Windows 7 Forums


Windows 7: Attention: cottonball, virus deleted all SD photos

28 Aug 2013   #81
cottonball

Windows 7 Home Premium
 
 

ducat1base,


Immunizing with the Panda USB Vaccine is a good idea, but, not fail-safe. A second round of malware showed up, even after having Panda. Have never used the program, and do not know if the type of malware presented can find its way to your computer, regardless of Panda. The malware appears to use rundll32.exe to execute a malicious file and avoid detection.

In any event, let’s do the following, and then take a look at the contents of infected SD card #2, and the external drive…


To stop the Autorun feature, download and run the following:
Microsoft Fix It 50471: http://support.microsoft.com/kb/967715
Scroll down to: How to disable or enable all Autorun features in Windows 7 and other operating systems
Click Run in the File Download dialog box, and follow the steps in the wizard.


Note: There is an option to disable or enable Autorun automatically. You can do so later, but, consider whether other SD cards or USB drives, etc. will be plugged in.

Reboot the system after applying the Microsoft FixIt.

Next, let’s go back to: USBFix
Right-click the USBFix.exe file and select: Run as Administrator
Plug in SD card #2, and the external/removable drive to the computer.

Press: Listing

Once the program is done, a UsbFix.txt file is found at C:\UsbFix.txt

Please post the UsbFix.txt (Listing Mode) in your reply.


28 Aug 2013   #82
ducat1base

Windows 7 Home Premium 64bit
 
 

I ran Microsoft Fix it 50471 and then ran USBFix with two SD cards and an external inserted. Here's what I got:

UsbFix [Listing 2 ] OWNER-HP.txt


29 Aug 2013   #83
cottonball

Windows 7 Home Premium
 
 

Interesting. USBFix is showing G:\, which may be an SD card, as infected.

Presuming the other SD card is J:\

Is I:\ the external hard drive?


The Farbar Recovery Scan Tool (FRST) is updated once again, and we need to use it.

Please remove your copy of FRST, and get a new one:
Farbar Recovery Scan Tool Download
Save to the Desktop.
Now, please open Notepad once again (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below to Notepad:
Save it on the Desktop, and name it: fixlist.txt

Code:
start
G:\_WY.init
G:\desktop.ini
G:\Thumbs.db
G:\Removable Disk (4GB).lnk
CMD: attrib /d /s -s -h G:\*.*
end

Run FRST, and press the Fix button, just once, and wait.
The tool creates a report on the Desktop called: Fixlog.txt

Please post the Fixlog.txt in your reply.

Also run USBFix once again.
Right-click the USBFix.exe file and select: Run as Administrator
Plug in the SD cards, and the external/removable drive to the same port as before.
Press: Listing

Once the program is done, a UsbFix.txt file is found at C:\UsbFix.txt
Please post the new UsbFix.txt (Listing Mode) in your reply.

29 Aug 2013   #84
ducat1base

Windows 7 Home Premium 64bit
 
 

When running FRST, should I have the external and SD cards plugged in?

G -- SD card
J -- SD card
I -- External
29 Aug 2013   #85
cottonball

Windows 7 Home Premium
 
 

Yes, please.
29 Aug 2013   #86
jumanji

Windows 7 Home Premium 32 bit
 
 

Quote: Originally Posted by cottonball
..........Immunizing with the Panda USB Vaccine is a good idea, but, not fail-safe. A second round of malware showed up, even after having Panda. Have never used the program, and do not know if the type of malware presented can find its way to your computer, regardless of Panda. The malware appears to use rundll32.exe to execute a malicious file and avoid detection.......

Absolutely. Panda USB vaccine - which disables Autorun from inserted devices - can only protect against Autorun Shortcut virus commonly propagated from pen drives. Not any other type of virus that propagate out of Autorun. Those can flow in and out, in spite of Panda.
29 Aug 2013   #87
ducat1base

Windows 7 Home Premium 64bit
 
 

Okay, here's the Fixlog:
Fixlog.txt

And USBFix's listing:

UsbFix [Listing 3 ] OWNER-HP.txt


29 Aug 2013   #88
cottonball

Windows 7 Home Premium
 
 

Actually, I left out an entry on the last fixlist.

Will you use the following fixlist, run FRST and press: fix

Code:
 
start
CMD: attrib /d /s -s -h G:\*.*
Folder: G:
end

Please post the fixlog.txt in order to get a final listing of G:


Also, run Malwarebytes Anti-Malware
Update the program.
Select: Perform Full Scan
When given the option to scan other drives, select G:, I:, and J:
Please post its results when done.
29 Aug 2013   #89
ducat1base

Windows 7 Home Premium 64bit
 
 

Okay, the fixlog:
Fixlog.txt

... MBAM's report:
mbam-log-2013-08-30 (09-19-09).txt


30 Aug 2013   #90
cottonball

Windows 7 Home Premium
 
 

On the UsbFix[Listing] report dated 29/08/2013, there is the following info:
Quote:
G:\ -> Removable drive # 4 Gb (4 Mb free - 99%) [] # FAT32
I:\ -> Fixed drive # 298 Gb (284 Mb free - 95%) [] # NTFS
J:\ -> Removable drive # 4 Gb (732 Mb free - 19%) [] # FAT32

Presuming this is the previously infected drive which was formatted, and now has the Panda Vaccination.
Quote:
[17/08/2013 - 05:59:12 | H | 16] G:\AUTORUN.INF

This is the External drive:
Quote:
[28/08/2013 - 23:07:46 | D ] I:\$RECYCLE.BIN
[04/06/2013 - 16:36:52 | D ] I:\App_Mat
[04/06/2013 - 16:38:00 | D ] I:\Blog
[11/08/2013 - 17:35:50 | D ] I:\College
[04/06/2013 - 16:36:54 | D ] I:\Extracurricular
[04/06/2013 - 16:40:17 | D ] I:\Kindle
[11/08/2013 - 17:35:24 | D ] I:\PCV
[25/08/2013 - 09:06:10 | D ] I:\Photos
[15/08/2013 - 10:49:15 | D ] I:\Scholarships for Burma
[26/07/2013 - 19:37:15 | SHD ] I:\System Volume Information
[27/08/2013 - 13:23:36 | D ] I:\Well Survey
[29/04/2013 - 19:47:00 | D ] J:\DCIM

Take action to vaccinate this External drive with Panda.
USBFix can also vaccinate it, but, since you already used Panda, stay with it, just in case there are problems.

After vaccinating, are you able to open the external and see any images in the DCIM folder?


This drive should be the second SD card. Apparently, you plug this card into a Mac machine.
The .Trashes, ._.Trashes, are the same as the Recycle.Bin in Windows.
Quote:
[22/07/2012 - 10:57:00 | AH | 4096] J:\._.Trashes
[22/07/2012 - 10:57:00 | HD ] J:\.Trashes
[22/07/2012 - 10:57:00 | SHD ] J:\.fseventsd
[30/09/2012 - 23:49:52 | AH | 4] J:\_disk_id.pod
[09/05/2013 - 13:19:10 | A | 1467] J:\.fseventsd.lnk
[29/08/2013 - 09:34:10 | H | 16] J:\AUTORUN.INF

The new fixlist.txt, now shows the contents of G:!!
Quote:
2013-08-07 15:00 - 2013-08-07 15:00 - 0000000 ____D () G:\
2011-10-06 20:09 - 2011-10-06 20:09 - 0000000 ____D () G:\ \DCIM
2012-06-28 01:47 - 2012-06-28 01:47 - 0000000 ____D () G:\ \DCIM\107___06
2013-08-17 05:59 - 2013-08-17 05:59 - 0000016 ____H () G:\AUTORUN.INF
2012-11-18 07:11 - 2012-11-18 07:11 - 0000004 ____A () G:\ \_disk_id.pod
2013-08-07 15:00 - 2013-08-24 22:31 - 0000126 ____A () G:\ \desktop.ini
2012-06-29 03:33 - 2012-06-29 19:27 - 1637585 ____A () G:\ \DCIM\107___06\IMG_2014.JPG
2012-06-29 03:33 - 2012-06-29 19:27 - 1636839 ____A () G:\ \DCIM\107___06\IMG_2015.JPG
2012-06-29 04:35 - 2012-06-29 19:27 - 1762389 ____A () G:\ \DCIM\107___06\IMG_2016.JPG
2012-06-29 04:35 - 2012-06-29 19:28 - 1604709 ____A () G:\ \DCIM\107___06\IMG_2017.JPG
2012-06-29 04:36 - 2012-06-29 04:36 - 1368280 ____A () G:\ \DCIM\107___06\IMG_2018.JPG
2012-06-29 04:36 - 2012-06-29 04:36 - 1501613 ____A () G:\ \DCIM\107___06\IMG_2019.JPG
2012-06-29 04:36 - 2012-06-29 19:28 - 1820398 ____A () G:\ \DCIM\107___06\IMG_2020.JPG
2012-06-29 04:36 - 2012-06-29 19:28 - 1454799 ____A () G:\ \DCIM\107___06\IMG_2021.JPG
2012-06-29 04:37 - 2012-06-29 19:28 - 1446210 ____A () G:\ \DCIM\107___06\IMG_2022.JPG
2012-06-29 04:37 - 2012-06-29 04:37 - 1516152 ____A () G:\ \DCIM\107___06\IMG_2023.JPG
2012-06-29 04:38 - 2012-06-29 19:28 - 1929643 ____A () G:\ \DCIM\107___06\IMG_2024.JPG
2012-06-29 04:38 - 2012-06-29 19:28 - 1814626 ____A () G:\ \DCIM\107___06\IMG_2025.JPG
2012-06-29 04:38 - 2012-06-29 19:28 - 1582525 ____A () G:\ \DCIM\107___06\IMG_2026.JPG
2012-06-29 04:38 - 2012-06-29 04:38 - 1614540 ____A () G:\ \DCIM\107___06\IMG_2027.JPG
2012-06-29 04:43 - 2012-06-29 19:29 - 2002291 ____A () G:\ \DCIM\107___06\IMG_2028.JPG
2012-06-29 04:43 - 2012-06-29 19:29 - 2011520 ____A () G:\ \DCIM\107___06\IMG_2029.JPG
2012-06-29 04:43 - 2012-06-29 19:29 - 1940839 ____A () G:\ \DCIM\107___06\IMG_2030.JPG
2012-06-29 04:43 - 2012-06-29 04:43 - 2375814 ____A () G:\ \DCIM\107___06\IMG_2031.JPG
2012-06-29 04:44 - 2012-06-29 04:44 - 2380575 ____A () G:\ \DCIM\107___06\IMG_2032.JPG
2012-06-29 05:07 - 2012-06-29 19:29 - 1495368 ____A () G:\ \DCIM\107___06\IMG_2033.JPG
Open this card, and check out whether you can see the images.



With the SD cards and the External plugged into the same ports...

Also, use the following fixlist, run FRST and press: Fix

Code:
 
start
CMD: attrib /d /s -s -h J:\*.*
Folder: J:
end

Please post the fixlog.txt in order to get a final listing of J:

Also run USBFix once again.
Right-click the USBFix.exe file and select: Run as Administrator
Press: Listing

Please post the new UsbFix.txt (Listing Mode) in your reply.
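
As an added example (not part of the thread, and not code from UsbFix or FRST): a short Python script that parses UsbFix listing lines in the format quoted in the post above and lists root-level shortcuts, autorun.inf files and unexpected hidden items for manual review. The rules and the allowlist of expected hidden names are assumptions made for this illustration; the sample entries are copied from the quoted listing.

```python
import re
from pathlib import PureWindowsPath

# One UsbFix listing entry: [date - time | attributes | size] path (no size for folders)
ENTRY = re.compile(
    r"^\[(\d{2}/\d{2}/\d{4}) - (\d{2}:\d{2}:\d{2}) \| ([A-Z]+) (?:\| (\d+))?\] (.+)$"
)

# Hidden/system root items that Windows or OS X create themselves
# (assumed allowlist; the OS X names are the ones explained in the post above).
EXPECTED_HIDDEN = {"system volume information", "$recycle.bin",
                   ".trashes", "._.trashes", ".fseventsd"}

def triage(listing):
    """Return (path, reason) for drive-root entries worth a manual look."""
    findings = []
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, blank lines, anything that is not an entry
        attrs, path = m.group(3), PureWindowsPath(m.group(5))
        if path.parent != PureWindowsPath(path.anchor):
            continue  # only the drive root is examined here
        name = path.name.lower()
        if name.endswith(".lnk"):
            reason = "shortcut in drive root"
        elif name == "autorun.inf":
            reason = "autorun.inf in drive root"
        elif ("H" in attrs or "S" in attrs) and name not in EXPECTED_HIDDEN:
            reason = "hidden or system item in drive root"
        else:
            continue
        findings.append((str(path), reason))
    return findings

# Entries copied from the UsbFix listing quoted in the post above.
SAMPLE = r"""
[17/08/2013 - 05:59:12 | H | 16] G:\AUTORUN.INF
[26/07/2013 - 19:37:15 | SHD ] I:\System Volume Information
[25/08/2013 - 09:06:10 | D ] I:\Photos
[22/07/2012 - 10:57:00 | HD ] J:\.Trashes
[30/09/2012 - 23:49:52 | AH | 4] J:\_disk_id.pod
[09/05/2013 - 13:19:10 | A | 1467] J:\.fseventsd.lnk
[29/04/2013 - 19:47:00 | D ] J:\DCIM
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}: {path}")
```

A hit is a prompt to look at the file, not a verdict: the 16-byte hidden AUTORUN.INF on G: is the entry the post presumes to be the Panda vaccination.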