Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.


  1. Posts : 2,470
    Windows 7 Home Premium
       #21

    VistaKing,


    FRST can remove those entries using a fixlist.txt run from the System Recovery Options/Command Prompt.

    If Malwarebytes picks them up, that is fine also.

    In any event, we can run FRST once again later...


  2. Posts : 12
    Windows 7 home premium 32bit
    Thread Starter
       #22

    RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : mom [Admin rights]
    Mode : Remove -- Date : 02/23/2013 10:58:08
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH] zuqeanypyqyb.exe -- C:\Users\mom\zuqeanypyqyb.exe [-] -> KILLED [TermProc]
    ¤¤¤ Registry Entries : 4 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [x] -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\L --> REMOVED
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK2555GSX ATA Device +++++
    --- User ---
    [MBR] ecb72268cfc86f4eba0f32634df3dadc
    [BSP] 115bdc51753a8a8a697d04b3e5af154d : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 228693 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 471437312 | Size: 8281 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[3]_D_02232013_02d1058.txt >>
    RKreport[1]_S_02222013_02d1158.txt ; RKreport[2]_S_02232013_02d1056.txt ; RKreport[3]_D_02232013_02d1058.txt


  3. Posts : 2,470
    Windows 7 Home Premium
       #23

    Good job, viciii3!

    Please run RogueKiller once again, and this time do a Scan, like in Post #8
    and post the RKreport (Mode: Scan) in your reply.



    Also, let's use unhide.exe to see if we can reveal Files and Folders hidden by the infection...

    Download unhide.exe:
    http://download.bleepingcomputer.com/grinler/unhide.exe
    Save to the Desktop.

    Double-click on the Unhide icon to run the program.
    (Note: this program does not unhide files and folders in removable drives)

    When done, the program displays an alert stating that your files are restored.

    Reboot your computer for the settings to go into effect.

    Are your folders visible again?


  4. Posts : 12
    Windows 7 home premium 32bit
    Thread Starter
       #24

    RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : RogueKiller - Geeks to Go Forums
    Website : Download RogueKiller (Official website)
    Blog : tigzy-RK
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : mom [Admin rights]
    Mode : Scan -- Date : 02/23/2013 17:10:32
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK2555GSX ATA Device +++++
    --- User ---
    [MBR] ecb72268cfc86f4eba0f32634df3dadc
    [BSP] 115bdc51753a8a8a697d04b3e5af154d : Windows Vista MBR Code
    Partition table:
    0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 228693 Mo
    2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 471437312 | Size: 8281 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[4]_S_02232013_02d1710.txt >>
    RKreport[3]_D_02232013_02d1058.txt ; RKreport[4]_S_02232013_02d1710.txt


  5. Posts : 12
    Windows 7 home premium 32bit
    Thread Starter
       #25

    Ladies and gentlemen...all the missing files are restored, the CCC error message is gone and we appear to be back!! Very nice work. My wife and I (she says you and I are "Awesome!"...I say it's all you) appreciate the help and patience you have given. I will wait to hear from you before marking this thread as solved...just in case you have something more you wish me to check. Note that I deleted Thunderbird entirely and will do a clean install of it later...nothing much was lost with that deletion.

    Cheers!

    Vic


  6. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #26

    Well done! Now give that dog a bone - click on the scales icon on one of Cottontail's posts


  7. Posts : 2,470
    Windows 7 Home Premium
       #27

    Great news viciii3, for you and the Mrs.!!

    As for the "bone", this was a team effort. VistaKing, Slartybart, and shawn77, all contributed, and all deserve a "bone"!

    However, don't want you to hurry off yet...

    There were some nasties on that machine, and we want to make sure they are gone.

    Let's go back to the USB flash drive that has FRST...

    Please plug the flash drive into the infected computer.

    >>> Restart.

    As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.

    Use the arrow keys to select the Repair your computer menu item.

    Select your language settings, and click: Next
    Select your User account and click: OK (If you did not set a password, leave blank.)

    On the System Recovery Options menu, select: Command Prompt

    In the Command window, at the blinking cursor type notepad and press: Enter
    In Notepad, under the File menu select: Open

    Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
    Close out of Notepad.

    Click the Command window
    Type x:\frst.exe, and press: Enter
    >>Note: Replace the drive letter x with the drive letter of your flash drive!

    The tool starts and prepares to run. Follow the prompts.
    Click Yes to the disclaimer.

    Press: Scan

    When done, the program saves the FRST.txt report, on the flash drive.
    Click the Command prompt window, and type exit, and press: Enter
    Back at the System Recovery Options, press: Restart

    When the computer boots back into Windows, please provide the FRST.txt in your reply.
    It is located in the USB flash drive.


  8. Posts : 12
    Windows 7 home premium 32bit
    Thread Starter
       #28

    I will get this done in the morning, cottonball.

    As for bones...all you "dogs" have a fresh one to gnaw on.


  9. Posts : 2,470
    Windows 7 Home Premium
       #29

    Thank you!!

    We are all glad to help.


    Tomorrow is fine...do not rush.

    Will probably not be here until late afternoon. Going out for a late lunch.


  10. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #30

    Woof!

    <('.')> ...............

    Thanks viciiiiiiiiiiiii,

    Bill
    .


 