Attention: cottonball, virus deleted all SD photos

Page 3 of 10 FirstFirst 12345 ... LastLast

  1. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #21

    And from the Command Prompt:

    cmd.txt
      My Computer


  2. Posts : 2,470
    Windows 7 Home Premium
       #22

    ducat1base,

    You are still infected, and it changed its name. Let's see if we can nuke this from outside of Windows, but with access to the Registry.

    Please do the following...

    Since the computer boots, let's run the Farbar Recovery Scan Tool from the hard drive that contains your Operating System (normally C:\).
    (Doing this, since you may not have another computer.)

    Please print these instructions, and read them once, so you have an idea of what you are doing.
    Do follow them step by step.

    Here we go...

    FRST64.exe was previously saved to the Desktop

    Right-click Start, and select: Open Windows Explorer
    Look for drive C:\, or the drive that contains your Operating System (OS).
    Now, go to the Desktop, right-click FRST64.exe just once and hold it, then drag FRST64 right into C:

    ~~~~
    Next, remove the fixlist.txt previously on the Desktop. (To avoid confusion)
    Open Notepad once again (Start > All Programs > Accessories > Notepad)
    Copy the entire contents of the code box below to Notepad:

    Code:
    start
    HKCU\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd <===== ATTENTION!
    C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd 
    end
    Name it: fixlist.txt
    Save it on C:, which is the same place where FRST64 is at!

    >>> Restart the computer.

    As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
    Use the arrow keys to select the Repair your Computer menu item.
    Select your language settings, and click: Next
    Select your User account and click: OK/Next (If you did not set a password, leave blank.)

    On the System Recovery Options menu you get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Scan your computer's memory for errors.
    Command Prompt

    Select: Command Prompt

    ~~~~
    In the Command Prompt window, at the bliking cursor type: notepad
    (Note: Make sure the NumLk key is not active. If it is, you are not able to type correctly at the Command Prompt. If NumLk is active, press the Fn key and then the NumLk to deactivate it.)
    Press: Enter

    In Notepad, under the File menu select: Open
    Double-click: Computer (on the left side), find the drive letter that has the Operating System, and remember what letter it has.
    (Note: Once in this special mode you booted into, the drive containing the Operating System (OS) may not be C:\ (or the particular drive that has your OS).
    You need to examine the drives carefully, and determine which one is the correct drive.)

    Click on the OS drive
    In Files of Type, select: All files
    Press: Open
    Confirm that FRST.exe is there!

    ~~~~
    Now, click the Command Prompt window.
    Type the following: ?:\frst64.exe, and press: Enter
    (Note: Replace the ? with the drive letter that contains the OS.)

    The tool starts and prepares to run. Follow the prompts.
    Click Yes to the disclaimer.

    ~~~~
    When the FRST console appears, press the Fix button, just once, and wait.
    The tool creates a report called: Fixlog.txt

    ~~~~
    Back at System Recovery Options, press: Restart

    ~~~~
    After the computer restarts, and you are back in Windows, do a search for: Fixlog.txt

    Please post the Fixlog.txt in your reply.


    Double-click on the Unhide program icon on the Desktop to run the program.
    When done, the program displays an alert stating that your files are restored.

    Post back on whether Unhide gave you this alert!

    Reboot your computer for the settings to go into effect.

    Check the SD card, and see if the images show.
    Last edited by cottonball; 18 Aug 2013 at 21:52.
      My Computer


  3. Posts : 48
    Windows 7 Home Premium 64bit
    Thread Starter
       #23

    Still no photos

    The fixlog...
    Fixlog.txt

    and Unhide:
    Attention: cottonball, virus deleted all SD photos-unhide.jpg
      My Computer


  4. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #24

    Deleted post
    Last edited by VistaKing; 19 Aug 2013 at 14:21.
      My Computer


  5. Posts : 2,470
    Windows 7 Home Premium
       #25

    ducat1base,

    Before going any further, please do the following:

    Download MiniRegTool64.zip
    Unzip it.
    • Run the tool
    • Copy and paste the following into the edit box:

      HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

    • Click the List Permissions button.
    • Press the Go button, and post the result in your reply.
    Also realized that you had FRST in the Downloads folder, and fixlist.txt on the Desktop.
    The fixlist and FRST64 must be located in the same directory!!

    As a result, when we tried the fix, got the following:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load: Error setting value

    Currently, FRST is in C:, so, the fixlist.txt must be tplaced here also.


    This time, just run FRST and press Fix without going to the Command Prompt, etc.

    The entry needs to be fixed oin Windows, outside the recovery mode.

    Make sure you use the following text for the fixlist:

    Code:
    start
    Unlock: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    HKCU\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd <===== ATTENTION!
    C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd 
    end
    When done, please post the fixlog.txt in your reply.

    Last, but not least, right-click the J: drive (SD card) and select: Properties

    Please post an image of the Removable Disk J: Properties
    Last edited by cottonball; 19 Aug 2013 at 20:20.
      My Computer


  6. Posts : 467
    Linux Mint 15 "Olivia" x32
       #26

    forgive me if I'm being stupid here, i just sorta skimmed thru this post. Can't we, if the files were deleted as it appears to me, use an undelete program to recover the photos and then format the USB, since it seems it might contain a potential virus, wouldn't it remove the virus? Also, if we look into an undelete program, and they show up, we should know that they're no longer on the USB, correct? Or is the problem inside windows? even then we can still try an undelete program right?
      My Computer


  7. Posts : 2,470
    Windows 7 Home Premium
       #27

    redfang337,

    Thanks for the info. :)

    Can't we, if the files were deleted as it appears to me, use an undelete program to recover the photos
    What is your idea of an "Undelete program"?
    Just want to make sure we are on the same page.


    ...is the problem inside windows
    The problem appears to be inside Windows at this point, but there could also be a problem in the USB drive. The most logical place would be in the autorun file, but we can't open it.
      My Computer


  8. Posts : 2,470
    Windows 7 Home Premium
       #28

    ducat1base,

    After performing the actions in Post #25, please do the following:

    Please download UsbFix (free) - Download the latest version for Windows in english on Kioskea

    Go to the small green button with: Download Free Version (1MB)
    Right-click the downloaded file and select: Run as Administrator
    Connect your SD Card when requested.
    Press: Listing

    When done, the program closes on its own, and a report appears.

    Please post the USBFix Listing report in your reply.
      My Computer


  9. Posts : 467
    Linux Mint 15 "Olivia" x32
       #29

    why not recuva? scan the SD with portable recuva, recover the files to a specified folder on the desktop, then format the usb to get rid of the virus. Sounds like a simple fix to me, or am i missing something still?
      My Computer


  10. Posts : 2,470
    Windows 7 Home Premium
       #30

    @redfang337,

    Ah!! A data recovery program. When you mentioned "Undelete" program, was not sure of what you had in mind.

    At this point, IMO, the images are hidden by malware, and hopefully we will find out some more details about them when ducat1base posts back.

    If it is not the case, then, other options will need to be explored.
    However, the OP needs to remain on course until the malware is taken care of.
      My Computer


 
Page 3 of 10 FirstFirst 12345 ... LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 08:10.
Find Us