Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.

[viciii3]

Recent virus, lost Libraries, Thunderbird & Catalyst CC won't open.

The problem:
Yesterday my wife contracted some type of oogliness on her Toshiba laptop. On system start up the desktop would have many system error messages, one on top of the other. Also a message "Catalyst Control Center: host application has stopped working" and when attempting to open Thunderbird a message that "Thunderbird window is already open. Close window or restart computer" (or some thing like that). All her picture libraries were gone (I've only managed to recover 2 of them) and who knows what else may have been lost. This morning I had a phone call from our ISP telling us that her email account was shut down after they noticed a huge flood of emails outgoing and many of her friends called to say they had suspicious emails from her account.

What I have done, so far:
We called and texted everyone we could think of with a warning not to open any emails from her account. I performed a system restore to a point one week ago. This got rid of all the system error messages on startup but did nothing to fix the Thunderbird issue, the Catalyst Control Center error or bring back the many missing picture libraries. As I said, I recovered only 2 folders of pictures...the rest appear to be gone. I tried installing a newer version of Thunderbird over the old one...hoping to save the email program and I downloaded and installed the latest drivers from AMD. Neither of these fixed anything.

I believe the system may be a lost cause and might require a reformat and reinstall from the recovery disks we created when we unpacked the laptop originally. I would, however, like to find out what really happened before doing that? Her system runs MS Security Essential and SpywareBlaster (both woefully out of date at the time...my bad). I updated MSSE and performed a scan which found the following:
TrojanDownloader:Win32/Dofoil.O (Removed)
TrojanDownloader:Win32/Dofoil.O (Quarantined)
TrojanDownloader:Win32/Cutwail.BS (Quarantined).

This is where I'm at, at this point. If it can be cleaned up and returned to good operation with all missing files recovered, so much the better. If not, I would still like to figure out how and what happened before doing a complete reformat and reinstall.

I have OTL downloaded on her computer and await any direction you can give.

Thank you very much, gang.

Vic

 

[cottonball]

viciii3,

Let's approach the issue in a mode before Windows starts.

Need some information in order to proceed...

Confirming the Operating System on the involved computer is Windows Seven 32-bit.

Also, do you have the Repair your computer option in the Advanced Boot Options menu?

To find out:

Restart the computer.

• As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
• Is the Repair your computer option listed?

If you do not have the option above, do you have your Windows installation CD/DVD available?



And last, do you have a clean USB flash drive available, and do you have access to another computer?

 

[viciii3]

The OS is Windows 7 32bit
I do have the "repair your computer" option in the advanced boot options menu.
I do not have a Windows installation CD...the laptop did not come with one.
I do have 3 recovery disks created when we first started the computer. (2 recovery disks and a Toshiba software and drivers disk).

I do not have a clean USB flash drive (but I can get one).
I do have access to another computer (which I am using now).

 

[VistaKing]

Try this out

Click rb: Computer,
In the Address bar type %AppData%,
This should take you to the Appdata/Roaming folder,
Navigate to AppData\Roaming\Microsoft\Windows\Libraries.
Make sure the folder and it contents are not hidden.
Right click the folder or files or libraries and click properties.
Uncheck the “Hidden” attribute check box.
For good measure make sure the “Read-Only” attribute check box is not checked.
Log off and log back on to apply changes.

If that doesn't help try this

Click rb: Computer.
Right click libraries on the left hand side in the navigation bar.
Click restore default libraries.

 

[viciii3]

VistaKing...these things are already tried...it is how I managed to recover 2 picture folders. Many more folders are still missing, however.

I hope you will understand that I do appreciate your input but, as cottonball seems to have a plan, I do not want to confuse the issue by doing more than one thing at a time. I will wait for cottonball to tell me what he needs me to do.

Again, I certainly appreciate your input...thank you.

 

[cottonball]

viciii3,

Here we go, but you do need a USB flash drive...

You may want to print these instructions so you can have access to follow them.
Also, you may want to read them once befor you apply them.


Please plug a USB flash drive into a clean computer.


Go to Start > Computer

• Double-click Computer, and select the flash drive.
• Right-click and select: Format
• Press Start on the Format prompt.

Next, download Farbar Recovery Scan Tool:


Farbar Recovery Scan Tool Download
Select the 32-bit download.


Save the program to the >>> USB flash drive.
Remove the drive from the clean computer.


Next, plug the flash drive into the infected computer.




>>>Restart the computer.

• As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select your language settings, and click: Next
• Select your User account and click: OK (If you did not set a password, leave blank.)

On the System Recovery Options menu you get the following options:

• Startup Repair
  [*]System Restore
  [*]Windows Complete PC Restore
  [*]Windows Memory Diagnostic Tool
  [*]Scan your computer's memory for errors.
  [*]Command Prompt

Select: Command Prompt

• In the Command window, at the bliking cursor type notepad and press: Enter
• In Notepad, under the File menu select: Open
• Double-click Computer, find the flash drive letter, remember what letter it is, click on it, and press: Open
• Close out of Notepad.
• Click the Command window
• Type x:\frst.exe, and press: Enter
  Note: Replace the drive letter x with the drive letter of your flash drive!

The tool starts and prepares to run. Follow the prompts.

• Click Yes to the disclaimer.
• Press: Scan
• When done, the program saves the FRST.txt report, on the flash drive.

Click the Command prompt window, and type exit, and press: Enter




Back at the System Recovery Options, press: Restart


When the computer boots back into Windows, please provide the FRST.txt in your reply.
It is located in the USB flash drive.

 

[viciii3]

OK...I will do this tomorrow when I have a flash drive in hand. I will then get back to you here.

Thanks man.

Vic

 

[cottonball]

Fine, whenever you are ready.

In the meantime, if you can run programs from the infected computer, do the following:


Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement

Select the version that applies to your system: (the blue button without x64)
Click the blue button to download.

Save to the Desktop


Close all windows and browsers...

Right-click RogueKiller and select 'Run as Administrator'

Press: SCAN


A report opens on the Desktop: RKreport.txt


Please provide the RKreport.txt (Mode: Scan) in your reply.
(Please do not delete anything!)

 

[Slartybart]

@viciii3: Once you're sure that your system is clean - cottonball is very good so definitely keep following his (avatar looks male to me) advice - please advise on Libraries missing.

Libraries only point to real locations and present contents from those locations in one place. If you look at the acutal file for a library, it isn't much more than an XML file. What I'm trying to determine is whether the library-ms file was corrupted or if the files it referenced wre corrupted. sometimes viruses just make us panic into thinking they
did more dmage.

I'm not sure, that's why I ask.

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="[URL="http://schemas.microsoft.com/windows/2009/library"]Error[/URL]">
  <name>@shell32.dll,-34620</name>
  <ownerSID>S-1-5-21-1645956821-2123721666-1853574476-1000</ownerSID>
  <version>20</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1005</iconReference>
  <templateInfo>
    <folderType>{5fa96407-7e77-483c-ac93-691d05850de8}</folderType>
  </templateInfo>
  <propertyStore>
    <property name="HasModifiedLocations" type="boolean"><![CDATA[true]]></property>
  </propertyStore>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>true</isSupported>
      <simpleLocation>
        <url>E:\DefLocs\DFL_Videos</url>
        <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAA0hmhgM7b3cA6LJwZtB8NHg+SCcWbAfzBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAsNAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8SR6wFAAAAAAAAAAAAAAAAAAAAAAAAASBQMAAAAAAQkBtxAQgCRlZGTvN2cAwDAIAABA8uvRGE2CEZQbMgKAAAAJVBAAAAAMAAAAAAAAAAAAAAAAAAAAQEAlBgZAwEAvBwYAMHAAAgFAoFAxAAAAAAArIU8FGBCEZETfZVS+FDAAIEAIAABA8uvRGU+CsiQxXoKAAAALVBAAAAADAAAAAAAAAAAAAAAAAAAAQEAGBATA8FAWBQaAQGAlBwbAMHAAAAGAAAAOBAAAwBAAAQAAAAAcAAAAcDAAAAAAAAANBAAAsBAAAwAAAAA8tJGyCBAAAAM0ACTpJmchJXeAUkOcRUZmx0bjNHXEZETfZVakV2bzBAAoAAAAkAAAAKHAAAAxMFUTJuiYZEvMhzQ7y/ETaCmt5MAAAAAAAAAAAGAAAwAAAAoYBAAAAAAAAQZpRmd2AAAAAAAAAAAAAAAawDe2hm25BUmoIOe++Yb6B0Q5WDnHJeEhOAfpPd+MHsG8gndopdeAlJKijnvP2meANUu1w5RiHRoDwX6TnPzBDAAAAA</serialized>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <isDefaultSaveLocation>false</isDefaultSaveLocation>
      <isSupported>true</isSupported>
      <simpleLocation>
        <url>I:\402_Videos</url>
        <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAAs9wwLbPX0cA0qv8zr2BOHAt6L/8qdgzBAAwAAAAAAAABAAAAAAAAAAAAAAAAAAAAkIAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8SS6wFAAAAAAAAAAAAAAAAAAAAAAAAAaBQMAAAAAAgSCpaRRgANwIzXWlkfxAAACBACAQAAv7riAZhiKJkqFpCAAAwyCAAAAAgAAAAAAAAAAAAAAAAAAAAA0AAMAIDAfBgVAkGAkBQZA8GAzBAAAgBAAAQRAAAAcAAAAEAAAAAHAAAA2AAAAAAAAAARAAAAaAAAAMAAAAgvExIBQAAAAQDMyASTlRWahBQS6wFNwIzXWlGZl92cAAAKAAAAJAAAgyBAAAQMTB1UirIWGxLT4M0u8PxkmgZbODAAAAAAAAAAgBAAAMAAAAKWAAAAAAAAAUWakZnNAAAAAAAAAAAAAAA+WXvuhiuVPRq6AbI+FoVJJYDjZGCRiHBqSyX6TnPzBjv11rboob1TkqOwGifBaVSC2wYmhQk4Rgqk8l+05zcwAAAAAA</serialized>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <isDefaultSaveLocation>false</isDefaultSaveLocation>
      <simpleLocation>
        <url>R:\403_Videos</url>
        <serialized>MBAAAEAFCAAAAAAAADAAAAAAAY0gAAQBRgAAA8X8lVjQY3cAEts9zr2BOHARLb/8qdgzBAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAkIAUAwHQB+TQDi66kGEiiNCAsCMw0ZGA8iU6wFAAAAAAAAAAAAAAAAAAAAAAAAAaBQMAAAAAAgSCpaRRgANwMzXWlkfxAAACBACAQAAv7LjBdyQKJkqFpCAAAQuRAAAAAgAAAAAAAAAAAAAAAAAAAAA0AAMAMDAfBgVAkGAkBQZA8GAzBAAAgBAAAARAAAAcAAAAEAAAAAHAAAA1AAAAAAAAAwQAAAAZAAAAMAAAAQaX4taQAAAAQDMzAiR1J3cAIlOcRDMz8lVpRWZvNHAAAGAAAwAAAAoYBAAAAAAAAQZpRmd2AAAAAAAAAAAAAAAOidEAlcq/0EvEW8OX0JIMBtNMmZIEJeEoKJfpPd+MHsjYHBQJn6PNxLhFvzFdCCTQbDjZGCRiHBqSyX6TnPzBjCAAAQCAAAocAAAAEzUQNl4KilR8yEODtL/TMpJY2mzAAAAAAAAAAAAAAAA</serialized>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

 

[Slartybart]

Virus info:
Encyclopedia entry: TrojanDownloader:Win32/Dofoil.D
Encyclopedia entry: Win32/Cutwail - according to MS this is a rootkit.

You're in good hands with Cotton - Good luck,

Bill
.

 

[shawn77]

Grinler's UNHIDE tool should restore them and resolve catalyst error but before that follow cottonball's suggestion to remove infections.

 

[cottonball]

Slartybart and shawn77,

Thanks for the info!!

That is exactly where we are headed, get rid of the malware, and then, use Grinler's unhide.exe

RogueKiller, and in particular, FRST, should identify the Rootkit and anything else that is lurking in that system.

Trying to reveal the files and folders now is probably an exercise in futility...

 

[VistaKing]

Files should be in %temp%\smtmp\1,2,3,4


%Temp%\smtmp\1 files in there will go C:\ProgramData\Microsoft\Windows\Start Menu

%Temp%\smtmp\2 files in there will go to C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

%Temp%\smtmp\3 will in there will go to C:\Users\<your login name here>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

%Temp%\smtmp\4 files inside there will go to C:\Users\Public\Desktop

Save the smtmp folder to a flash drive. Then remove the virus . Don't run any temp files remover programs like Ccleaner .

 

[cottonball]

Thanks for the info, VistaKing!

Y'all making this easier, keep 'em coming!

 

[VistaKing]

No problem , Cottonball .

 

[viciii3]

here is the text of the Rogue Killer report (hope I did this correctly).

RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : RogueKiller - Geeks to Go Forums
Website : Download RogueKiller (Official website)
Blog : tigzy-RK
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : mom [Admin rights]
Mode : Scan -- Date : 02/22/2013 11:58:29
| ARK || FAK || MBR |
¤¤¤ Bad processes : 6 ¤¤¤
[SUSP PATH] zuqeanypyqyb.exe -- C:\Users\mom\zuqeanypyqyb.exe [-] -> KILLED [TermProc]
[SUSP PATH] exp7E33.tmp.exe -- C:\Users\mom\AppData\Local\Temp\exp7E33.tmp.exe [-] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe [x] -> KILLED [TermProc]
¤¤¤ Registry Entries : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [-] -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4093826796-1630646369-247549289-1000[...]\Run : KB01192703.exe ("C:\Users\mom\AppData\Roaming\KB01192703.exe") [-] -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-4093826796-1630646369-247549289-1000[...]\Run : zuqeanypyqyb (C:\Users\mom\zuqeanypyqyb.exe) [-] -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\n [-] --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4093826796-1630646369-247549289-1000\$32bf8f5f13097800106f306c78257dcb\L --> FOUND
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ Infection : ZeroAccess ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK2555GSX ATA Device +++++
--- User ---
[MBR] ecb72268cfc86f4eba0f32634df3dadc
[BSP] 115bdc51753a8a8a697d04b3e5af154d : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 228693 Mo
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 471437312 | Size: 8281 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1]_S_02222013_02d1158.txt >>
RKreport[1]_S_02222013_02d1158.txt

 

[viciii3]

I am not allowed to post the text from the FRST.txt file...it is too many characters? I can upload the file by FTP to my page, if that will work?

 

[viciii3]

The FRST.txt file is here:

http://users.frii.com/viciii3/FRST.txt

 

[cottonball]

Please run RogueKiller once again:

Close all windows and browsers
Right-click RogueKiller and select 'Run as Administrator'

Wait until the Prescan finishes
The Status box shows PreScan Finished
Press: Scan

When done, on the right, click: Delete (or Remove)
Wait until the Status box shows: Deleting Finished
Click on Report and provide the content of the new Rkreport (Mode: Remove) in your reply.

 

[VistaKing]

Looking at the FRST.txt . I see that you have an adware by the name of Conduit. Also random numbers.exe running which is located inside your registry .
HKCU\Software\Microsoft\Windows\CurrentVersion\Run : KB01192703.exe
C:\Users\mom\AppData\ Roaming\KB01192703.exe

Download Malwarebytes by clicking on this link Malwarebytes Anti-Malware - CNET Download.com and click on Download Now . Install the program update the definitions and click on start trial . On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for infections.

** Don't worry it will remove what ever it finds even though its a trial version .