Windows 7 Forums


Windows 7: Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.

20 Feb 2013   #11

32 bit
 
 

Grinler's UNHIDE tool should restore them and resolve the Catalyst error, but before that, follow Cottonball's suggestion to remove infections.


20 Feb 2013   #12

Windows 7 Home Premium
On East 4th Street, USA
 
 

Slartybart and shawn77,

Thanks for the info!!

That is exactly where we are headed: get rid of the malware, and then use Grinler's unhide.exe.

RogueKiller, and in particular, FRST, should identify the Rootkit and anything else that is lurking in that system.

Trying to reveal the files and folders now is probably an exercise in futility...
20 Feb 2013   #13

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Files should be in %temp%\smtmp\1,2,3,4

%Temp%\smtmp\1 files in there will go to C:\ProgramData\Microsoft\Windows\Start Menu

%Temp%\smtmp\2 files in there will go to C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

%Temp%\smtmp\3 files in there will go to C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

%Temp%\smtmp\4 files inside there will go to C:\Users\Public\Desktop

Save the smtmp folder to a flash drive. Then remove the virus. Don't run any temp file remover programs like CCleaner.
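The folder mapping from post #13, written out as a dry-run restore script. This is an added example, not part of the original posts; the parameter names `SmtmpRoot` and `Apply` are hypothetical, the environment variables stand in for the `<your login name here>` paths, and it assumes the backup still has the 1 to 4 subfolder layout and is run as the affected user after the infection is removed.

```powershell
# Added example: restore the smtmp backup to the locations listed in post #13.
# Without -Apply it only lists what would be copied; existing files are never overwritten.
param(
    [string]$SmtmpRoot = (Join-Path $env:TEMP 'smtmp'),  # or the copy on the flash drive
    [switch]$Apply
)

# Subfolder -> destination, as given in the post
$map = @{
    '1' = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
    '2' = (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
    '3' = (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
    '4' = (Join-Path $env:PUBLIC 'Desktop')
}

foreach ($entry in $map.GetEnumerator()) {
    $src = Join-Path $SmtmpRoot $entry.Key
    if (-not (Test-Path -LiteralPath $src -PathType Container)) {
        Write-Warning "Missing backup folder: $src"
        continue
    }
    # Resolve to a full path so relative paths inside the backup can be computed
    $src = (Get-Item -LiteralPath $src -Force).FullName

    # -Force includes files that still carry the hidden attribute
    Get-ChildItem -LiteralPath $src -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $relative = $_.FullName.Substring($src.Length).TrimStart('\')
            $target   = Join-Path $entry.Value $relative
            if (Test-Path -LiteralPath $target) {
                Write-Output "SKIP (exists): $target"
            }
            elseif ($Apply) {
                $parent = Split-Path $target -Parent
                New-Item -ItemType Directory -Path $parent -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target
                Write-Output "COPIED: $target"
            }
            else {
                Write-Output "WOULD COPY: $($_.FullName) -> $target"
            }
        }
}
```

Review the dry-run listing first, then rerun with `-Apply`; the script copies rather than moves, so the smtmp backup stays intact.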


20 Feb 2013   #14

Windows 7 Home Premium
On East 4th Street, USA
 
 

Thanks for the info, VistaKing!

Y'all making this easier, keep 'em coming!
20 Feb 2013   #15

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

No problem, Cottonball.
22 Feb 2013   #16

Windows 7 home premium 32bit
 
 

Here is the text of the RogueKiller report (hope I did this correctly).

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : mom [Admin rights]
Mode : Scan -- Date : 02/22/2013 11:58:29
| ARK || FAK || MBR |
¤¤¤ Bad processes : 6 ¤¤¤
[SUSP PATH] zuqeanypyqyb.exe -- C:\Users\mom\zuqeanypyqyb.exe [-] -> KILLED [TermProc]
[SUSP PATH] exp7E33.tmp.exe -- C:\Users\mom\AppData\Local\Temp\exp7E33.tmp.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [-] -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4093826796-1630646369-247549289-1000[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4093826796-1630646369-247549289-1000[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2555GSX ATA Device +++++
--- User ---
[MBR] ecb72268cfc86f4eba0f32634df3dadc
[BSP] 115bdc51753a8a8a697d04b3e5af154d : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 228693 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 471437312 | Size: 8281 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_02222013_02d1158.txt >>
RKreport[1]_S_02222013_02d1158.txt
22 Feb 2013   #17

Windows 7 home premium 32bit
 
 

I am not allowed to post the text from the FRST.txt file...it is too many characters? I can upload the file by FTP to my page, if that will work?
22 Feb 2013   #18

Windows 7 home premium 32bit
 
 

The FRST.txt file is here:

http://users.frii.com/viciii3/FRST.txt
22 Feb 2013   #19

Windows 7 Home Premium
On East 4th Street, USA
 
 

Please run RogueKiller once again:

Close all windows and browsers
Right-click RogueKiller and select 'Run as Administrator'

Wait until the Prescan finishes
The Status box shows PreScan Finished
Press: Scan

When done, on the right, click: Delete (or Remove)
Wait until the Status box shows: Deleting Finished
Click on Report and provide the content of the new Rkreport (Mode: Remove) in your reply.
22 Feb 2013   #20

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Looking at the FRST.txt, I see that you have adware by the name of Conduit. Also, random numbers.exe is running, which is located inside your registry.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run : KB01192703.exe
C:\Users\mom\AppData\Roaming\KB01192703.exe

Download Malwarebytes by clicking on this link, Malwarebytes Anti-Malware - CNET Download.com, and click on Download Now. Install the program, update the definitions, and click on Start Trial. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for infections.

** Don't worry, it will remove whatever it finds even though it's a trial version.