Attention: cottonball, virus deleted all SD photos

cottonball · 20 Aug 2013

ducat1base,

At this point we are beating a dead horse, and any attempt to continue working with the SD card is futile.

So, please remove the SD card or any USB pen drive from the laptop, and let's work on making sure the laptop is clean. Once that happens, there may be other options in the data recovery area, and someone like jumanji can guide you through it.

So, please press on, close all windows and browsers, and run RogueKiller again.
Right-click and select: Run as Administrator

At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the new RKreport.txt (Mode: Scan) in your reply.

Next, follow up with Malwarebytes Anti-Malware
Right-click the program and select: Run as Administrator

If an update is found, the program automatically updates itself.
At the program console, on the Scanner tab, and select: Perform Full Scan

Next, click on the Scan button.

When the Malwarebytes scan is completed, click on: Show Results
When presented with a screen showing the malware detected, make sure everything is Checked, and click on: Remove Selected

When removal is completed, a report opens in Notepad.

Please copy/paste the entire contents of the MBAM report in your reply.

Note: If MBAM encounters a file that is difficult to remove, you are asked to reboot the computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) prevents MBAM from removing all the malware.

ducat1base · 21 Aug 2013

Going to the source sounds good to me. Here's what I have from RKiller..

RKreport[0]_S_08212013_094545.txt

And from MBAM:

Malwarebytes Anti-Malware 1.75.0.1300
Malwarebytes : Free anti-malware download

Database version: v2013.08.17.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16660
Owner :: OWNER-HP [administrator]

8/21/2013 9:46:24 AM
mbam-log-2013-08-21 (09-46-24).txt

Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 395853
Time elapsed: 1 hour(s), 32 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|2264 (Trojan.Bot.RV) -> Data: C:\PROGRA~3\LOCALS~1\Temp\msqjiol.com -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\ProgramData\Local Settings\Temp\msqjiol.com (Trojan.Bot.RV) -> Quarantined and deleted successfully.
C:\FRST\Quarantine\msuamr.cmd (Trojan.Bot.RV) -> Quarantined and deleted successfully.
C:\Temp\TrustedInstaller.exe (Trojan.Bot.RV) -> Quarantined and deleted successfully.

(end)

cottonball · 21 Aug 2013

Did you reboot afete running Malwarebytes?

Let's press on with the following...

The Farbar Recovery Scan Tool was updated to deal with this malware and its Registry loading points, which are locked by permissions.

So, since FRST is now in C:, please delete it from there, download a new copy, and save it to the Desktop.

Farbar Recovery Scan Tool Download

Select the version that applies to the system.
Save it to the Desktop!!!!

Double-click the downloaded file to run it.
When the tool opens click Yes to disclaimer.
Press the Scan button.
FWhen done, RST64 makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).

Please provide the FSRT.txt report in your reply.

ducat1base · 21 Aug 2013

Yes, I rebooted the computer after running MBAM.

I went ahead and deleted FRST and downloaded the new version to the Desktop. Here are the scan results...

FRST.txt

Addition.txt

jumanji · 21 Aug 2013

I still see 1.8GB removable drive J in the Addition.txt.

Haven't you removed all USB drives and SD card as instructed by cottonball?

cottonball · 21 Aug 2013

This is what we see:

Drive J: () (Removable) (Total:1.83 GB) (Free:1.83 GB) FAT

Make sure any SD card or USB pen drive is not plugged into the laptop.

Next, run RogueKiller once again, and this time press:

When done, please post its new RKreport (Mode: Delete).

There are toolbars and 'stuff' showing that also need to go, but we will deal with those later.

cottonball · 21 Aug 2013

Was at a place where I could not use my computer. Tablets are not my favorite.

To get rid of toolbars and other 'stuff'...

Download AdwCleaner:

http://www.bleepingcomputer.com/download/adwcleaner/

Save the program to the Desktop
Close all open programs and internet browsers.
Right-click on adwcleaner.exe and select: Run As Administrator
At the program console, click on: Delete
When the program is done, the computer is rebooted automatically, and a text file opens after the restart.

Please post the AdwCleaner report in your reply.

Also use the Junkware Removal Tool Download
Save to the Desktop.

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications.
These programs may interfere with the running of JRT.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

Right-click JRT.exe and select: Run as Administrator
The tool opens and starts scanning the system. Please be patient as this can take a while...

When done, a report, JRT.txt is saved on the Desktop.

Please post the contents of JRT.txt in your reply.

Last, but not least, please download ComboFix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save ComboFix.exe to the Desktop

Disable your AntiVirus and AntiSpyware applications as they will interfere with ComboFix.
Info: http://www.techsupportforum.com/secu...lications.html

Double click combofix.exe and follow the prompts.

When finished, it produces a log.

Please include the C:\ComboFix.txt in your reply.

NOTE: If you encounter a message "Illegal operation attempted on registry key that has been marked for deletion" and no programs run, please reboot to resolve the error.

ducat1base · 22 Aug 2013

Okay, here are the reports from running the scans...

RKiller (sans SD card)
RKreport[0]_D_08222013_103819.txt

AdWare
AdwCleaner[S0].txt
AdwCleaner[R0].txt

JRT

JRT.txt

ComboFix

ComboFix.txt

cottonball · 22 Aug 2013

Good!

Let's hope ComboFix took care of some stubborn entries.

Please run RogueKiller once again, and this time press: Scan

When done, please post its new RKreport (Mode: Scan).

Note: Sans SD card ot any other USB pen or external drive!

Let's also get a second check, with Microsoft Safety Scanner.

Download:
http://www.microsoft.com/security/sc...s/default.aspx

Under the Download Now blue button, click: Select your version, which is 32-bit
Save to the Desktop

At the program console, select: Quick Scan
(Depending on whether it finds malware, and what it finds, you may be prompted to run a Full Scan. If so, please do.)

When done, search for the msert.log file, and post its results.

ducat1base · 22 Aug 2013

Ah, I just noticed a nub of my mouse's USB. I didn't even notice it until now.

Here's RKiller's report:
RKreport[0]_S_08232013_094336.txt

I scanned the computer using MSS and it came back saying no viruses were found. But I can't seem to locate the msert.log file now. I did a search from the Start menu but the only the only thing it's finding is the .exe file. Am I missing something?