Avast removed folders - I need help

Hi,
Yesterday I plugged in my external HD. It only has my photos on it from the last 6 years.
When I plugged it in, Avast said that the folders were viruses and deleted them. Now I can't access anything on my external HD. I think the files are still there, since when I access the drive it says that I have only used half of it. Still, I can't see any of the files.
I hope that I can get some help with this, since I don't have an extra backup of my photos.
Thanx

The detection should be listed in the avast quarantine. Plug in the external drive and then right click the quarantined file and restore.

Are you sure it is a false positive though?

I have found the folders in the quarantine folder in avast and I have restored them, but now they are links and not folders???

What is a false positive???

Thanx

A false positive is a file that is wrongly detected as malware.

Unplug your external HD.

Then follow the instructions for MCShield found here: http://forum.avast.com/index.php?topic=133127.msg980328#msg980328

Post the log here.

Malware removers are notified.

What do I do with the false positives then?

After Avast had restored the files and they came up as links, the files were removed by Avast again.

Thanx

Here is the log file

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 2.7.4.23 / DB: 2013.8.25.1 / Windows 7 <<<

29-08-2013 12:11:50 > Drive F: - scan started (HDDRIVE2GO ~931 GB, FAT32 HDD )…

F:\RECYCLER\e621ca05.exe - Malware > Deleted. (13.08.29. 12.11 e621ca05.exe.30651; MD5: 8a4567b62f1b7ef067f208d447a4df28)

=> Malicious files : 1/1 deleted.


::::: Scan duration: 1sec ::::::::::::::::::


I see MCShield found and removed one file…
How does it look now?

It may take some time before the malware experts arrive; they are usually here after work hours, European time zone.
They may need additional logs from you, so check back later today.

This was the file MCShield detected and removed:
https://www.virustotal.com/en/file/223cf2fada3c74d9291d6e6d65061ddd6b1a8d28952e9d328f176aebb92d1c1c/analysis/

Worm:Win32/Dorkbot.I
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32%2FDorkbot.I

Worm:Win32/Dorkbot.I is a member of the Win32/Dorkbot family; a family of IRC-based worms that spreads via removable drives, instant messaging programs, and social networks. Win32/Dorkbot.I may capture user names and passwords by monitoring network communication, and may block websites that are related to security updates. It may also launch a limited denial of service (DoS) attack.

The HD still looks the same, no directories or files show up when I plug in the HD??

OK… go here: http://forum.avast.com/index.php?topic=53253.0 Scroll down to OTL and attach the OTL diagnostic log … do not copy and paste.

When done, a malware expert will be notified.

Monitoring.

Here is the attachment.

Thanx

Re-run OTL.exe.

* Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}: C:\Program Files (x86)\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi [2013-05-02 21:21:44 | 000,037,909 | ---- | M] ()
O2 - BHO: (Wajam) - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files (x86)\Wajam\IE\priam_bho.dll (Wajam)
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll (TechSmith Corporation)
O2 - BHO: (lucky leap) - {d77aa852-def3-43cb-a3f5-bd679de72f32} - C:\Program Files (x86)\lucky leap\luckyleapbho.dll (luckyleap)
O3:64bit: - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll (TechSmith Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2774669554-1835670337-2381682612-1001\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4:64bit: - HKLM..\Run: []  File not found
O4 - HKU\S-1-5-21-2774669554-1835670337-2381682612-1001..\Run: [{603380FE-28B7-4EFA-A9B9-A94C1D46A6EA}] "C:\Users\Yoda\Desktop\MixedInKey_Version5\MixedInKey_Version5\MixedInKey_Version5.exe" /cmdloc "HKCU\Software\Mixed In Key LLC AiTemp\{603380FE-28B7-4EFA-A9B9-A94C1D46A6EA}" File not found
O4 - HKU\S-1-5-21-2774669554-1835670337-2381682612-1001..\Run: [Desktop iCalendar Lite.exe]  File not found
O33 - MountPoints2\{7662a6e8-2d6c-11e1-bccb-002318d5c991}\Shell - "" = AutoRun
O33 - MountPoints2\{7662a6e8-2d6c-11e1-bccb-002318d5c991}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{e60ee21c-2d53-11e1-9277-002318d5c991}\Shell - "" = AutoRun
O33 - MountPoints2\{e60ee21c-2d53-11e1-9277-002318d5c991}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{e60ee233-2d53-11e1-9277-002318d5c991}\Shell - "" = AutoRun
O33 - MountPoints2\{e60ee233-2d53-11e1-9277-002318d5c991}\Shell\AutoRun\command - "" = E:\AutoRun.exe
[2013-05-29 10:30:49 | 000,000,000 | ---D | C] -- C:\Users\Yoda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
[2013-05-29 10:30:49 | 000,000,000 | ---D | C] -- C:\Users\Yoda\AppData\Local\Wajam
[2013-05-29 10:30:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Wajam

:files
C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

:Services
WajamUpdater

:commands
[CREATERESTOREPOINT]
[emptytemp]



* Then click the Run Fix button at the top.
* Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


Set MCShield as shown.


http://fotkica.com/thumbs3/1_tmb_52998947_2013-08-31_190944.jpg

Connect the HD to the USB port.
Attach the log here.
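
An added example, not part of the original thread and not OTL's own code: a short Python triage of the "O33 - MountPoints2" lines from the fix script above, listing each cached shell command per volume and whether it is the drive's default action and an executable sitting in the drive root. The function and field names are hypothetical; the sample lines are copied from the log posted in this thread.

```python
import re

# Sample lines copied from the OTL fix script in this thread (one O4 line
# is included to show that non-O33 entries are skipped).
SAMPLE_LOG = r"""
O33 - MountPoints2\{7662a6e8-2d6c-11e1-bccb-002318d5c991}\Shell - "" = AutoRun
O33 - MountPoints2\{7662a6e8-2d6c-11e1-bccb-002318d5c991}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O33 - MountPoints2\{e60ee21c-2d53-11e1-9277-002318d5c991}\Shell - "" = AutoRun
O33 - MountPoints2\{e60ee21c-2d53-11e1-9277-002318d5c991}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O4 - HKU\S-1-5-21-2774669554-1835670337-2381682612-1001..\Run: [Desktop iCalendar Lite.exe]  File not found
"""

# O33 - MountPoints2\<volume>\Shell[\<verb>\command] - "<value name>" = <data>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<volume>[^\\]+)\\Shell(?P<subkey>.*?)'
    r' - "(?P<name>[^"]*)" = (?P<data>.*)$'
)
# An executable placed directly in a drive root, e.g. F:\AutoRun.exe
ROOT_EXE_RE = re.compile(
    r'^"?[A-Za-z]:\\[^\\/:*?"<>|]+\.(?:exe|com|bat|cmd|scr|pif)\b', re.I
)

def triage_mountpoints(log_text):
    """Return one finding per cached shell command found in O33 lines."""
    default_verb = {}   # volume -> default shell verb (value of ...\Shell)
    commands = []       # (volume, verb, command line)
    for line in log_text.splitlines():
        m = O33_RE.match(line.strip())
        if not m:
            continue
        volume, subkey, data = m.group("volume", "subkey", "data")
        parts = [p for p in subkey.split("\\") if p]
        if not parts:                       # ...\Shell - "" = <verb>
            default_verb[volume] = data.strip()
        elif len(parts) == 2 and parts[1].lower() == "command":
            commands.append((volume, parts[0], data.strip()))
    return [{
        "volume": volume,
        "command": command,
        # True when opening the drive would invoke this verb by default
        "is_default_action": default_verb.get(volume, "").lower() == verb.lower(),
        "root_executable": bool(ROOT_EXE_RE.match(command)),
    } for volume, verb, command in commands]

if __name__ == "__main__":
    for finding in triage_mountpoints(SAMPLE_LOG):
        print(finding)
```

Entries where both flags are true are the ones worth reviewing first, since they mean a cached AutoRun command for that volume points at a program in the drive root.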