Ran scan and removed malware files, now can't open pic files etc?

[katarina]

I ran the malewarebytes quick scan in order to get rid of windows 2008 antivirus. I ran the scan, trusted that all the selected items were bad, and removed them from my system (in retrospect, probably a bad idea but I wanted to get that fake program off my computer ASAP). Now I've found that my entire itunes library has been wiped out and I can't open any picture files on my computer (I'm sure there might be other things messed up, but that's all I've found so far). HOW CAN I GET MY PICTURES BACK?? I think it had to do with the scan and what I removed. The links for all my pictures in my picture folders are still there, but they won't allow me to open them. I click and nothing happens. I really want these pictures back, being as they are family/friend photos. Can anyone help me with this? Like I said, I believe this happened because of the malwarebytes anti-malware scan. Any help would be greatly, greatly appreciated!!!

-Katarina

[EliteKiller]

- In regards to the missing music/pictures you can open MBAM and restore from the quarantine as needed. Be careful that you don't restore the wrong item(s)

- If you run XP locate one of your pictures > right-click > open with > choose the program (eg. windows picture and fax viewer) > check the box for "always use the selected program to open...." > ok. If that fails go to start > run > sfc /scannow > ok

-- In Vista click start > default programs > set your default program > default settings by clicking 'choose defaults for this program' and check specific file type to open directly in windows photo gallery. Another option if that fails is go to start > all programs > accessories > right-click on command prompt and choose "run as administrator" > sfc /scannow > enter

[JeanInMontana]

This is strange, is MBAM the only thing you used? A system restore might work also. It could potentially reinfect you also, but you can then remove the rogue again.

[katarina]

- In regards to the missing music/pictures you can open MBAM and restore from the quarantine as needed. Be careful that you don't restore the wrong item(s)

What would be the right files to restore so I could view my pictures with Windows programs? I have really no clue what all of them mean. I looked at the log file and tried to figure it out, but Im very hesitant to restore any of the stuff I quarantined. Should I copy and paste my log file here?

[JeanInMontana]

What version of MBAM are you using? This is an old thread and MBAM has updated many times. Please post an MBAM log so we can see what your seeing.

[katarina]

What version of MBAM are you using? This is an old thread and MBAM has updated many times. Please post an MBAM log so we can see what your seeing.

I think it's version 1.26 that I'm using. I downloaded it in September. As for the log, this is what I have (I know it's quite long; many people use this computer so I guess it's more apt to get infected):

Memory Processes Infected: 9

Memory Modules Infected: 5

Registry Keys Infected: 3

Registry Values Infected: 18

Registry Data Items Infected: 11

Folders Infected: 14

Files Infected: 45

Memory Processes Infected:

C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Unloaded process successfully.

C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Unloaded process successfully.

C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Unloaded process successfully.

C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Unloaded process successfully.

C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Unloaded process successfully.

C:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Unloaded process successfully.

C:\Program Files\rhc7nvj0eet7\rhc7nvj0eet7.exe (Rogue.Multiple) -> Unloaded process successfully.

C:\WINDOWS\system32\lphc3nvj0eet7.exe (Trojan.FakeAlert) -> Unloaded process successfully.

C:\WINDOWS\system32\pphc3nvj0eet7.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\blphc3nvj0eet7.scr (Trojan.FakeAlert) -> Delete on reboot.

C:\Program Files\rhc7nvj0eet7\MFC71.dll (Rogue.Multiple) -> Delete on reboot.

C:\Program Files\rhc7nvj0eet7\MFC71ENU.DLL (Rogue.Multiple) -> Delete on reboot.

C:\Program Files\rhc7nvj0eet7\msvcp71.dll (Rogue.Multiple) -> Delete on reboot.

C:\Program Files\rhc7nvj0eet7\msvcr71.dll (Rogue.Multiple) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc7nvj0eet7 (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\rhc7nvj0eet7 (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc7nvj0eet7 (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc3nvj0eet7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.36 85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.36 85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38dd9320-1a1f-4d90-878a-9021b75b4585}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.36,85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{38dd9320-1a1f-4d90-878a-9021b75b4585}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.36,85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4c6f3dd2-8041-4ca5-9b04-72640d0cc1a4}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.36,85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9c7f0bda-ac52-4d0a-aa20-62a477b3235a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.36,85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{aede8cf2-556e-4eff-aa8b-d8a32f5ae752}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.36,85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.36 85.255.112.83 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.36 85.255.112.83 -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\rhc7nvj0eet7\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\blphc3nvj0eet7.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\mssadv.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\msavsc.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\msctrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\msfw.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\msiemon.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\mssadv.dll (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Program Files\Mozilla Firefox\msscan.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\msavsc.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\msctrl.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\msfw.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\msiemon.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\mssadv.dll (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\msscan.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Local Settings\Temporary Internet Files\Content.IE5\03D7ME7T\monitor[1].gif (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Local Settings\Temporary Internet Files\Content.IE5\764JR505\progress[1].gif (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Local Settings\Temporary Internet Files\Content.IE5\Q5HIJY94\1117104619[1].jpg (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\msctrl2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft Security Adviser\mssadv_sp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\rhc7nvj0eet7.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\rhc7nvj0eet7.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\rhc7nvj0eet7\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lphc3nvj0eet7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\phc3nvj0eet7.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pphc3nvj0eet7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kate.ACHERON\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

[Insomniac]

While I can't help with the infection/restoration of the missing files (don't know much at all about malware removal), I just had to ask why you don't have any of the important pictures/music backed up?

Both malware and hardware failure can cause you to lose files, so I strongly suggest that once you have gotten this problem sorted out that you buy a cheap external hard drive and use it to make backups of important files.

[Raid]

I think it's version 1.26 that I'm using. I downloaded it in September. As for the log, this is what I have (I know it's quite long; many people use this computer so I guess it's more apt to get infected):

Memory Processes Infected: 9

Memory Modules Infected: 5

Registry Keys Infected: 3

Registry Values Infected: 18

Registry Data Items Infected: 11

Folders Infected: 14

Files Infected: 45

Why did you post an incomplete log? And why haven't you updated both the program and it's database?

The logfile you posted doesn't show anything dealing with pictures. On the MBAM program you should see a Logs tab. Pressing that will bring up a collection of previous logs created by MBAM. Please select the one which corresponds to the time in which you lost your pictures and post that log. Thanks!

Also, how many files are in your Quarantine?

[exile360]

The issue with pictures not opening probably has to do with file association, as far as the other stuff goes I have no idea, but I would update to the newest version of MBAM and scan again if I were you.

[aka Frenchy ASP]

Try theses step;

1:If you still can see the link, then right click on it and you should see a target path. Browse to your path and verify if the files is still there.

2:Open your prefered pic application and then try to open it directly from the app with the path found from the target. If this work then follow step 5

If this fails

3:Open your explorer, right click on your C drive and then choose seach, now click on the back button and click Picture, music or video. Now check Picture and click search.

4:After the search is finish look to see if you find your pictures.

5:If they are there, double click on it. If they dont open then exile360 is right. You need to reassociate the extension with the app.

6:If they are not there, you will need to restore them from quarantine. If you can't then you will need a third application that will allow you to undelete theses files. Know this, as long as you don't start saving files on your computer your deleted files are still present and it is possible to bring them back.

[JeanInMontana]

You need to update MBAM and take this discussion to the proper forum.

Please follow these instructions here and begin your own topic in that forum.