Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.



Windows 7: Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.

20 Feb 2013   #1

Windows 7 home premium 32bit
 
 
Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.

The problem:
Yesterday my wife contracted some type of oogliness on her Toshiba laptop. On system start up the desktop would have many system error messages, one on top of the other. Also a message "Catalyst Control Center: host application has stopped working" and when attempting to open Thunderbird a message that "Thunderbird window is already open. Close window or restart computer" (or some thing like that). All her picture libraries were gone (I've only managed to recover 2 of them) and who knows what else may have been lost. This morning I had a phone call from our ISP telling us that her email account was shut down after they noticed a huge flood of emails outgoing and many of her friends called to say they had suspicious emails from her account.

What I have done, so far:
We called and texted everyone we could think of with a warning not to open any emails from her account. I performed a system restore to a point one week ago. This got rid of all the system error messages on startup but did nothing to fix the Thunderbird issue, the Catalyst Control Center error or bring back the many missing picture libraries. As I said, I recovered only 2 folders of pictures...the rest appear to be gone. I tried installing a newer version of Thunderbird over the old one...hoping to save the email program and I downloaded and installed the latest drivers from AMD. Neither of these fixed anything.

I believe the system may be a lost cause and might require a reformat and reinstall from the recovery disks we created when we unpacked the laptop originally. I would, however, like to find out what really happened before doing that? Her system runs MS Security Essential and SpywareBlaster (both woefully out of date at the time...my bad). I updated MSSE and performed a scan which found the following:
TrojanDownloader:Win32/Dofoil.O (Removed)
TrojanDownloader:Win32/Dofoil.O (Quarantined)
TrojanDownloader:Win32/Cutwail.BS (Quarantined).

This is where I'm at, at this point. If it can be cleaned up and returned to good operation with all missing files recovered, so much the better. If not, I would still like to figure out how and what happened before doing a complete reformat and reinstall.

I have OTL downloaded on her computer and await any direction you can give.

Thank you very much, gang.

Vic

My System SpecsSystem Spec
.

20 Feb 2013   #2

Windows 7 Home Premium
 
 

viciii3,

Let's approach the issue in a mode before Windows starts.

Need some information in order to proceed...

Confirming the Operating System on the involved computer is Windows Seven 32-bit.

Also, do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:

Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Is the Repair your computer option listed?
If you do not have the option above, do you have your Windows installation CD/DVD available?



And last, do you have a clean USB flash drive available, and do you have access to another computer?
My System SpecsSystem Spec
20 Feb 2013   #3

Windows 7 home premium 32bit
 
 

The OS is Windows 7 32bit
I do have the "repair your computer" option in the advanced boot options menu.
I do not have a Windows installation CD...the laptop did not come with one.
I do have 3 recovery disks created when we first started the computer. (2 recovery disks and a Toshiba software and drivers disk).

I do not have a clean USB flash drive (but I can get one).
I do have access to another computer (which I am using now).
My System SpecsSystem Spec
.


20 Feb 2013   #4

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Try this out

Click Computer,
In the Address bar type %AppData%,
This should take you to the Appdata/Roaming folder,
Navigate to AppData\Roaming\Microsoft\Windows\Libraries.
Make sure the folder and it contents are not hidden.
Right click the folder or files or libraries and click properties.
Uncheck the “Hidden” attribute check box.
For good measure make sure the “Read-Only” attribute check box is not checked.
Log off and log back on to apply changes.

If that doesn't help try this

Click Computer.
Right click libraries on the left hand side in the navigation bar.
Click restore default libraries.
My System SpecsSystem Spec
20 Feb 2013   #5

Windows 7 home premium 32bit
 
 

VistaKing...these things are already tried...it is how I managed to recover 2 picture folders. Many more folders are still missing, however.

I hope you will understand that I do appreciate your input but, as cottonball seems to have a plan, I do not want to confuse the issue by doing more than one thing at a time. I will wait for cottonball to tell me what he needs me to do.

Again, I certainly appreciate your input...thank you.
My System SpecsSystem Spec
20 Feb 2013   #6

Windows 7 Home Premium
 
 

viciii3,

Here we go, but you do need a USB flash drive...

You may want to print these instructions so you can have access to follow them.
Also, you may want to read them once befor you apply them.


Please plug a USB flash drive into a clean computer.


Go to Start > Computer
  • Double-click Computer, and select the flash drive.
  • Right-click and select: Format
  • Press Start on the Format prompt.
Next, download Farbar Recovery Scan Tool:


Farbar Recovery Scan Tool Download
Select the 32-bit download.


Save the program to the >>> USB flash drive.
Remove the drive from the clean computer.


Next, plug the flash drive into the infected computer.




>>>Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select your language settings, and click: Next
  • Select your User account and click: OK (If you did not set a password, leave blank.)
On the System Recovery Options menu you get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Scan your computer's memory for errors.
  • Command Prompt
Select: Command Prompt
  • In the Command window, at the bliking cursor type notepad and press: Enter
  • In Notepad, under the File menu select: Open
  • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
  • Close out of Notepad.
  • Click the Command window
  • Type x:\frst.exe, and press: Enter
    Note: Replace the drive letter x with the drive letter of your flash drive!
The tool starts and prepares to run. Follow the prompts.
  • Click Yes to the disclaimer.
  • Press: Scan
  • When done, the program saves the FRST.txt report, on the flash drive.
Click the Command prompt window, and type exit, and press: Enter




Back at the System Recovery Options, press: Restart


When the computer boots back into Windows, please provide the FRST.txt in your reply.
It is located in the USB flash drive.
My System SpecsSystem Spec
20 Feb 2013   #7

Windows 7 home premium 32bit
 
 

OK...I will do this tomorrow when I have a flash drive in hand. I will then get back to you here.

Thanks man.

Vic
My System SpecsSystem Spec
20 Feb 2013   #8

Windows 7 Home Premium
 
 

Fine, whenever you are ready.

In the meantime, if you can run programs from the infected computer, do the following:


Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement


Select the version that applies to your system: (the blue button without x64)
Click the blue button to download.

Save to the Desktop


Close all windows and browsers...

Right-click RogueKiller and select 'Run as Administrator'

Press: SCAN


A report opens on the Desktop: RKreport.txt


Please provide the RKreport.txt (Mode: Scan) in your reply.
(Please do not delete anything!)
My System SpecsSystem Spec
20 Feb 2013   #9

x64 (6.1.7601) Win7_SP1 HomePrem
 
 

@viciii3: Once you're sure that your system is clean - cottonball is very good so definitely keep following his (avatar looks male to me) advice - please advise on Libraries missing.

Libraries only point to real locations and present contents from those locations in one place. If you look at the acutal file for a library, it isn't much more than an XML file. What I'm trying to determine is whether the library-ms file was corrupted or if the files it referenced wre corrupted. sometimes viruses just make us panic into thinking they
did more dmage.

I'm not sure, that's why I ask.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="Error">
  <name>@shell32.dll,-34620</name>
  <ownerSID>S-1-5-21-1645956821-2123721666-1853574476-1000</ownerSID>
  <version>20</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1005</iconReference>
  <templateInfo>
    <folderType>{5fa96407-7e77-483c-ac93-691d05850de8}</folderType>
  </templateInfo>
  <propertyStore>
    <property name="HasModifiedLocations" type="boolean"><![CDATA[true]]></property>
  </propertyStore>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>true</isSupported>
      <simpleLocation>
        <url>E:\DefLocs\DFL_Videos</url>
        <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAA0hmhgM7b3cA6LJwZtB8NHg+SCcWbAfzBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAsNAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8SR6wFAAAAAAAAAAAAAAAAAAAAAAAAASBQMAAAAAAQkBtxAQgCRlZGTvN2cAwDAIAABA8uvRGE2CEZQbMgKAAAAJVBAAAAAMAAAAAAAAAAAAAAAAAAAAQEAlBgZAwEAvBwYAMHAAAgFAoFAxAAAAAAArIU8FGBCEZETfZVS+FDAAIEAIAABA8uvRGU+CsiQxXoKAAAALVBAAAAADAAAAAAAAAAAAAAAAAAAAQEAGBATA8FAWBQaAQGAlBwbAMHAAAAGAAAAOBAAAwBAAAQAAAAAcAAAAcDAAAAAAAAANBAAAsBAAAwAAAAA8tJGyCBAAAAM0ACTpJmchJXeAUkOcRUZmx0bjNHXEZETfZVakV2bzBAAoAAAAkAAAAKHAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5MAAAAAAAAAAAGAAAwAAAAoYBAAAAAAAAQZpRmd2AAAAAAAAAAAAAAAawDe2hm25BUmoIOe++Yb6B0Q5WDnHJeEhOAfpPd+MHsG8gndopdeAlJKijnvP2meANUu1w5RiHRoDwX6TnPzBDAAAAA</serialized>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <isDefaultSaveLocation>false</isDefaultSaveLocation>
      <isSupported>true</isSupported>
      <simpleLocation>
        <url>I:\402_Videos</url>
        <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAAs9wwLbPX0cA0qv8zr2BOHAt6L/8qdgzBAAwAAAAAAAABAAAAAAAAAAAAAAAAAAAAkIAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8SS6wFAAAAAAAAAAAAAAAAAAAAAAAAAaBQMAAAAAAgSCpaRRgANwIzXWlkfxAAACBACAQAAv7riAZhiKJkqFpCAAAwyCAAAAAgAAAAAAAAAAAAAAAAAAAAA0AAMAIDAfBgVAkGAkBQZA8GAzBAAAgBAAAQRAAAAcAAAAEAAAAAHAAAA2AAAAAAAAAARAAAAaAAAAMAAAAgvExIBQAAAAQDMyASTlRWahBQS6wFNwIzXWlGZl92cAAAKAAAAJAAAgyBAAAQMTB1UirIWGxLT4M0u8PxkmgZbODAAAAAAAAAAgBAAAMAAAAKWAAAAAAAAAUWakZnNAAAAAAAAAAAAAAA+WXvuhiuVPRq6AbI+FoVJJYDjZGCRiHBqSyX6TnPzBjv11rboob1TkqOwGifBaVSC2wYmhQk4Rgqk8l+05zcwAAAAAA</serialized>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <isDefaultSaveLocation>false</isDefaultSaveLocation>
      <simpleLocation>
        <url>R:\403_Videos</url>
        <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAA8X8lVjQY3cAEts9zr2BOHARLb/8qdgzBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkIAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8iU6wFAAAAAAAAAAAAAAAAAAAAAAAAAaBQMAAAAAAgSCpaRRgANwMzXWlkfxAAACBACAQAAv7LjBdyQKJkqFpCAAAQuRAAAAAgAAAAAAAAAAAAAAAAAAAAA0AAMAMDAfBgVAkGAkBQZA8GAzBAAAgBAAAARAAAAcAAAAEAAAAAHAAAA1AAAAAAAAAwQAAAAZAAAAMAAAAQaX4taQAAAAQDMzAiR1J3cAIlOcRDMz8lVpRWZvNHAAAGAAAwAAAAoYBAAAAAAAAQZpRmd2AAAAAAAAAAAAAAAOidEAlcq/0EvEW8OX0JIMBtNMmZIEJeEoKJfpPd+MHsjYHBQJn6PNxLhFvzFdCCTQbDjZGCRiHBqSyX6TnPzBjCAAAQCAAAocAAAAEzUQNl4KilR8yEODtL/TMpJY2mzAAAAAAAAAAAAAAAA</serialized>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
My System SpecsSystem Spec
20 Feb 2013   #10

x64 (6.1.7601) Win7_SP1 HomePrem
 
 

Virus info:
Encyclopedia entry: TrojanDownloader:Win32/Dofoil.D
Encyclopedia entry: Win32/Cutwail - according to MS this is a rootkit.

You're in good hands with Cotton - Good luck,

Bill
.
My System SpecsSystem Spec
Reply

 Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.





Thread Tools



Similar help and support threads for2: Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.
Thread Forum
How do I open XP icon libraries which have libraries within them General Discussion
Help! Catalyst 12.2 wont open. Graphic Cards
PC keeps restarting, seemingly at random, recent PSU and virus issues. BSOD Help and Support
Lost ALL Photos and Videos in Libraries/Album Art Screwed Up :o Music, Pictures & Video
Lost Libraries General Discussion
Win 7 SP1 cannot open Mozilla Thunderbird Windows Updates & Activation
Cant Open CCC (Catalyst Control Center) Graphic Cards

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 07:15 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33