Attention: cottonball, virus deleted all SD photos


  1. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #91

    Both SD cards are different than the one formatted. I left the formatted one out since there's nothing on it now anyway. The G:/ should have photos on it though!

    I can see all my photos in J:/ though--great!! Am I in the clear now with this and able to delete these extra folders?

    [Screenshot: j_drive.jpg]

    G:/ on the other hand only displays a handful of the original ones I had. :-/

    And for some reason I'm not able to vaccinate I:/ with Panda. I get this "NTFS Disabled" screen when I try:

    [Screenshot: panda_vac.jpg]

    I went ahead and used USBFix and it said it was able to vaccinate the external.

    Fixlog.txt

    Here is the new FRST report:
    UsbFix [Listing 4 ] OWNER-HP.txt

    And the new Fixlog:
    Fixlog.txt


  2. Posts : 2,470
    Windows 7 Home Premium
       #92

    The folders/files on J: are not malware:
    \._.Trashes
    \.Trashes
    \.fseventsd
    \.fseventsd.lnk

    The above are files Mac OS X places on a drive. Apparently you plug (or have plugged) that SD card into a Mac PC. What I know about Mac can be written on the nail of your smallest finger, and there will be some space left over. Whether you can delete them and have no problem if you plug the card into a Mac again, I do not know.

    \_disk_id.pod
    Looks like programming for the camera that was written to the card.
    If you remove it, your camera may give you some attitude.
    You may want to ask the Canon folks about deleting the file. The file appears to be so small, it might not be worth the bother.

    DCIM
    Folder: Digital Camera IMages (deals with picture storage)


    "G:/ on the other hand only displays a handful of the original ones I had."
    Might want to use the guidance that jumanji gave you, and attempt to recover the lost images on G:


    Are you able to open the External drive without problems?

    Last, please run RogueKiller once again, do a Scan, and post its RKreport.

    If OK, and you do not have any more malware problems, we can wrap up, and will provide you some instructions on removing some of the programs we have used.


  3. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #93

    Hey coach, if this is the end of the line then woo!

    Here's RKiller's report:

    RKreport[0]_S_08312013_124256.txt

    Am I healthy now?

    Edit: Yes, I can see everything in my external. Still has that $RECYCLE.BIN file, though. Is that okay to delete?
    Last edited by ducat1base; 31 Aug 2013 at 01:19. Reason: Add info.


  4. Posts : 2,470
    Windows 7 Home Premium
       #94

    Looking good!!

    Let's wrap up and remove the following tools and their reports, which are no longer needed:

    To remove the FRST Quarantine...
    Remove any fixlist.txt from the Desktop.

    Open Notepad (Start > All Programs > Accessories > Notepad)
    Copy/paste all the contents of the quote box below to Notepad (do not copy the word 'Quote').
    Save it on the Desktop as: fixlist.txt
    start
    DeleteQuarantine:
    end
    Run FRST from the Desktop again, press the Fix button once.
    When done, you can delete the fixlog produced, any leftover fixlist, and the FRST icon from the Desktop (if still there).

    To uninstall ComboFix, please do the following:

    Click on the Start button
    In the Search field above Start, type in (or copy/paste): combofix /uninstall
    (Please note that there is a space between combofix and /uninstall.)
    Press: Enter on your keyboard.

    An Open File security warning appears, asking if you are sure you want to run ComboFix.
    Click on the Run button to start the program.
    ComboFix uninstalls itself from your computer and removes any backups and quarantined files.
    When finished, a dialog box states that ComboFix is uninstalled.
    You can now delete the ComboFix.exe program from your Desktop.

    Next, remove the following tools and their reports:
    RogueKiller
    WinRar: uninstall from Control Panel > Programs and Features > Uninstall or Change a Program listing.
    Unhide.exe
    RKill
    MiniRegTool64
    USBFix
    AdwCleaner: run the program, and press: Uninstall
    Junkware Removal Tool
    Microsoft Safety Scanner: uninstall from Control Panel > Programs and Features > Uninstall list
    Malwarebytes Anti-Rootkit: uninstall from Control Panel > Programs and Features > Uninstall list
    Security Check

    Keep Malwarebytes Anti-Malware, and use it regularly.
    Particularly, if you have connected a USB pendrive or SD card to someone else's computer, and you are connecting it back to your computer!

    "...external. Still has that $RECYCLE.BIN file, though. Is that okay to delete?"
    Windows places that folder on the drive. It is used to store deleted files for that specific volume, and emptied from the Recycle Bin.
    Do not delete unless you are having issues with it.


    Thanks for following all the instructions and providing all the reports!!

    Good luck, ducat1base!!!


  5. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #95

    Okayyyy, the comp is all cleaned up now. Feeling good. Thanks for helping me root all the issues out and making the instructions so simple to understand -- the step-by-step directions were much appreciated!

    A last question: I have Panda and I'll run MBAM frequently now. Is there anything else I can do to protect my computer? We've had two instances now in which I've been infected. I wouldn't mind overprotecting myself to prevent another!

    Thanks, @cottonball!


  6. Posts : 2,470
    Windows 7 Home Premium
       #96

    ducat1base,

    The infections detected had an origin in removable media (USB pen drives, SD Cards, External drive).

    You took action to disable the autorun feature, vaccinated the drives, and, your antivirus should be able to detect malware. However, it has not. Maybe its virus definitions were not kept updated, or the malware is relatively new, and the AV program has not caught up with it.

    It should use heuristic analysis to detect new or unknown viruses that have not yet been identified. But, not all antiviruses can do this type of scan, and some are only able to detect known viruses.

    I am not familiar with Webroot Security Anywhere Antivirus, but, from a Google search it appears there are heuristic detection modes that can be selected through its settings. You may want to look at those, and, in particular, any found that deal with USB devices. You should also be able to find a Webroot support website where you can ask specific questions about this matter.


    There is a program you can consider that checks for malware on removable drives automatically.
    It is called Mc2Shield (not associated with McAfee):
    MCShield ::Anti-Malware Tool::

    Before you plug in a removable drive in your computer, at the program console, Scanner tab, click on: BulletProof
    Then, plug in the drive, and the program automatically checks for malware and removes it.
    You can repeat the steps for any drive you use.

    A Mcshield report appears with the results of the removable drive scan.

    You would need to experiment with this program to make sure it gets along with Webroot, though. Use it on a trial basis, and see how it goes.

    Frequent runs of Malwarebytes Anti-Malware where you perform a Full Scan, and select the removable media should help, along with the Panda Vaccine, and the disabled autorun feature.
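
A read-only way to check the protections post #96 relies on, as an added PowerShell example that is not part of the original thread or of any tool mentioned in it: it reports the NoDriveTypeAutoRun policy value and lists drive-root items worth a second look on removable drives. The review criteria (autorun.inf, root-level shortcuts, hidden+system folders) are this example's assumptions.

```powershell
# Added example: audit the AutoRun policy and removable-drive roots. Changes nothing.
# The "review" criteria below are assumptions of this example, not from the thread.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($path in $policyPaths) {
    $prop  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = $prop.NoDriveTypeAutoRun
    if ($null -eq $value) {
        Write-Output "$path : NoDriveTypeAutoRun not set (Windows default applies)"
    } elseif (($value -band 0xFF) -eq 0xFF) {
        Write-Output "$path : AutoRun disabled for all drive types (0xFF)"
    } else {
        Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}; some drive types still allowed" -f $path, $value)
    }
}

# Folders Windows creates itself on a volume (the thread covers $RECYCLE.BIN).
$knownSystem = '$RECYCLE.BIN', 'System Volume Information'

# DriveType 2 = removable disk (SD cards, pen drives). External hard disks
# usually report as DriveType 3 and are not listed by this filter.
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    Write-Output "`nDrive $root (file system: $($disk.FileSystem))"

    # -Force includes hidden and system items, which Explorer hides by default.
    foreach ($item in (Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)) {
        $notes = @()
        if ($item.Name -ieq 'autorun.inf') { $notes += 'autorun.inf present' }
        if (-not $item.PSIsContainer -and $item.Extension -ieq '.lnk') { $notes += 'shortcut at drive root' }
        if ($item.PSIsContainer -and ($knownSystem -notcontains $item.Name) -and
            ($item.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($item.Attributes -band [IO.FileAttributes]::System)) { $notes += 'folder marked hidden+system' }
        if ($notes.Count -gt 0) {
            Write-Output ("  review: {0}  [{1}]" -f $item.Name, ($notes -join '; '))
        }
    }
}
```

An item listed under "review" is only a prompt to look at it; a vaccinated drive, for instance, is expected to carry an autorun.inf placed there by the vaccine tool.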


  7. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #97

    Great, I'll give MCShield a shot. Thanks again for your help!


  8. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #98

    Also, just tried adding to your reputation by clicking on the scale in your posts but it wouldn't let me. Apparently I need to "spread" some more reputation around before coming back. Thanks anyway!


  9. Posts : 2,470
    Windows 7 Home Premium
       #99

    Glad to help.

    Have a great week!!


 