Windows 7 Forums


Windows 7: Attention: cottonball, virus deleted all SD photos

17 Aug 2013   #11
cottonball

Windows 7 Home Premium
 
 

Last try...go back to Safe Mode with Command Prompt as you did before

At the Command Prompt, proceed with the following commands:

Code:
j:
attrib -h -r -s autorun.inf
edit autorun.inf

The above should display the contents of the file.

To copy the info provided, right-click the small command prompt icon on the upper left side
From the menu, go to Edit > Select All
Next, go to Edit > Copy

Now, to close the Command Prompt, type in: exit

Open Notepad (Start > All Programs > Accessories > Notepad), and paste the contents of the copied info for autorun.inf in your reply.

^^ If the above does not work, the Panda USB Vaccine must have blocked the autorun.inf file, preventing it from being read, or modified. This cannot be reversed except with a format.
Can't do!

Pressing on with FRST...

Please open Notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the quote box below (Do not copy the word 'Quote')
Save it on the Desktop, and name it: fixlist.txt

Quote:
start
HKCU\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msofzw.cmd <===== ATTENTION!
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
end

This script is written specifically for ducat1base, and, only for use on this infected computer.
Running this on another computer may cause damage to the Operating System!!

Run FRST, and press the Fix button, just once, and wait.
The tool creates a report on the Desktop called: Fixlog.txt
Please post the Fixlog.txt in your reply.


Now, let's use unhide.exe to see if it can reveal what was hidden...

Download:
http://www.bleepingcomputer.com/download/unhide/
Save to the Desktop.

Double-click on the Unhide icon to run the program.
When done, the program displays an alert stating that your files are restored.

Reboot your computer for the settings to go into effect.

Check the SD card, and see if the images show now.

Next, please use RKill.exe to terminate any malware processes (if still present): http://www.bleepingcomputer.com/download/rkill/
Save to the Desktop.

If RKill.exe does not run, then download and try to run RKill.com:
http://www.bleepingcomputer.com/download/rkill/

You only need to get one of the versions of RKill to run.

There are additional versions:
RKill.scr: http://www.bleepingcomputer.com/download/rkill/

Also, RKill, renamed, can be downloaded from the following links:
iExplore.exe: http://www.bleepingcomputer.com/download/rkill/
uSeRiNiT.exe: http://www.bleepingcomputer.com/download/rkill/
WiNlOgOn.exe: http://www.bleepingcomputer.com/download/rkill/

If your AntiVirus warns you about this tool, ignore the warning, or temporarily disable your AntiVirus.

Right-click on the downloaded RKill file and select: Run as Administrator

A black DOS box briefly flashes and then disappears. This is normal and indicates the tool ran successfully.
After running the tool, do not reboot.

When the scan is done Notepad opens with the RKill report.

Please post the RKill report in your reply.


Without a reboot, please close all windows and browsers, and run RogueKiller again.
Right-click and select: Run as Administrator

At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.


Follow up with Malwarebytes Anti-Malware:
Download: http://www.bleepingcomputer.com/down...-anti-malware/
Save to the Desktop

Make sure J: (the SD Card) is the only removable storage connected to the computer.
Right-click the downloaded MBAM file, and select: Run as Administrator

When the installation begins, follow the prompts in the setup process.
DO NOT make any changes to default settings and when the program has finished installing, make sure only the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware options are checked.
Uncheck: Enable free trial of Malwarebytes Anti-Malware PRO
Click on the Finish button.

If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, select: Perform Full Scan
When the Select the Drives to scan appears, make sure all drives (except CD-Rom, DVD) are selected, and in particular, J:.

Next, click on the Scan button.

When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

When removal is completed, a report opens in Notepad.
Please copy/paste the entire contents of the MBAM report in your reply.


Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.


17 Aug 2013   #12
cottonball

Windows 7 Home Premium
 
 

Note: Post above was edited!!
17 Aug 2013   #13
jumanji

Windows 7 Home Premium 32 bit
 
 

Hi ducat1base,

Sometimes we overlook some obvious fact and keep running around. This one really beat me and in a flash I suddenly remembered that tiny little switch on the SD Card.

Are you sure the switch is in unlocked position? !!!!!!!!!!!

18 Aug 2013   #14
ducat1base

Windows 7 Home Premium 64bit
 
 

Hey @jumanji, the SD Card is unlocked. @cottonball, whatever is in the system has done the same to my other SD cards. Evidently they were infected before I noticed the first instance. After running everything in your above post, still no photos on any of them. Here are the results from your instructions:

Fixlog.txt

Rkill.txt

RKreport[0]_D_08182013_101816.txt

mbam-log-2013-08-18 (10-27-54).txt


I noticed MBAM found quite a bit of malware. When we get through debugging this (and maybe, yet again, it's my computer that's infected and not the USB?!), I'd appreciate advice on how I can prevent this from happening in the future. As I mentioned in our last exchange, I work in rural villages in Cambodia. I'm often the only one with a computer and as a result all USB drives go straight to me. Many villagers unwittingly plug their USBs into any computer without protection and as a result a good number of them are infected. Many know they have a virus but don't understand what that means for their files or my computer! Is there any software out there that guarantees me protection against the viruses and infections from USBs I'm receiving? @jumanji mentioned Panda, and I now have that, but is there anything a bit more proactive in deterrence? Maybe I should just run the programs you're having me run now more frequently? As much as I love our exchanges, I really don't want to keep losing files and getting infected! I'd appreciate any suggestions.


18 Aug 2013   #15
cottonball

Windows 7 Home Premium
 
 

@jumanji,

If the SD drive was locked, I think a message with "The disk cannot be written to because...etc." would have shown up earlier in the game.


@ducat1base,

Did you reboot when MBAM was done?


There were a couple of entries for which 'Access is denied', or, there was an 'Error setting value', etc. showing in FRST and in RogueKiller.

Let's see if you got rid of those for sure.


Please run FRST once again, but, plug in the SD card (only J) before you do so.

Press the Scan button.
FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

Please provide the new FRST.txt in your reply.


Also run RogueKiller, and just do a Scan.


Are the images you are looking for in the SD card in a folder of their own, or, are they all over?
18 Aug 2013   #16
jumanji

Windows 7 Home Premium 32 bit
 
 

Quote: Originally Posted by cottonball
@jumanji,

If the SD drive was locked, I think a message with "The disk cannot be written to because...etc." would have shown up earlier in the game......
OK, I just wanted to make sure it was not locked. My turn to take a beating.
18 Aug 2013   #17
cottonball

Windows 7 Home Premium
 
 

@jumanji,

Quote:
My turn to take a beating...
Thought it was called a constructive comment!
18 Aug 2013   #18
cottonball

Windows 7 Home Premium
 
 

ducat1base,

Do you have a Canon camera?

DCIM (Folder) = Digital Camera IMages (stores the pictures?)

MISC (Folder) = catch-all folder that stores anything that doesn't belong in the DCIM folder


Could you check out what is inside the DCIM folder?
18 Aug 2013   #19
cottonball

Windows 7 Home Premium
 
 

If DCIM does not open, either by double-clicking, right-clicking and selecting Open, or, using WinRAR, please do the following:

Go to Start > All Programs > Accessories > Command Prompt
Right-click on the Command Prompt and select: Run As Administrator

At the blinking cursor of the Command Prompt, type in (or copy/paste with mouse) the following commands inside the code box, and press Enter:

Code:
cd\
j:
dir /s
cd DCIM
dir /s

To copy the text contained/produced in the Command Prompt, click on the small command icon in the top left corner, and then choose:
Edit > Select All
Once again, Edit > Copy

Open Notepad, and paste the text to it.
Please post the text in your reply.

To close the Command Prompt, use the [X], or type in: exit
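
Added example, not part of any post in this thread: a read-only PowerShell check that lists every entry on the card carrying the Hidden or System attribute (a plain dir listing leaves those out) and tries to print autorun.inf. The drive letter J: comes from the thread; the list of photo extensions is an assumption.

```powershell
# Added example, not from the thread. Read-only: nothing on the card is changed.
# Assumption: the SD card is mounted as J:, as in the posts above.
param([string]$Drive = 'J:\')

# Hidden = 2, System = 4; an entry is flagged if it carries either bit.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# -Force makes Get-ChildItem return hidden and system items as well.
$flagged = @(Get-ChildItem -LiteralPath $Drive -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band $mask })

$flagged | Sort-Object FullName |
    Format-Table Attributes, Length, LastWriteTime, FullName -AutoSize

# Extensions are an assumption about what the camera writes; adjust as needed.
$photoExt = '.jpg', '.jpeg', '.cr2', '.mov'
$hiddenPhotos = @($flagged | Where-Object {
    -not $_.PSIsContainer -and ($photoExt -contains $_.Extension.ToLower())
})

"{0} hidden/system entries found, {1} of them photo or video files" -f `
    $flagged.Count, $hiddenPhotos.Count

# Show autorun.inf if one exists, whatever its attributes are.
$autorun = Join-Path $Drive 'autorun.inf'
if ([IO.File]::Exists($autorun)) {
    try {
        "--- contents of $autorun ---"
        [IO.File]::ReadAllText($autorun)
    } catch {
        # A locked or protected file ends up here instead of aborting the script.
        "autorun.inf exists but could not be read: $($_.Exception.Message)"
    }
} elseif ([IO.Directory]::Exists($autorun)) {
    "autorun.inf is a directory, not a file"
} else {
    "No readable autorun.inf file in the root of $Drive"
}
```

A non-zero photo count means the files are still on the card with their attributes changed; a count of zero with an empty DCIM folder means they are not reachable through the file system at all.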
18 Aug 2013   #20
ducat1base

Windows 7 Home Premium 64bit
 
 

Yes, I have a Canon G12. There's nothing in either the DCIM or MISC folder when I open it.

And I don't believe I rebooted immediately after running MBAM. I posted the reports on this thread and then shut the computer down shortly after.

Here is the new FRST report:
FRST.txt

And the new RKiller report:
RKreport[0]_S_08192013_064446.txt

