Windows 7: Attention: cottonball, virus deleted all SD photos


15 Aug 2013   #1

Windows 7 Home Premium 64bit
 
 

Hey,

Having some of the same issues as from this time: ZeroAccess! Attention: cottonball.

This round, whatever is in my computer has deleted all the photos on my SD card :-/ I ran RogueKiller and came up with this report:

RKreport[0]_D_08152013_145201.txt

I think these viruses are coming from infected USB drives. In the future, any recommendations for prevention software I can run to pre-scan USB drives for viruses? I'd love to never run into these problems again! :-)




15 Aug 2013   #2

Windows 7 Home Premium
 
 

Which AntiVirus program are you using?
Is it set to scan USB drives? Some programs do not do this by default.

Pressing on with RogueKiller...

Make sure you downloaded the latest version of the program. Several updates have been made to it recently:
RogueKiller download
Select the download that applies to your system (32-bit, or, 64-bit)

•Quit all programs
•Right-click the RogueKiller file and select: Run as Administrator
•Wait until the Prescan finishes
•Press: Scan
•When the scan is done, press the [Shortcut-Fix] button.

Please post the new RKreport (Mode: Delete) created on the Desktop in your reply.


Also download the Farbar Recovery Scan Tool
Select the version that applies to the system.

Save it to the Desktop.
  • Double-click the downloaded file to run it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.
15 Aug 2013   #3

Windows 7 Home Premium 32 bit
 
 

For protecting your PC from infected pen drives, you may look into Panda USB Vaccine.

ANTIMALWARE: Panda USB Vaccine - Download FREE - PANDA SECURITY

Panda USB Vaccine Free Download - Remove Autorun.inf Virus

If you are going to use it, do make sure that you vaccinate your clean PC with it, before plugging in any USB pen drive. (You may devaccinate your PC after unplugging the pen drive, so that autorun is again enabled for the other devices on your PC, if you so desire.)

There are many other tools too.

The paid Autorun Virus Remover can protect your PC and also remove the autorun virus and seems to be more versatile but for a steep price.

Ninja Pendisk seems to be more popular. So I guess it is a positive point for it. (I have no means to test or try any of these.) From what I have read and researched, I may consider only these three.

10 Tools to Protect Computer from Infected USB Flash Drives.


15 Aug 2013   #4

Windows 7 Home Premium 64bit
 
 

I'm running Webroot Security Anywhere. It is set to scan USB drives, so I'm not entirely sure why it's not catching any!

@jumanji, thanks for those links, I went ahead and dloaded Panda USB Vaccine.

Here are the two reports:

FRST Report: FRST.txt

RKiller Report: RKreport_8_16.txt


16 Aug 2013   #5

Windows 7 Home Premium
 
 

Are the files on the SD showing after using the Shortcut Fix?

This virus appears to be launched through the autorun.inf file when a USB device or SD card is connected to the computer. The virus adds a line to the autorun.inf file, creates shortcuts of folders, changes the attributes of folders to hidden and also may create a random named folder on the USB drive or SD card. Within this random named folder, the .exe file producing the shortcuts of your original folders is found.

If RogueKiller did not take care of the issue, please do the following:

Press the Windows Key and the R key at the same time.

In the Run prompt, type the following in the Open area, and press Enter: cmd

When the Command Prompt opens, copy/paste (with the mouse) the following, and press Enter

Code:
attrib -h -r -s /s /d X:\*.*
(Change the drive letter X to the letter corresponding to the SD Device.)
Press: Enter

Post back on whether the files are now visible.

If still no go, we'll check out the content of the SD card, and take action from there.
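Added example, not part of the post above or of any tool named in the thread: a small Python parser that reads the text of an autorun.inf and lists the lines that would start a program (`open`, `shellexecute`, `shell\<verb>\command`), which is the kind of added line post #5 describes. The sample file, its folder name and its .exe name are constructed for illustration.

```python
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)

def launch_entries(text):
    """Return (key, command) pairs from [autorun] that start a program.

    Parsing is deliberately tolerant: junk lines, comments and odd casing are
    skipped instead of raising, because a tampered file is rarely clean INI.
    """
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            entries.append((key.lower(), value))
    return entries

def referenced_programs(entries):
    """Extract the program path each command points at (first token, quotes removed)."""
    paths = []
    for _key, command in entries:
        m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
        if m:
            paths.append(m.group(1) or m.group(2))
    return paths

# Constructed sample (not from the thread): a random-named folder holding an .exe.
SAMPLE = r"""
;kq3vXz
[AutoRun]
icon=%SystemRoot%\system32\shell32.dll,4
OPEN = xkqjzw\wmplay.exe /s
garbage line without equals
shell\Explore\Command="xkqjzw\wmplay.exe" /s
[Content]
MusicFiles=false
"""

if __name__ == "__main__":
    for key, cmd in launch_entries(SAMPLE):
        print(f"{key:28} -> {cmd}")
    print(referenced_programs(launch_entries(SAMPLE)))
```

Paste the contents of the card's autorun.inf in place of `SAMPLE`; the paths it reports are where to look for the .exe inside the random-named folder.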
16 Aug 2013   #6

Windows 7 Home Premium 64bit
 
 

This is all I see after running the code in the Command Prompt:

[Attached image: cmd_prompt.JPG]

I ran the same code from the Run prompt and it did uncover (or created?) some new files I hadn't seen before. Here's what I see now on the SD:

Attention: cottonball, virus deleted all SD photos-capture.jpg

Attention: cottonball, virus deleted all SD photos-capture_01.jpg

Still no images though!


16 Aug 2013   #7

Windows 7 Home Premium
 
 

Let's see if we can overcome the "Access Denied" notice, and also get some info...

Please download the latest version of WinRAR archiver, a powerful tool to process RAR and ZIP files
Select the 32-bit or 64-bit version that applies to your system.
Save to the Desktop.
Note that this download is a trial version of the WinRAR archiver for use during a test period of 40 days.

Double-click the downloaded program to install...
At the WinRAR Setup, click: OK
On the last prompt, feel free to check any of the tabs, and, when finished, press: Done
Close out of WinRAR.

Next, please plug in the SD card and restart the computer in Safe Mode with Command Prompt as follows:

*As the computer starts, tap the F8 key on your keyboard repeatedly until you are presented with the Windows 7 Advanced Boot Options menu.
*Using the arrow keys, select: Safe Mode with Command Prompt
*Press the Enter key on the keyboard, and let the computer boot to the option selected.


At the Command Prompt, copy/paste (with the mouse) the following commands contained inside the code box, and press Enter:
(If J is the actual letter of the drive.)

Code:
attrib -h -r -s /s /d J:\*.*
shutdown /r
Before shutting down, a prompt shows:
"You are about to be logged off.
Windows will shut down in less than one minute."

When the computer restarts, check the SD card once again, and post back on whether you can see the images.


If still no-go, tap the F8 key, and once again select: Safe Mode with Command Prompt
Press the Enter key on the keyboard, and let the computer boot to the option selected.

At the Command Prompt, copy/paste (with the mouse) the following commands contained inside the code box, and press Enter:
(If J is the actual letter of the drive.)

Code:
J: 
attrib -s -h -a 
attrib -r -s -h autorun.inf
shutdown /r
Before shutting down, a prompt shows:
"You are about to be logged off.
Windows will shut down in less than one minute."


When the computer restarts, open WinRAR.exe and browse to the SD card using WinRAR’s explorer.

After locating the SD card, open it in WinRAR to show all the files, including those that are hidden.

Search for the file Autorun.inf, open it with Notepad, name it arfile, and save it to the Desktop.

Please post the content of the Notepad arfile in your reply.
16 Aug 2013   #8

Windows 7 Home Premium 32 bit
 
 

Just to add to what cottonball has said about using WinRAR:

IMO, it is not necessary to run WinRAR in safe mode. You can run Windows in normal mode. (If there is any reason why cottonball wants it to be run in Safe mode, I do not know.)

Boot into Windows. Keep the Shift key pressed for a while, while inserting the SD Card which is necessary to disable autorun temporarily for that event. Open WinRAR, navigate to your SD Card and explore. Open the autorun file in notepad and post its contents.

(You can also open other folders and see whether any one of those contains your data and post your findings. You may also post a screenshot of the SD Card's content as seen in WinRAR.)
17 Aug 2013   #9

Windows 7 Home Premium
 
 

@jumanji,

Quote:
...it is not necessary to run WinRAR in safe mode...
Agree...just call it a "senior moment" (lapse in memory)!

Have not met my quota of those for this month.
17 Aug 2013   #10

Windows 7 Home Premium 64bit
 
 

Hmm, still unable to access the autorun file with WinRAR. I'm getting this:

[Attached image: winrar_autorun.JPG]

The only file I'm able to open that's in Notepad is desktop. Here's what it shows:

[Attached image: winrar_desktop_notepad.JPG]

