Attention: cottonball, virus deleted all SD photos


  1. Posts : 2,470
    Windows 7 Home Premium
       #11

    Last try...go back to Safe Mode with Command Prompt as you did before

    At the Command Prompt, proceed with the following commands:

    Code:
    j:
    attrib -h -r -s autorun.inf
    edit autorun.inf

    The above should display the contents of the file.

    To copy the info provided, right-click the small command prompt icon on the upper left side
    From the menu, go to Edit > Select All
    Next, go to Edit > Copy

    Now, to close the Command Prompt, type in: exit

    Open Notepad (Start > All Programs > Accessories > Notepad), and paste the contents of the copied info for autorun.inf in your reply.

    ^^ If the above does not work, the Panda USB Vaccine must have blocked the autorun.inf file, preventing it from being read, or modified. This cannot be reversed except with a format.
    Can't do!

    Pressing on with FRST...

    Please open Notepad (Start > All Programs > Accessories > Notepad)
    Copy the entire contents of the quote box below (Do not copy the word 'Quote')
    Save it on the Desktop, and name it: fixlist.txt

    start
    HKCU\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msofzw.cmd <===== ATTENTION!
    Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    end

    This script is written specifically for ducat1base, and, only for use on this infected computer.
    Running this on another computer may cause damage to the Operating System!!

    Run FRST, and press the Fix button, just once, and wait.
    The tool creates a report on the Desktop called: Fixlog.txt
    Please post the Fixlog.txt in your reply.


    Now, let's use unhide.exe to see if it can reveal what was hidden...

    Download:
    http://www.bleepingcomputer.com/download/unhide/
    Save to the Desktop.

    Double-click on the Unhide icon to run the program.
    When done, the program displays an alert stating that your files are restored.

    Reboot your computer for the settings to go into effect.

    Check the SD card, and see if the images show now.

    Next, please use RKill.exe to terminate any malware processes (if still present): http://www.bleepingcomputer.com/download/rkill/
    Save to the Desktop.

    If RKill.exe does not run, then download and try to run RKill.com:
    http://www.bleepingcomputer.com/download/rkill/

    You only need to get one of the versions of RKill to run.

    There are additional versions:
    RKill.scr: http://www.bleepingcomputer.com/download/rkill/

    Also, RKill, renamed, can be downloaded from the following links:
    iExplore.exe: http://www.bleepingcomputer.com/download/rkill/
    uSeRiNiT.exe: http://www.bleepingcomputer.com/download/rkill/
    WiNlOgOn.exe: http://www.bleepingcomputer.com/download/rkill/

    If your AntiVirus warns you about this tool, ignore the warning, or temporarily disable your AntiVirus.

    Right-click on the downloaded RKill file and select: Run as Administrator

    A black DOS box briefly flashes and then disappears. This is normal and indicates the tool ran successfully.
    After running the tool, do not reboot.

    When the scan is done Notepad opens with the RKill report.

    Please post the RKill report in your reply.


    Without a reboot, please close all windows and browsers, and run RogueKiller again.
    Right-click and select: Run as Administrator

    At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)

    Press: SCAN

    When done, a report opens on the Desktop: RKreport.txt

    Please provide the RKreport.txt (Mode: Scan) in your reply.


    Follow up with Malwarebytes Anti-Malware:
    Download: http://www.bleepingcomputer.com/down...-anti-malware/
    Save to the Desktop

    Make sure J: (the SD Card) is the only removable storage connected to the computer.
    Right-click the downloaded MBAM file, and select: Run as Administrator

    When the installation begins, follow the prompts in the setup process.
    DO NOT make any changes to default settings and when the program has finished installing, make sure only the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware options are checked.
    Uncheck: Enable free trial of Malwarebytes Anti-Malware PRO
    Click on the Finish button.

    If an update is found, the program automatically updates itself.
    At the program console, on the Scanner tab, select: Perform Full Scan
    When the Select the Drives to scan appears, make sure all drives (except CD-Rom, DVD) are selected, and in particular, J:.

    Next, click on the Scan button.

    When the Malwarebytes scan is completed, click on: Show Results
    When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

    When removal is completed, a report opens in Notepad.
    Please copy/paste the entire contents of the MBAM report in your reply.


    Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.
    Last edited by cottonball; 27 Aug 2013 at 13:57.


  2. Posts : 2,470
    Windows 7 Home Premium
       #12

    Note: Post above was edited!!


  3. Posts : 7,055
    Windows 7 Home Premium 32 bit
       #13

    Hi ducat1base,

    Sometimes we overlook some obvious fact and keep running around. This one really beat me and in a flash I suddenly remembered that tiny little switch on the SD Card.

    Are you sure the switch is in unlocked position? !!!!!!!!!!!


  4. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #14

    Hey @jumanji, the SD Card is unlocked. @cottonball, whatever is in the system has done the same to my other SD cards. Evidently they were infected before I noticed the first instance. After running everything in your above post, still no photos on any of them. Here are the results from your instructions:

    Fixlog.txt

    Rkill.txt

    RKreport[0]_D_08182013_101816.txt

    mbam-log-2013-08-18 (10-27-54).txt


    I noticed MBAM found quite a bit of malware. When we get through debugging this (and maybe, yet again, it's my computer that's infected and not the USB?!), I'd appreciate advice on how I can prevent this from happening in the future. As I mentioned in our last exchange, I work in rural villages in Cambodia. I'm often the only one with a computer and as a result all USB drives go straight to me. Many villagers unwittingly plug their USBs into any computer without protection and as a result a good number of them are infected. Many know they have a virus but don't understand what that means for their files or my computer! Is there any software out there that guarantees me protection against the viruses and infections from USBs I'm receiving? @jumanji mentioned Panda, and I now have that, but is there anything a bit more proactive in deterrence? Maybe I should just run the programs you're having me run now more frequently? As much as I love our exchanges, I really don't want to keep losing files and getting infected! I'd appreciate any suggestions.


  5. Posts : 2,470
    Windows 7 Home Premium
       #15

    @jumanji,

    If the SD drive was locked, I think a message with "The disk cannot be written to because...etc." would have shown up earlier in the game.


    @ducat1base,

    Did you reboot when MBAM was done?


    There were a couple of entries for which 'Access is denied', or, there was an 'Error setting value', etc. showing in FRST and in RogueKiller.

    Let's see if you got rid of those for sure.


    Please run FRST once again, but, plug in the SD card (only J) before you do so.

    Press the Scan button.
    FRST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

    Please provide the new FRST.txt in your reply.


    Also run RogueKiller, and just do a Scan.


    Are the images you are looking for in the SD card in a folder of their own, or, are they all over?


  6. Posts : 7,055
    Windows 7 Home Premium 32 bit
       #16

    cottonball said:
    @jumanji,

    If the SD drive was locked, I think a message with "The disk cannot be written to because...etc." would have shown up earlier in the game......
    OK, I just wanted to make sure it was not locked. My turn to take a beating.


  7. Posts : 2,470
    Windows 7 Home Premium
       #17

    @jumanji,

    My turn to take a beating...
    Thought it was called a constructive comment!


  8. Posts : 2,470
    Windows 7 Home Premium
       #18

    ducat1base,

    Do you have a Canon camera?

    DCIM (Folder) = Digital Camera IMages (stores the pictures?)

    MISC (Folder) = catch-all folder that stores anything that doesn't belong in the DCIM folder


    Could you check out what is inside the DCIM folder?


  9. Posts : 2,470
    Windows 7 Home Premium
       #19

    If DCIM does not open, either by double-clicking, right-clicking and selecting Open, or, using WinRAR, please do the following:

    Go to Start > All Programs > Accessories > Command Prompt
    Right-click on the Command Prompt and select: Run As Administrator

    At the blinking cursor of the Command Prompt, type in (or copy/paste with mouse) the following commands inside the code box, and press Enter:

    Code:
    cd\
    j:
    dir /s
    cd DCIM
    dir /s

    To copy the text contained/produced in the Command Prompt, click on the small command icon in the top left corner, and then choose:
    Edit > Select All
    Once again, Edit > Copy

    Open Notepad, and paste the text to it.
    Please post the text in your reply.

    To close the Command Prompt, use the [X], or type in: exit
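
    The directory listing and autorun.inf inspection from the posts above, as an added read-only PowerShell example that is not part of the original thread: it lists everything on the card, including items flagged Hidden or System (which a plain `dir /s` leaves out), and prints autorun.inf as text with its launch entries marked. The drive letter J: comes from the thread; the `$Drive` parameter name is an assumption.

```powershell
# Added example: read-only triage of a removable drive.
# Nothing on the drive is executed, modified or deleted.
param([string]$Drive = 'J:')   # J: is the SD card letter used in the thread

$root = "$Drive\"

# 1. Enumerate every item. -Force makes Get-ChildItem return entries
#    carrying the Hidden or System attribute, which are skipped otherwise.
$items = @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue)

$flagged = @($items | Where-Object {
    ($_.Attributes -band [IO.FileAttributes]::Hidden) -or
    ($_.Attributes -band [IO.FileAttributes]::System)
})

"{0} items on {1}, {2} of them Hidden or System" -f $items.Count, $Drive, $flagged.Count
$flagged | Select-Object FullName, Attributes, Length | Format-Table -AutoSize

# 2. Executables, scripts and shortcuts are unexpected on a camera card.
$items | Where-Object { -not $_.PSIsContainer -and
                        $_.Extension -match '^\.(exe|com|scr|cmd|bat|vbs|js|lnk|pif)$' } |
    Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

# 3. Print autorun.inf as plain text and mark the keys that start a program.
$inf = Join-Path $root 'autorun.inf'
if (Test-Path -LiteralPath $inf -PathType Leaf) {
    try {
        $lines = @(Get-Content -LiteralPath $inf -Force -ErrorAction Stop)
    } catch {
        # Matches the case described in the thread where the file is blocked.
        "autorun.inf exists but could not be read: $($_.Exception.Message)"
        $lines = @()
    }
    foreach ($line in $lines) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            "LAUNCH ENTRY  {0} -> {1}" -f $Matches[1], $Matches[2]
        } else {
            "              $line"
        }
    }
} else {
    "No autorun.inf file in the root of $Drive"
}
```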


  10. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #20

    Yes, I have a Canon G12. There's nothing in either the DCIM or MISC folder when I open it.

    And I don't believe I rebooted immediately after running MBAM. I posted the reports on this thread and then shut the computer down shortly after.

    Here is the new FRST report:
    FRST.txt

    And the new RKiller report:
    RKreport[0]_S_08192013_064446.txt


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
