Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.


  1. Posts : 12
    Windows 7 home premium 32bit
       #1


    The problem:
    Yesterday my wife contracted some type of oogliness on her Toshiba laptop. On system startup the desktop would have many system error messages, one on top of the other. Also a message "Catalyst Control Center: host application has stopped working" and when attempting to open Thunderbird a message that "Thunderbird window is already open. Close window or restart computer" (or something like that). All her picture libraries were gone (I've only managed to recover 2 of them) and who knows what else may have been lost. This morning I had a phone call from our ISP telling us that her email account was shut down after they noticed a huge flood of emails outgoing and many of her friends called to say they had suspicious emails from her account.

    What I have done, so far:
    We called and texted everyone we could think of with a warning not to open any emails from her account. I performed a system restore to a point one week ago. This got rid of all the system error messages on startup but did nothing to fix the Thunderbird issue, the Catalyst Control Center error or bring back the many missing picture libraries. As I said, I recovered only 2 folders of pictures...the rest appear to be gone. I tried installing a newer version of Thunderbird over the old one...hoping to save the email program and I downloaded and installed the latest drivers from AMD. Neither of these fixed anything.

    I believe the system may be a lost cause and might require a reformat and reinstall from the recovery disks we created when we unpacked the laptop originally. I would, however, like to find out what really happened before doing that. Her system runs MS Security Essentials and SpywareBlaster (both woefully out of date at the time...my bad). I updated MSSE and performed a scan which found the following:
    TrojanDownloader:Win32/Dofoil.O (Removed)
    TrojanDownloader:Win32/Dofoil.O (Quarantined)
    TrojanDownloader:Win32/Cutwail.BS (Quarantined).

    This is where I'm at, at this point. If it can be cleaned up and returned to good operation with all missing files recovered, so much the better. If not, I would still like to figure out how and what happened before doing a complete reformat and reinstall.

    I have OTL downloaded on her computer and await any direction you can give.

    Thank you very much, gang.

    Vic


  2. Posts : 2,470
    Windows 7 Home Premium
       #2

    viciii3,

    Let's approach the issue in a mode before Windows starts.

    Need some information in order to proceed...

    Confirming the Operating System on the involved computer is Windows Seven 32-bit.

    Also, do you have the Repair your computer option in the Advanced Boot Options menu?

    To find out:

    Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
    • Is the Repair your computer option listed?
    If you do not have the option above, do you have your Windows installation CD/DVD available?



    And last, do you have a clean USB flash drive available, and do you have access to another computer?


  3. Posts : 12
    Windows 7 home premium 32bit
    Thread Starter
       #3

    The OS is Windows 7 32bit
    I do have the "repair your computer" option in the advanced boot options menu.
    I do not have a Windows installation CD...the laptop did not come with one.
    I do have 3 recovery disks created when we first started the computer. (2 recovery disks and a Toshiba software and drivers disk).

    I do not have a clean USB flash drive (but I can get one).
    I do have access to another computer (which I am using now).


  4. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #4

    Try this out

    Click Computer,
    In the Address bar type %AppData%,
    This should take you to the Appdata/Roaming folder,
    Navigate to AppData\Roaming\Microsoft\Windows\Libraries.
    Make sure the folder and it contents are not hidden.
    Right click the folder or files or libraries and click properties.
    Uncheck the “Hidden” attribute check box.
    For good measure make sure the “Read-Only” attribute check box is not checked.
    Log off and log back on to apply changes.

    If that doesn't help try this

    Click Computer.
    Right click libraries on the left hand side in the navigation bar.
    Click restore default libraries.


  5. Posts : 12
    Windows 7 home premium 32bit
    Thread Starter
       #5

    VistaKing...these things are already tried...it is how I managed to recover 2 picture folders. Many more folders are still missing, however.

    I hope you will understand that I do appreciate your input but, as cottonball seems to have a plan, I do not want to confuse the issue by doing more than one thing at a time. I will wait for cottonball to tell me what he needs me to do.

    Again, I certainly appreciate your input...thank you.


  6. Posts : 2,470
    Windows 7 Home Premium
       #6

    viciii3,

    Here we go, but you do need a USB flash drive...

    You may want to print these instructions so you can have access to follow them.
    Also, you may want to read them once before you apply them.


    Please plug a USB flash drive into a clean computer.


    Go to Start > Computer
    • Double-click Computer, and select the flash drive.
    • Right-click and select: Format
    • Press Start on the Format prompt.

    Next, download Farbar Recovery Scan Tool:


    Farbar Recovery Scan Tool Download
    Select the 32-bit download.


    Save the program to the >>> USB flash drive.
    Remove the drive from the clean computer.


    Next, plug the flash drive into the infected computer.




    >>>Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select your language settings, and click: Next
    • Select your User account and click: OK (If you did not set a password, leave blank.)
    On the System Recovery Options menu you get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Scan your computer's memory for errors.
    • Command Prompt
    Select: Command Prompt
    • In the Command window, at the blinking cursor type notepad and press: Enter
    • In Notepad, under the File menu select: Open
    • Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
    • Close out of Notepad.
    • Click the Command window
    • Type x:\frst.exe, and press: Enter
      Note: Replace the drive letter x with the drive letter of your flash drive!
    The tool starts and prepares to run. Follow the prompts.
    • Click Yes to the disclaimer.
    • Press: Scan
    • When done, the program saves the FRST.txt report, on the flash drive.
    Click the Command prompt window, and type exit, and press: Enter




    Back at the System Recovery Options, press: Restart


    When the computer boots back into Windows, please provide the FRST.txt in your reply.
    It is located in the USB flash drive.


  7. Posts : 12
    Windows 7 home premium 32bit
    Thread Starter
       #7

    OK...I will do this tomorrow when I have a flash drive in hand. I will then get back to you here.

    Thanks man.

    Vic


  8. Posts : 2,470
    Windows 7 Home Premium
       #8

    Fine, whenever you are ready.

    In the meantime, if you can run programs from the infected computer, do the following:


    Please download RogueKiller:
    Télécharger RogueKiller (Site Officiel)

    When you get to the website, go to where it says:
    (Download link) Lien de téléchargement


    Select the version that applies to your system: (the blue button without x64)
    Click the blue button to download.

    Save to the Desktop


    Close all windows and browsers...

    Right-click RogueKiller and select 'Run as Administrator'

    Press: SCAN


    A report opens on the Desktop: RKreport.txt


    Please provide the RKreport.txt (Mode: Scan) in your reply.
    (Please do not delete anything!)


  9. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #9

    @viciii3: Once you're sure that your system is clean - cottonball is very good so definitely keep following his (avatar looks male to me) advice - please advise on Libraries missing.

    Libraries only point to real locations and present contents from those locations in one place. If you look at the actual file for a library, it isn't much more than an XML file. What I'm trying to determine is whether the library-ms file was corrupted or if the files it referenced were corrupted. Sometimes viruses just make us panic into thinking they did more damage.

    I'm not sure, that's why I ask.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
      <name>@shell32.dll,-34620</name>
      <ownerSID>S-1-5-21-1645956821-2123721666-1853574476-1000</ownerSID>
      <version>20</version>
      <isLibraryPinned>true</isLibraryPinned>
      <iconReference>imageres.dll,-1005</iconReference>
      <templateInfo>
        <folderType>{5fa96407-7e77-483c-ac93-691d05850de8}</folderType>
      </templateInfo>
      <propertyStore>
        <property name="HasModifiedLocations" type="boolean"><![CDATA[true]]></property>
      </propertyStore>
      <searchConnectorDescriptionList>
        <searchConnectorDescription>
          <isDefaultSaveLocation>true</isDefaultSaveLocation>
          <isSupported>true</isSupported>
          <simpleLocation>
            <url>E:\DefLocs\DFL_Videos</url>
            <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAA0hmhgM7b3cA6LJwZtB8NHg+SCcWbAfzBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAsNAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8SR6wFAAAAAAAAAAAAAAAAAAAAAAAAASBQMAAAAAAQkBtxAQgCRlZGTvN2cAwDAIAABA8uvRGE2CEZQbMgKAAAAJVBAAAAAMAAAAAAAAAAAAAAAAAAAAQEAlBgZAwEAvBwYAMHAAAgFAoFAxAAAAAAArIU8FGBCEZETfZVS+FDAAIEAIAABA8uvRGU+CsiQxXoKAAAALVBAAAAADAAAAAAAAAAAAAAAAAAAAQEAGBATA8FAWBQaAQGAlBwbAMHAAAAGAAAAOBAAAwBAAAQAAAAAcAAAAcDAAAAAAAAANBAAAsBAAAwAAAAA8tJGyCBAAAAM0ACTpJmchJXeAUkOcRUZmx0bjNHXEZETfZVakV2bzBAAoAAAAkAAAAKHAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5MAAAAAAAAAAAGAAAwAAAAoYBAAAAAAAAQZpRmd2AAAAAAAAAAAAAAAawDe2hm25BUmoIOe++Yb6B0Q5WDnHJeEhOAfpPd+MHsG8gndopdeAlJKijnvP2meANUu1w5RiHRoDwX6TnPzBDAAAAA</serialized>
          </simpleLocation>
        </searchConnectorDescription>
        <searchConnectorDescription>
          <isDefaultSaveLocation>false</isDefaultSaveLocation>
          <isSupported>true</isSupported>
          <simpleLocation>
            <url>I:\402_Videos</url>
            <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAAs9wwLbPX0cA0qv8zr2BOHAt6L/8qdgzBAAwAAAAAAAABAAAAAAAAAAAAAAAAAAAAkIAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8SS6wFAAAAAAAAAAAAAAAAAAAAAAAAAaBQMAAAAAAgSCpaRRgANwIzXWlkfxAAACBACAQAAv7riAZhiKJkqFpCAAAwyCAAAAAgAAAAAAAAAAAAAAAAAAAAA0AAMAIDAfBgVAkGAkBQZA8GAzBAAAgBAAAQRAAAAcAAAAEAAAAAHAAAA2AAAAAAAAAARAAAAaAAAAMAAAAgvExIBQAAAAQDMyASTlRWahBQS6wFNwIzXWlGZl92cAAAKAAAAJAAAgyBAAAQMTB1UirIWGxLT4M0u8PxkmgZbODAAAAAAAAAAgBAAAMAAAAKWAAAAAAAAAUWakZnNAAAAAAAAAAAAAAA+WXvuhiuVPRq6AbI+FoVJJYDjZGCRiHBqSyX6TnPzBjv11rboob1TkqOwGifBaVSC2wYmhQk4Rgqk8l+05zcwAAAAAA</serialized>
          </simpleLocation>
        </searchConnectorDescription>
        <searchConnectorDescription>
          <isDefaultSaveLocation>false</isDefaultSaveLocation>
          <simpleLocation>
            <url>R:\403_Videos</url>
            <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAA8X8lVjQY3cAEts9zr2BOHARLb/8qdgzBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkIAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8iU6wFAAAAAAAAAAAAAAAAAAAAAAAAAaBQMAAAAAAgSCpaRRgANwMzXWlkfxAAACBACAQAAv7LjBdyQKJkqFpCAAAQuRAAAAAgAAAAAAAAAAAAAAAAAAAAA0AAMAMDAfBgVAkGAkBQZA8GAzBAAAgBAAAARAAAAcAAAAEAAAAAHAAAA1AAAAAAAAAwQAAAAZAAAAMAAAAQaX4taQAAAAQDMzAiR1J3cAIlOcRDMz8lVpRWZvNHAAAGAAAwAAAAoYBAAAAAAAAQZpRmd2AAAAAAAAAAAAAAAOidEAlcq/0EvEW8OX0JIMBtNMmZIEJeEoKJfpPd+MHsjYHBQJn6PNxLhFvzFdCCTQbDjZGCRiHBqSyX6TnPzBjCAAAQCAAAocAAAAEzUQNl4KilR8yEODtL/TMpJY2mzAAAAAAAAAAAAAAAA</serialized>
          </simpleLocation>
        </searchConnectorDescription>
      </searchConnectorDescriptionList>
    </libraryDescription>
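The question raised in post #9 (is the library-ms pointer file itself damaged, or are the folders it references missing or hidden, as post #4 checks by hand) can be answered per file. The following is an added Python example, not part of any post in this thread; the file and folder names are constructed, and tags are matched by local name so a definition with an unexpected xmlns value still parses.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; absent on other OSes
# Constructed sample, trimmed to the elements the triage reads.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation>
      <url>{0}</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation>
      <url>{1}</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

def location_status(url):
    """Classify one <url> value from a library definition."""
    if url.lower().startswith("knownfolder:"):
        return "knownfolder"  # shell GUID reference, not resolved here
    if not os.path.isdir(url):
        return "missing"      # folder gone, or its drive is not attached
    attrs = getattr(os.stat(url), "st_file_attributes", 0)
    return "hidden" if attrs & FILE_ATTRIBUTE_HIDDEN else "present"

def triage_library(path):
    """Return ('corrupt', []) or ('parsed', [(url, status), ...])."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return "corrupt", []  # the pointer file itself is damaged
    # Compare local tag names so any xmlns value is accepted.
    urls = [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "url" and el.text]
    return "parsed", [(u, location_status(u)) for u in urls]

def demo():
    """Triage two constructed library files in a temporary folder."""
    with tempfile.TemporaryDirectory() as tmp:
        kept = os.path.join(tmp, "Holiday")
        os.mkdir(kept)
        good, bad = (os.path.join(tmp, n + ".library-ms") for n in ("Pictures", "Videos"))
        with open(good, "w", encoding="utf-8") as f:
            f.write(SAMPLE.format(kept, os.path.join(tmp, "Gone")))
        with open(bad, "w", encoding="utf-8") as f:
            f.write(SAMPLE[:120])  # truncated file: no longer well-formed XML
        return triage_library(good), triage_library(bad)

if __name__ == "__main__":
    print(demo())
```

A "corrupt" result means only the pointer file needs rebuilding, while "missing" or "hidden" entries point at the picture folders themselves.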


  10. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #10

    Virus info:
    Encyclopedia entry: TrojanDownloader:Win32/Dofoil.D
    Encyclopedia entry: Win32/Cutwail - according to MS this is a rootkit.

    You're in good hands with Cotton - Good luck,

    Bill


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.