Attention: cottonball, virus deleted all SD photos


  1. Posts : 2,470
    Windows 7 Home Premium
       #81

    ducat1base,


    Immunizing with the Panda USB Vaccine is a good idea, but, not fail-safe. A second round of malware showed up, even after having Panda. Have never used the program, and do not know if the type of malware presented can find its way to your computer, regardless of Panda. The malware appears to use rundll32.exe to execute a malicious file and avoid detection.

    In any event, let’s do the following, and then take a look at the contents of infected SD card #2, and the external drive…


    To stop the Autorun feature, download and run the following:
    Microsoft Fix It 50471: http://support.microsoft.com/kb/967715
    Scroll down to: How to disable or enable all Autorun features in Windows 7 and other operating systems
    Click Run in the File Download dialog box, and follow the steps in the wizard.


    Note: There is an option to disable or enable Autorun automatically. You can do so later, but, consider whether other SD cards or USB drives, etc. will be plugged in.

    Reboot the system after applying the Microsoft FixIt.

    Next, let’s go back to: USBFix
    Right-click the USBFix.exe file and select: Run as Administrator
    Plug in SD card #2, and the external/removable drive to the computer.

    Press: Listing

    Once the program is done, a UsbFix.txt file is found at C:\UsbFix.txt

    Please post the UsbFix.txt (Listing Mode) in your reply.


  2. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #82

    I ran Microsoft Fix it 50471 and then ran USBFix with two SD cards and an external inserted. Here's what I got:

    UsbFix [Listing 2 ] OWNER-HP.txt


  3. Posts : 2,470
    Windows 7 Home Premium
       #83

    Interesting. USBFix is showing G:\, which may be an SD card, as infected.

    Presuming the other SD card is J:\

    Is I:\ the external hard drive?


    The Farbar Recovery Scan Tool (FRST) is updated once again, and we need to use it.

    Please remove your copy of FRST, and get a new one:
    Farbar Recovery Scan Tool Download
    Save to the Desktop.
    Now, please open Notepad once again (Start > All Programs > Accessories > Notepad)
    Copy the entire contents of the code box below to Notepad:
    Save it on the Desktop, and name it: fixlist.txt

    Code:
    start
    G:\_WY.init
    G:\desktop.ini
    G:\Thumbs.db
    G:\Removable Disk (4GB).lnk
    CMD: attrib /d /s -s -h G:\*.*
    end
    Run FRST, and press the Fix button, just once, and wait.
    The tool creates a report on the Desktop called: Fixlog.txt

    Please post the Fixlog.txt in your reply.

    Also run USBFix once again.
    Right-click the USBFix.exe file and select: Run as Administrator
    Plug in the SD cards, and the external/removable drive to the same port as before.
    Press: Listing

    Once the program is done, a UsbFix.txt file is found at C:\UsbFix.txt
    Please post the new UsbFix.txt (Listing Mode) in your reply.


  4. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #84

    When running FRST, should I have the external and SD cards plugged in?

    G -- SD card
    J -- SD card
    I -- External


  5. Posts : 2,470
    Windows 7 Home Premium
       #85

    Yes, please.


  6. Posts : 7,055
    Windows 7 Home Premium 32 bit
       #86

    cottonball said:
    ..........Immunizing with the Panda USB Vaccine is a good idea, but, not fail-safe. A second round of malware showed up, even after having Panda. Have never used the program, and do not know if the type of malware presented can find its way to your computer, regardless of Panda. The malware appears to use rundll32.exe to execute a malicious file and avoid detection.......
    Absolutely. Panda USB vaccine - which disables Autorun from inserted devices - can only protect against Autorun Shortcut virus commonly propagated from pen drives. Not any other type of virus that propagates out of Autorun. Those can flow in and out, in spite of Panda. :)


  7. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #87

    Okay, here's the Fixlog:
    Fixlog.txt

    And USBFix's listing:

    UsbFix [Listing 3 ] OWNER-HP.txt


  8. Posts : 2,470
    Windows 7 Home Premium
       #88

    Actually, I left out an entry on the last fixlist.

    Will you use the following fixlist, run FRST and press: fix

    Code:
     
    start
    CMD: attrib /d /s -s -h G:\*.*
    Folder: G:
    end
    Please post the fixlog.txt in order to get a final listing of G:


    Also, run Malwarebytes Anti-Malware
    Update the program.
    Select: Perform Full Scan
    When given the option to scan other drives, select G:, I:, and J:
    Please post its results when done.
    Last edited by cottonball; 29 Aug 2013 at 14:55.


  9. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #89

    Okay, the fixlog:
    Fixlog.txt

    ... MBAM's report:
    mbam-log-2013-08-30 (09-19-09).txt


  10. Posts : 2,470
    Windows 7 Home Premium
       #90

    On the UsbFix [Listing] report dated 29/08/2013, there is the following info:
    G:\ -> Removable drive # 4 Gb (4 Mb free - 99%) [] # FAT32
    I:\ -> Fixed drive # 298 Gb (284 Mb free - 95%) [] # NTFS
    J:\ -> Removable drive # 4 Gb (732 Mb free - 19%) [] # FAT32
    Presuming this is the previously infected drive which was formatted, and now has the Panda Vaccination.
    [17/08/2013 - 05:59:12 | H | 16] G:\AUTORUN.INF
    This is the External drive:
    [28/08/2013 - 23:07:46 | D ] I:\$RECYCLE.BIN
    [04/06/2013 - 16:36:52 | D ] I:\App_Mat
    [04/06/2013 - 16:38:00 | D ] I:\Blog
    [11/08/2013 - 17:35:50 | D ] I:\College
    [04/06/2013 - 16:36:54 | D ] I:\Extracurricular
    [04/06/2013 - 16:40:17 | D ] I:\Kindle
    [11/08/2013 - 17:35:24 | D ] I:\PCV
    [25/08/2013 - 09:06:10 | D ] I:\Photos
    [15/08/2013 - 10:49:15 | D ] I:\Scholarships for Burma
    [26/07/2013 - 19:37:15 | SHD ] I:\System Volume Information
    [27/08/2013 - 13:23:36 | D ] I:\Well Survey
    [29/04/2013 - 19:47:00 | D ] J:\DCIM
    Take action to vaccinate this External drive with Panda.
    USBFix can also vaccinate it, but, since you already used Panda, stay with it, just in case there are problems.

    After vaccinating, are you able to open the external and see any images in the DCIM folder?


    This drive should be the second SD card. Apparently, you plug this card into a Mac machine.
    The .Trashes, ._.Trashes, are the same as the Recycle.Bin in Windows.
    [22/07/2012 - 10:57:00 | AH | 4096] J:\._.Trashes
    [22/07/2012 - 10:57:00 | HD ] J:\.Trashes
    [22/07/2012 - 10:57:00 | SHD ] J:\.fseventsd
    [30/09/2012 - 23:49:52 | AH | 4] J:\_disk_id.pod
    [09/05/2013 - 13:19:10 | A | 1467] J:\.fseventsd.lnk
    [29/08/2013 - 09:34:10 | H | 16] J:\AUTORUN.INF
    The new fixlist.txt, now shows the contents of G:!!
    2013-08-07 15:00 - 2013-08-07 15:00 - 0000000 ____D () G:\
    2011-10-06 20:09 - 2011-10-06 20:09 - 0000000 ____D () G:\ \DCIM
    2012-06-28 01:47 - 2012-06-28 01:47 - 0000000 ____D () G:\ \DCIM\107___06
    2013-08-17 05:59 - 2013-08-17 05:59 - 0000016 ____H () G:\AUTORUN.INF
    2012-11-18 07:11 - 2012-11-18 07:11 - 0000004 ____A () G:\ \_disk_id.pod
    2013-08-07 15:00 - 2013-08-24 22:31 - 0000126 ____A () G:\ \desktop.ini
    2012-06-29 03:33 - 2012-06-29 19:27 - 1637585 ____A () G:\ \DCIM\107___06\IMG_2014.JPG
    2012-06-29 03:33 - 2012-06-29 19:27 - 1636839 ____A () G:\ \DCIM\107___06\IMG_2015.JPG
    2012-06-29 04:35 - 2012-06-29 19:27 - 1762389 ____A () G:\ \DCIM\107___06\IMG_2016.JPG
    2012-06-29 04:35 - 2012-06-29 19:28 - 1604709 ____A () G:\ \DCIM\107___06\IMG_2017.JPG
    2012-06-29 04:36 - 2012-06-29 04:36 - 1368280 ____A () G:\ \DCIM\107___06\IMG_2018.JPG
    2012-06-29 04:36 - 2012-06-29 04:36 - 1501613 ____A () G:\ \DCIM\107___06\IMG_2019.JPG
    2012-06-29 04:36 - 2012-06-29 19:28 - 1820398 ____A () G:\ \DCIM\107___06\IMG_2020.JPG
    2012-06-29 04:36 - 2012-06-29 19:28 - 1454799 ____A () G:\ \DCIM\107___06\IMG_2021.JPG
    2012-06-29 04:37 - 2012-06-29 19:28 - 1446210 ____A () G:\ \DCIM\107___06\IMG_2022.JPG
    2012-06-29 04:37 - 2012-06-29 04:37 - 1516152 ____A () G:\ \DCIM\107___06\IMG_2023.JPG
    2012-06-29 04:38 - 2012-06-29 19:28 - 1929643 ____A () G:\ \DCIM\107___06\IMG_2024.JPG
    2012-06-29 04:38 - 2012-06-29 19:28 - 1814626 ____A () G:\ \DCIM\107___06\IMG_2025.JPG
    2012-06-29 04:38 - 2012-06-29 19:28 - 1582525 ____A () G:\ \DCIM\107___06\IMG_2026.JPG
    2012-06-29 04:38 - 2012-06-29 04:38 - 1614540 ____A () G:\ \DCIM\107___06\IMG_2027.JPG
    2012-06-29 04:43 - 2012-06-29 19:29 - 2002291 ____A () G:\ \DCIM\107___06\IMG_2028.JPG
    2012-06-29 04:43 - 2012-06-29 19:29 - 2011520 ____A () G:\ \DCIM\107___06\IMG_2029.JPG
    2012-06-29 04:43 - 2012-06-29 19:29 - 1940839 ____A () G:\ \DCIM\107___06\IMG_2030.JPG
    2012-06-29 04:43 - 2012-06-29 04:43 - 2375814 ____A () G:\ \DCIM\107___06\IMG_2031.JPG
    2012-06-29 04:44 - 2012-06-29 04:44 - 2380575 ____A () G:\ \DCIM\107___06\IMG_2032.JPG
    2012-06-29 05:07 - 2012-06-29 19:29 - 1495368 ____A () G:\ \DCIM\107___06\IMG_2033.JPG
    Open this card, and check out whether you can see the images.



    With the SD cards and the External plugged into the same ports...

    Also, use the following fixlist, run FRST and press: Fix

    Code:
     
    start
    CMD: attrib /d /s -s -h J:\*.*
    Folder: J:
    end
    Please post the fixlog.txt in order to get a final listing of J:

    Also run USBFix once again.
    Right-click the USBFix.exe file and select: Run as Administrator
    Press: Listing

    Please post the new UsbFix.txt (Listing Mode) in your reply.
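An added example, not part of any post in this thread and not code from UsbFix or FRST: a small triage script for UsbFix listing lines like those quoted in post #90, flagging root-level shortcuts (including one that shadows a folder of the same name) and AUTORUN.INF. The line format is inferred from the quoted lines, the heuristics are generic assumptions, and one sample line is constructed and marked as such.

```python
import re
from ntpath import basename, dirname, splitext  # Windows path rules on any OS

# Assumed line shape, inferred from the listing quoted in post #90:
# [DD/MM/YYYY - HH:MM:SS | ATTRS | SIZE] PATH   (directories carry no size)
LINE_RE = re.compile(
    r"^\[(\d{2}/\d{2}/\d{4}) - (\d{2}:\d{2}:\d{2}) \| ([A-Z]+) (?:\| (\d+))?\] (.+)$"
)

SAMPLE = "\n".join([
    r"[17/08/2013 - 05:59:12 | H | 16] G:\AUTORUN.INF",
    r"[22/07/2012 - 10:57:00 | HD ] J:\.Trashes",
    r"[22/07/2012 - 10:57:00 | SHD ] J:\.fseventsd",
    r"[09/05/2013 - 13:19:10 | A | 1467] J:\.fseventsd.lnk",
    r"[29/04/2013 - 19:47:00 | D ] J:\DCIM",
    # Constructed line (date and size invented) for the shortcut named in
    # the fixlist of post #83; the five lines above are quoted from post #90.
    r"[24/08/2013 - 22:31:00 | A | 1500] G:\Removable Disk (4GB).lnk",
])

def parse(text):
    """Return one dict per listing line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = int(m.group(4)) if m.group(4) else None
            entries.append({"attrs": m.group(3), "size": size, "path": m.group(5)})
    return entries

def findings(entries):
    """Heuristic triage: (path, reason) for root-level items worth a look."""
    folders = {e["path"].lower() for e in entries if "D" in e["attrs"]}
    out = []
    for e in entries:
        path = e["path"]
        stem, ext = splitext(path)
        if not dirname(path).endswith(":\\"):
            continue  # only the drive root is triaged here
        if ext.lower() == ".lnk":
            shadow = stem.lower() in folders
            out.append((path, "shortcut shadows a folder" if shadow else "shortcut at drive root"))
        elif basename(path).lower() == "autorun.inf":
            out.append((path, "autorun.inf: confirm it is the vaccine placeholder"))
    return out

if __name__ == "__main__":
    for path, reason in findings(parse(SAMPLE)):
        print(f"{path}: {reason}")
```

A flagged line is a prompt to inspect the file, not a verdict; the listing alone cannot show what a shortcut points to.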


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
