Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.

[cottonball]

VistaKing,


FRST can remove those entries using a fixlist.txt run from the System Recovery Options/Command Prompt.

If Malwarebytes picks them up, that is fine also.

In any event, we can run FRST once again later...

 

[viciii3]

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : mom [Admin rights]
Mode : Remove -- Date : 02/23/2013 10:58:08
| ARK || FAK || MBR |
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] zuqeanypyqyb.exe -- C:\Users\mom\zuqeanypyqyb.exe [-] -> KILLED [TermProc]
¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [x] -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\L --> REMOVED
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2555GSX ATA Device +++++
--- User ---
[MBR] ecb72268cfc86f4eba0f32634df3dadc
[BSP] 115bdc51753a8a8a697d04b3e5af154d : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 228693 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 471437312 | Size: 8281 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[3]_D_02232013_02d1058.txt >>
RKreport[1]_S_02222013_02d1158.txt ; RKreport[2]_S_02232013_02d1056.txt ; RKreport[3]_D_02232013_02d1058.txt

 

[cottonball]

Good job, viciii3!

Please run RogueKiller once again, and this time do a Scan, like in Post #8
and post the RKreport (Mode: Scan) in your reply.



Also, let's useunhide.exe to see if we can reveal Files and Folders hidden by the infection...

Download unhide.exe:
http://download.bleepingcomputer.com/grinler/unhide.exe
Save to the Desktop.

Double-click on the Unhide icon to run the program.
(Note: this program does not unhide files and folders in removable drives)

Screenshot:

When done, the program displays an alert stating that your files are restored.

Reboot your computer for the settings to go into effect.

Are your folders visible again?

 

[viciii3]

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : mom [Admin rights]
Mode : Scan -- Date : 02/23/2013 17:10:32
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2555GSX ATA Device +++++
--- User ---
[MBR] ecb72268cfc86f4eba0f32634df3dadc
[BSP] 115bdc51753a8a8a697d04b3e5af154d : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 228693 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 471437312 | Size: 8281 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[4]_S_02232013_02d1710.txt >>
RKreport[3]_D_02232013_02d1058.txt ; RKreport[4]_S_02232013_02d1710.txt

 

[viciii3]

Ladies and gentlemen...all the missing files are restored, the CCC error message is gone and we appear to be back!! Very nice work. My wife and I (she says you and I are "Awesome!"...I say it's all you ) appreciate the help and patience you have given. I will wait to hear from you before marking this thread as solved...just in case you have something more you wish me to check. Note that I deleted Thunderbird entirely and will do a clean install of it later...nothing much was lost with that deletion.

Cheers!

Vic

 

[Slartybart]

Well done! now give that dog a bone - click on the scales icon on one of Cottontail's posts

 

[cottonball]

Great news viciii3, for you and the Mrs.!!

As for the "bone", this was a team effort. VistaKing, Slartybart, and shawn77, all contributed, and all deserve a "bone"!

However, don't want you to hurry off yet...

There were some nasties on that machine, and we want to make sure they are gone.

Let's go back to the USB flash drive that has FRST...

Please plug the flash drive into the infected computer.

>>> Restart.

As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.

Use the arrow keys to select the Repair your computer menu item.

Select your language settings, and click: Next
Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu, select: Command Prompt

In the Command window, at the bliking cursor type notepad and press: Enter
In Notepad, under the File menu select: Open

Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
Close out of Notepad.

Click the Command window
Type x:\frst.exe, and press: Enter
>>Note: Replace the drive letter x with the drive letter of your flash drive!

The tool starts and prepares to run. Follow the prompts.
Click Yes to the disclaimer.

Press: Scan

When done, the program saves the FRST.txt report, on the flash drive.
Click the Command prompt window, and type exit, and press: Enter
Back at the System Recovery Options, press: Restart

When the computer boots back into Windows, please provide the FRST.txt in your reply.
It is located in the USB flash drive.

 

[viciii3]

I will get this done in the morning, cottonball.

As for bones...all you "dogs" have a fresh one to gnaw on .

 

[cottonball]

Thank you!!

We are all glad to help.


Tomorrow is fine...do not rush.

Will probably not be here until late afternoon. Going out for a late lunch.

 

[Slartybart]

Woof!​

<('.')> ...............​

Thanks viciiiiiiiiiiiii,

Bill
.

 

[viciii3]

Once again, latest FRST.txt is here:

http://users.frii.com/viciii3/FRST.txt

A couple of things I noticed...why would "regedit.exe" run at startup (if I am looking at the log correctly)? Also, I'm not sure what the "HP button managaer" is?

 

[Slartybart]

Button Mgr: Looks to be a Webcam driver, Regedit has an [x] on the right of the entry - should be resolved.

Why Regedit was started at boot? Not sure.

 

[cottonball]

viciii3,

My apology for the delay...

Before I forget, you may want to consider purchasing a USB Hard Disk Drive, and storing your photos and any other goodies/memories there. In the event another infection took hold of the computer, the HDD would not be plugged in to it. Also, copying the photos to a CD would work. You would need some type of software to copy them. Just a thought.

Let's press on...

Please open: Notepad
Copy the contents of the quote box below.
Paste the to Notepad.
Save it on the flashdrive that has FRST as: fixlist.txt

start
HKLM-x32\...\Run: [] [x]
HKU\mom\...\Run: [Regedit32] C:\windows\system32\regedit.exe [x]
2013-02-19 10:21 - 2013-02-19 10:49 - 00000184 ____A C:\ProgramData\-XHnASFcJrnlLmYDr
2013-02-19 10:21 - 2013-02-19 10:49 - 00000160 ____A C:\ProgramData\-XHnASFcJrnlLmYD
2013-02-19 10:20 - 2013-02-19 10:49 - 00000088 ____A C:\ProgramData\XHnASFcJrnlLmYD
end

Now, restart the computer and enter System Recovery Options/Command Prompt, etc., as you did before.

Run FRST and press the Fix button, just once, and wait.

When done, the tool creates a log on the flashdrive called: Fixlog.txt

Please post Fixlog.txt to your reply.


Also, do you know what these folders are, or what they contain:
C:\Users\mom\Application Data\3D9CBA70
C:\Users\mom\AppData\Roaming\3D9CBA70