsed: 30 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxmvxmbwkm.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxnvyqqjlk.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxyrulvtmx.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wmdtc.exe.vir (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP252\A0057562.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP252\A0057563.dll (Rootkit.TDSS) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP252\A0057564.dll (Trojan.FakeAlert) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0057593.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0057637.sys (Worm.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0057803.sys (Worm.Agent) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP267\A0058663.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP267\A0058745.sys (Worm.Agent) -> No action taken.
C:\WINDOWS\system32\mdtdisk.sys (Spyware.OnlineGames) -> No action taken.
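Added example, not part of the original thread or of any tool used in it: a short Python triage of a Malwarebytes log in the format posted above, separating detections that sit in ComboFix's `C:\Qoobox\Quarantine` folder or in System Restore points from registry entries and files still in place, and listing everything still marked "No action taken". The function names and bucket labels are hypothetical; the sample is an excerpt of the log above.

```python
import re

# Excerpt of the MBAM log posted above (trimmed; the "Files Infected"
# count is adjusted to 4 so it matches the trimmed list).
SAMPLE_LOG = r"""Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 4

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> No action taken.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\wmdtc.exe.vir (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0057593.exe (Backdoor.Bot) -> No action taken.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP253\A0057637.sys (Worm.Agent) -> No action taken.
C:\WINDOWS\system32\mdtdisk.sys (Spyware.OnlineGames) -> No action taken.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ITEM = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary counts per section, list of detection dicts)."""
    counts, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif (m := ITEM.match(line)) and section:
            items.append({"section": section, **m.groupdict()})
    return counts, items

def classify(path):
    """Bucket a detection by where it lives (labels are hypothetical)."""
    p = path.lower()
    if p.startswith("hk"):
        return "registry"
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"   # already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "system-restore"        # copies held in restore points
    return "live-file"                 # still in its original location

def triage(text):
    counts, items = parse_mbam_log(text)
    buckets = {}
    for it in items:
        buckets.setdefault(classify(it["path"]), []).append(it)
    # A summary count that disagrees with the listed items means a truncated log.
    mismatches = {}
    for section, n in counts.items():
        listed = sum(1 for it in items if it["section"] == section)
        if listed != n:
            mismatches[section] = (n, listed)
    pending = [it for it in items if it["action"].lower() == "no action taken"]
    return buckets, mismatches, pending

if __name__ == "__main__":
    buckets, mismatches, pending = triage(SAMPLE_LOG)
    for label, found in sorted(buckets.items()):
        print(label, [f'{it["name"]}: {it["path"]}' for it in found])
    print("count mismatches:", mismatches, "| pending:", len(pending))
```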
 
Hello, tried the right click on folder and all I get is 3 options under Properties and they are General, Sharing and Customize. I looked at Malware's folder and it was the same as well, both are set to read only also, not sure if that's right? Thanks
 
Hi,

Did you let MBAM remove its findings?

To reveal the Security tab follow three simple steps:

1. Open Windows Explorer, and choose Folder Options from the Tools menu.
2. On the View tab, scroll to the bottom of the Advanced Settings and clear (click) the check box next to "Use Simple File Sharing."
3. Click OK to apply the change, and you should now have a Security tab.
 
Hello, I did allow Malware to remove the objects. Following your direction I did get a security tab to appear, but it still will not delete the folder. It keeps giving me a message Cannot delete SDHelper dll access is denied Make sure file is not write protected or in use.
 