0

I noticed about 2 weeks ago that a bunch (not all) of my picture and video files are gone!! The folders I had them arranged in are still there, but there is nothing in them. I have been losing my mind trying to figure out the problem. I have requested the assistance of 3 of my good computer buddies and nothing. I recently purchased DiskInternals Uneraser and it seems it found my old pictures from one folder, but not from the new path I had been using for about 3 months. I am extremely upset that all my data is lost FOREVER. Can anyone please help me to recover my files???? I already ran the please read before posting section and followed all directions. I don't know if this is a virus problem or what. PLEASE, PLEASE can anyone help me?????


Here are my requested logs:


Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 3

9/15/2008 2:23:25 PM
mbam-log-2008-09-15 (14-23-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195651
Time elapsed: 1 hour(s), 18 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{5269d0c0-572b-445a-88ac-8c8843b6d42b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{69c1ef64-a396-4490-8849-52af7f7ec6e5} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{95e554e1-04f3-4d9b-a4e9-881dc420882b} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f5f40e25-cf4d-434e-a6ae-ed625ae87cab} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88ebbe0b-5ff8-4b84-b043-71a216374a5b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mpfanvqg (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Janusware\ThumbsDb\ijl15.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP39\A0023575.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sherrie Metz\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sherrie Metz\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sherrie Metz\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


ESET ONLINE SCANNER LOG:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3443 (20080915)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=5a27d035f3b9a94aa9f09cbe57e0d31f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-09-15 08:12:51
# local_time=2008-09-15 04:12:51 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=352456
# found=0
# scan_time=5993

UNINSTALL LOG:

The only programs I did not recognize were the following:
Answer Works
Bonjour
Learn 2 Player

THANK YOU SO MUCH!!!

0

Hello, polop... I'm not going to take the time to examine each of the pests and their usual actions. I know of malwares which deliberately search for and delete jpg and vid files. Damage is done. I can give you another forensic tool [free] which will scan your disk thoroughly and find files [if they exist] even in deleted partitions. But not if they have been overwritten.... nothing can help then.
By the way... and I know that you have heard this advice before, but now there is a hammer behind it to drive it home... BACKUP!!! It's not as if it's a chore.... once you set it up it is automatic, in the background, no finger lifting required.
First thing to do when stuff vanishes is to check with cmd.exe's dir command, just in case it is a simple case of changed attributes.
Get TestDisk 6.9 ... It's not a simple tool to learn and run, but it works. If it doesn't find your missing files, then just accept that some lessons are hard. Beware!! that pgm can destroy your installation if you misuse it. So think before you press buttons... it does not ask for confirmations.

0

Thank you so much for responding. I will try what you said, as I am desperate to recover these files. If you think of anything else please let me know.

0

Regarding a backup program... it's not very helpful of me if I don't suggest one... after sorting through a selection this is the one I use [the freeware version].
http://www.2brightsparks.com/syncback/
Very easy to setup... and then it just works. Can't ask for more than that.
Its interface makes it easy to choose files, folders, to backup and also to remove unwanted backed-up material, schedule backups etc.

0

Thanks. I will try that from now on.

I just wanted to let you know I did purchase a file recovery program and it did find most of my missing pictures and videos.

I am a little hurt you were so quick to just suggest they are probably lost forever. I'm thinking it was not a virus that bad to just delete them if I was able to recover them. If that makes any sense. I would welcome any feedback to what may have happened or where they went if you might know.

I appreciate all your help in this matter. I am still hoping to find the last of the pictures as they are very important to me.

0

Heya, Polop, good stuff. But re your hurt, I was referring to file deletion; not sure I said or meant lost forever: "But not if they have been overwritten.... nothing can help then."
There is a great difference between deletion and erasure... deletion simply involves removing a file table entry and freeing up the file space on the disk; all the file still exists [until some other file is written into the freed space], it just does not have a pointer to it. The tool I suggested is pretty thorough, another good and quick one is Restoration.exe which has a distinct advantage in that it will dl to and run from a removable drive like a floppy with no installation required. Which means that there is less risk of new files overwriting deleted file space.
I was surprised when I first ran TestDisk for another task - it found a couple of partitions and some of their files that I had long since deleted or moved the boundaries thereof. A good tool just a bit dangerous, is all. Try it.

0

I am concerned that you say it is a bit dangerous. Why would that be??

0

Dangerous? Simply that it has capabilities that enable you to delete partition tables; change disk geometry, partition types... which are things you certainly do not want to do. You are making me uncomfortable.. so may I suggest that you ignore the TestDisk part and use the PhotoRec section instead?
"TestDisk doesn't need to be installed, you only need to extract the full windows subdirectory and run win\photorec_win.exe"
For the helpfile, which you should read, run doc\testdisk.html
Because doing that often is unwieldy I use batch commands of the form:

@ECHO OFF
Start /D"E:\Disk & System Tools\Disk Tools\testdisk-6.9\doc" testdisk.html

-saved as, say, 00TestdiskHelp.cmd. You would naturally replace my path E:\Disk & System Tools\Disk Tools with yours...
Another:
@ECHO OFF
Start /D"E:\Disk & System Tools\Disk Tools\testdisk-6.9\win" photorec_win.exe

-saved as, say, 00PhotoRec.cmd
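
The difference between deletion and overwriting described earlier in the thread, shown as an added example (not part of the original posts and not PhotoRec's own code): a minimal signature-based JPEG carver run over a constructed toy volume. The toy file table, the offsets and the names `make_jpeg`, `carve_jpegs`, `build_disk` and `demo` are assumptions made for illustration.

```python
SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker

def make_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: real SOI/EOI markers around dummy bytes."""
    return SOI + b"\xe0" + payload + EOI

def carve_jpegs(image: bytes, max_size: int = 1 << 20):
    """Scan raw bytes for JPEG signatures, ignoring any file table.
    Returns (complete, truncated): complete is a list of (offset, data);
    truncated lists offsets where a header has no footer within max_size."""
    complete, truncated = [], []
    pos = 0
    while (start := image.find(SOI, pos)) != -1:
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            truncated.append(start)          # header survives, tail was overwritten
            pos = start + len(SOI)
        else:
            complete.append((start, image[start:end + len(EOI)]))
            pos = end + len(EOI)
    return complete, truncated

def build_disk():
    """Constructed toy volume: a file table (name -> offset, length) and raw data."""
    disk = bytearray(b"\x00" * 4096)
    table = {}
    for name, off, body in [("beach.jpg", 512, b"A" * 300),
                            ("party.jpg", 2048, b"B" * 500)]:
        data = make_jpeg(body)
        disk[off:off + len(data)] = data
        table[name] = (off, len(data))
    return disk, table

def demo():
    disk, table = build_disk()
    table.clear()                            # "deletion": only the table entries go
    after_delete, _ = carve_jpegs(bytes(disk))
    disk[2100:2700] = b"\x55" * 600          # a new file reuses party.jpg's freed space
    after_overwrite, truncated = carve_jpegs(bytes(disk))
    return ([o for o, _ in after_delete],
            [o for o, _ in after_overwrite], truncated)

if __name__ == "__main__":
    print(demo())
```

Both images are still carved after the table is cleared; once part of the freed space is reused, only the untouched file comes back whole, which is why recovery tools should be run from a different drive than the one being recovered.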
