My computer is infected with some sort of malware called AntiMalware Doctor. This is like a scanning program that appears to pop up and scan my computer. It also has a windows security logo that pops up on my taskbar. Aside from getting scan popups, the main problem is that I am unable to open any .exe files as it states that I may not have permission to open them. The exact error is as follows:
"Windows cannot access the specific file. You may not have permission to access the item."

This means that I cannot run atfcleaner, the GMER tool or DDS. I can only run Malwarebytes Antimalware as this was already installed on my computer. I did a full scan with Malwarebytes and it detected the trojans and rogue software. I selected remove all and restarted the computer. However, upon restart the popups etc. returned.

I would appreciate any help...thanks

Malwarebytes' Anti-Malware 1.46

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

7/15/2010 8:42:07 AM
mbam-log-2010-07-15 (08-42-07).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 318258
Time elapsed: 3 hour(s), 54 minute(s), 17 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
C:\WINDOWS\system32\ (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\iexplorer.exe (Malware.Packer.Gen) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{fe5b2d9d-91b0-b04b-ac20-14a260769687} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tddkki (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\cwaoxsemrn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{a3108a80-e87c-fb53-f541-fd59cd03b63a}\components\49RNyXkQxtZj7_y.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDdKkI.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\k0w3o.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\HP_Owner.HP\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.HP\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.HP\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\service.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\HP_Owner.HP\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Delete on reboot.


Hello, try this. I want you to try running rkill to stop the process which is likely running in the background and therefore stopping the tools you need from running properly. Follow these steps exactly and then post the logs:
There are five different copies of rkill. Try them one at a time until ONE of them works.
These instructions are from BleepingComputer, the developer of the tool.
"RKill only terminates processes, after running it you should not reboot your computer as any malware processes that are set to start automatically, will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program.
RKill can be downloaded from the following locations. Please note that the other file names below are RKill as well, just renamed in order to allow it to run despite certain malware.

* Download Link
* RKill.exe Download Link
* RKill.scr Download Link
* eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
* iExplore.exe Download Link

When RKill is run it will display a console screen.
That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill while RKill was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected.
These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:

1. When you receive the warning message, leave the message on the screen and try running RKill again.
2. If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware"

Once rkill has completed disabling the infection process, update MBA-M and run a Full Scan with it. Have it Remove Everything Found.
Reboot the system; this is very important.

Then see if you can run the steps in the Read Me sticky that you attempted earlier and post the logs here.
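As an added example (not from the thread, RKill or MBAM), a read-only PowerShell triage script that surfaces the classes of artifact the log above shows: processes running from a user Temp folder or reusing a System32 binary name from another location, the two Explorer/System policy values MBAM reset from 1 to 0, and Run entries pointing into Temp. It assumes PowerShell can be launched on the machine, which the poster's block on .exe files may prevent until it is cleared; it only reports and changes nothing.

```powershell
# Added example, not from the thread or the tools it names. Read-only triage.
# Legitimate copies of these names live in %SystemRoot%\System32; the MBAM log
# above shows copies in a user's Local Settings\Temp instead.
$systemNames = 'lsass.exe', 'svchost.exe', 'taskmgr.exe'
$tempRoot    = [IO.Path]::GetFullPath($env:TEMP).ToLower()

# 1. Running processes that live in Temp, or wear a System32 name from elsewhere.
Get-WmiObject Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) { return }                      # system/idle processes have no path
    $name   = [IO.Path]::GetFileName($path).ToLower()
    $inTemp = $path.ToLower().StartsWith($tempRoot)
    $masked = ($systemNames -contains $name) -and
              ($path -notlike "$env:SystemRoot\System32\*")
    if ($inTemp -or $masked) {
        "[process] PID {0,-6} {1}" -f $_.ProcessId, $path
    }
}

# 2. Policy values the log lists as Bad: (1) Good: (0).
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v -eq 1) { "[policy ] {0}\{1} = 1 (expected 0)" -f $p.Key, $p.Name }
}

# 3. Run-key entries whose command points into a Temp folder (as Run\net did).
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }    # skip PSPath, PSParentPath, ...
        if ("$($prop.Value)" -match '(?i)\\Local Settings\\Temp\\|\\AppData\\Local\\Temp\\') {
            "[run    ] {0}\{1} -> {2}" -f $run, $prop.Name, $prop.Value
        }
    }
}
```

Anything it prints is a lead to compare against the MBAM log, not a verdict; a clean run after the reboot is one way to confirm the "Delete on reboot" items did not come back.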

Thanks for the quick reply.

I am still unable to run any of the exe files and I get the same message.

Did you attempt to run any of those rkill files? Not all of them are .exe files.

My own problem with Malware Doctor is that having thought I had removed it, my laptop now crashes regularly and also tries to send out emails (which ESET seems to be stopping).
I am currently trying a full scan of Antimalware in safe mode at the moment because I think something nasty was running in the background and taking up all my RAM.
I'll try RKill and see what that does for me after this scan and reboot: any other ideas?

any other ideas?

Yes. Read the sticky (Read Me) at the head of the forum and do not hijack other members' threads please.
