Grinler's UNHIDE tool should restore them and resolve catalyst error but before that follow cottonball's suggestion to remove infections.
Slartybart and shawn77,
Thanks for the info!!
That is exactly where we are headed: get rid of the malware, and then use Grinler's unhide.exe.
RogueKiller, and in particular, FRST, should identify the Rootkit and anything else that is lurking in that system.
Trying to reveal the files and folders now is probably an exercise in futility...
Files should be in %temp%\smtmp\1,2,3,4
%Temp%\smtmp\1: files in there will go to C:\ProgramData\Microsoft\Windows\Start Menu
%Temp%\smtmp\2: files in there will go to C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
%Temp%\smtmp\3: files in there will go to C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4: files in there will go to C:\Users\Public\Desktop
Save the smtmp folder to a flash drive. Then remove the virus. Don't run any temp file remover programs like CCleaner.
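The restore mapping in the post above, written out as an added PowerShell script for an elevated prompt (this is not Grinler's Unhide and not code from anyone in this thread). It assumes the four smtmp subfolders map to the four destinations exactly as listed, copies rather than moves so the flash-drive backup of smtmp stays untouched, and clears the Hidden/System attributes on the copies. Run it with -WhatIf first to see what would be copied, and only after the infection has been removed.

```powershell
# Added example, not from the thread: put back the Start Menu, Quick Launch,
# pinned TaskBar and Public Desktop items that the scareware moved into
# %TEMP%\smtmp\1..4. Run from an elevated PowerShell prompt.
param(
    [string]$Source = (Join-Path $env:TEMP 'smtmp'),
    [switch]$WhatIf
)

# Destination for each numbered smtmp subfolder (assumed mapping, as listed in the post).
$map = @{
    '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
    '2' = Join-Path $env:APPDATA     'Microsoft\Internet Explorer\Quick Launch'
    '3' = Join-Path $env:APPDATA     'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
    '4' = Join-Path $env:PUBLIC      'Desktop'
}

if (-not (Test-Path -LiteralPath $Source)) {
    Write-Error "No $Source folder found; nothing to restore."
    exit 1
}

foreach ($n in ($map.Keys | Sort-Object)) {
    $from = Join-Path $Source $n
    $to   = $map[$n]
    if (-not (Test-Path -LiteralPath $from)) { Write-Host "skip: $from not present"; continue }
    if (-not (Test-Path -LiteralPath $to))   { New-Item -ItemType Directory -Path $to -Force -WhatIf:$WhatIf | Out-Null }

    # Copy (not move) so the smtmp backup on the flash drive stays intact, keeping the
    # relative folder layout, then clear the Hidden/System attributes the malware set.
    foreach ($item in (Get-ChildItem -LiteralPath $from -Recurse -Force)) {
        $rel  = $item.FullName.Substring($from.Length).TrimStart('\')
        $dest = Join-Path $to $rel
        if ($item.PSIsContainer) {
            if (-not (Test-Path -LiteralPath $dest)) {
                New-Item -ItemType Directory -Path $dest -Force -WhatIf:$WhatIf | Out-Null
            }
        } else {
            Copy-Item -LiteralPath $item.FullName -Destination $dest -Force -WhatIf:$WhatIf
            if (-not $WhatIf) { attrib -h -s "$dest" }
        }
    }
    Write-Host "restored $from -> $to"
}
```

Usage: `.\restore-smtmp.ps1 -WhatIf` to preview, then `.\restore-smtmp.ps1` to copy. If the smtmp folder was saved to a flash drive, point -Source at that copy (for example `-Source E:\smtmp`) instead of the live %TEMP%.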
Here is the text of the RogueKiller report (hope I did this correctly).
RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : mom [Admin rights]
Mode : Scan -- Date : 02/22/2013 11:58:29
| ARK || FAK || MBR |
¤¤¤ Bad processes : 6 ¤¤¤
[SUSP PATH] zuqeanypyqyb.exe -- C:\Users\mom\zuqeanypyqyb.exe [-] -> KILLED [TermProc]
[SUSP PATH] exp7E33.tmp.exe -- C:\Users\mom\AppData\Local\Temp\exp7E33.tmp.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [-] -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4093826796-1630646369-247549289-1000[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4093826796-1630646369-247549289-1000[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2555GSX ATA Device +++++
--- User ---
[MBR] ecb72268cfc86f4eba0f32634df3dadc
[BSP] 115bdc51753a8a8a697d04b3e5af154d : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 228693 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 471437312 | Size: 8281 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_02222013_02d1158.txt >>
RKreport[1]_S_02222013_02d1158.txt
I am not allowed to post the text from the FRST.txt file...it is too many characters? I can upload the file by FTP to my page, if that will work?
The FRST.txt file is here:
http://users.frii.com/viciii3/FRST.txt
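The report above flags two kinds of indicator: the ZeroAccess drop folder under C:\$Recycle.Bin\<user SID>\$<32 hex chars>\ holding the files "n" and "@" and the folders "U" and "L", and Run-key entries that launch an executable straight out of the user profile or AppData (KB01192703.exe, zuqeanypyqyb.exe). The following added PowerShell check (not RogueKiller's logic and not from anyone in this thread) re-checks both classes from an elevated prompt and only reports; it deletes nothing. The folder layout it looks for is assumed to be the one shown in the report, and the Run-key path pattern is an assumption that will also flag legitimate per-user updaters, so the output needs human review.

```powershell
# Added example, not from the thread: re-check the ZeroAccess indicators
# RogueKiller reported, without changing anything. Written for PowerShell 2.0+
# (Windows 7 default), hence no -Directory switch or [pscustomobject].
$hits = @()

# 1. ZeroAccess payload folder: $Recycle.Bin\<SID>\$<32 hex>\ containing n, @, U, L
#    (layout assumed from the report above).
$binRoot = Join-Path $env:SystemDrive '$Recycle.Bin'
$sidDirs = Get-ChildItem -LiteralPath $binRoot -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.PSIsContainer -and $_.Name -like 'S-1-5-21-*' }
foreach ($sidDir in @($sidDirs)) {
    $cands = Get-ChildItem -LiteralPath $sidDir.FullName -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer -and $_.Name -match '^\$[0-9a-f]{32}$' }
    foreach ($d in @($cands)) {
        $names   = @(Get-ChildItem -LiteralPath $d.FullName -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
        $present = @('n', '@', 'U', 'L' | Where-Object { $names -contains $_ })
        if ($present.Count -ge 2) {
            $hits += New-Object PSObject -Property @{
                Type   = 'ZeroAccess recycle-bin layout'
                Path   = $d.FullName
                Detail = ($present -join ',')
            }
        }
    }
}

# 2. Run-key values that start an .exe from C:\Users\<name>\ or from AppData,
#    as KB01192703.exe and zuqeanypyqyb.exe do in the report.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not Run values
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)\\Users\\[^\\]+\\(AppData\\|[^\\]+\.exe)') {
            $hits += New-Object PSObject -Property @{
                Type   = 'Run entry from user profile'
                Path   = "$key\$($p.Name)"
                Detail = $cmd
            }
        }
    }
}

if ($hits.Count -eq 0) {
    'no indicators found'
} else {
    $hits | Format-Table Type, Path, Detail -AutoSize -Wrap
}
```

The $Recycle.Bin check requires at least two of the four expected names so a lone stray file does not trigger it; the Run-key check is deliberately broad (anything executing from under C:\Users) because that is where both of the report's suspicious entries live, so expect to see legitimate entries alongside the bad ones and compare against the RogueKiller lines before deciding anything.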
Please run RogueKiller once again:
Close all windows and browsers
Right-click RogueKiller and select 'Run as Administrator'
Wait until the Prescan finishes
The Status box shows PreScan Finished
Press: Scan
When done, on the right, click: Delete (or Remove)
Wait until the Status box shows: Deleting Finished
Click on Report and provide the content of the new Rkreport (Mode: Remove) in your reply.
Looking at the FRST.txt, I see that you have adware by the name of Conduit. Also, a random-numbers .exe is running, which is located inside your registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run : KB01192703.exe
C:\Users\mom\AppData\Roaming\KB01192703.exe
Download Malwarebytes by clicking on this link Malwarebytes Anti-Malware - CNET Download.com and click on Download Now. Install the program, update the definitions and click on Start Trial. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for infections.
** Don't worry, it will remove whatever it finds even though it's a trial version.