#1
O.T. deleted bookmark, can't sign-on to FF
I have a Dell XPS 8500, with Windows 7 Professional, SP1, with Spywareblaster, Malwarebytes, Avast Professional, Windows Defender and Windows firewall.

(1) TB HD
Intel (R) Core (TM) i7-33-3770 CPU @ 3.40 GHz 3.40 GHz
Ram 12.0 GB
System type : 64-bit operating system

I also have a Dell Dimension 8200 with XP, SP3, with Spywareblaster, Avast, Malwarebytes and Windows firewall.

Seagate Barracuda 7200 160 Gb HD
Intel (R) Pentium (R) 4 CPU 1.80 GHz
Ram 1.79 GHz, 1.00 GB of RAM
System type : 32-bit operating system

and (external hard drives)

Seagate Backup Plus 1(TB) 2.5 USB Portable HD
WD BLACK SERIES WD2003FZEX 2TB 7200 RPM 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive

This concerns the 8500; I accidentally deleted one of my bookmarks. I tried checking for it in other folders but to no avail. I didn't know if it would help but I tried two system restores using different dates for each and both failed which raises some concern.

Also I now cannot logon to FF:

http://i66.tinypic.com/msge9s.jpg

I have my rescue disk and the WD Black was recently backed up so how do I retrieve my bookmark?

Thanks,
Robert
#2
It seems I can't open up my WD drive now. I've tried several times and it doesn't respond.

This isn't looking good

Robert
#3
Mark Twain wrote:
It seems I can't open up my WD drive now. I've tried several times and it doesn't respond.

This isn't looking good

Robert

xpcom.dll is a file in the C:\Program Files\Mozilla Firefox directory. There is no xpcom.dll in my Firefox version 42 directory. Wikipedia says it is "Cross Platform Component Object Model", and I suspect it is larger when used on some special applications. For example, Thunderbird has more XPCOM files than Firefox does.

The bookmarks are stored in a different place than the Firefox program directory.

C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\5cv8laep.default\bookmarkbackups

    bookmarks-2015-10-30.json

Later versions of Firefox use a file extension of "jsonlz4" which is a silly compression scheme. I have a decompressor here for it using some C code and an lz4 library or something. Your installation is more likely to look like this one.

C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\vpyfp7p7.default\bookmarkbackups

    bookmarks-2015-05-10_14_c8PG92lj-X7ddKH5p5SiKA==.jsonlz4

And those are bookmarkbackup files, not actual Bookmarks. To make Bookmarks for protection purposes, you use Export within the browser, and that converts the poor choice they made for an internal representation, into something that users can use. The jsonlz4 isn't particularly intended for humans to read. I *hate* software developers who do **** like that.

*******

For the WD Black 2TB drive:

1) Is the drive installed internally in the computer ? If so, check that both the power and data cables are connected. The BIOS has the ability to disable a SATA port, but you are unlikely to have played with that. If the power cable for the drive was overloaded (also unlikely), you will hear some whirring as the disk spins up and spins down, over and over again. My guess is, you're hearing no sound at all right now.

2) Is the drive installed in the Startech enclosure ? The enclosure has a wall adapter and a power cable leading to the enclosure. The enclosure has an On/OFF switch (which disconnects +12V from the enclosure). If the power adapter has a problem, switch off the enclosure via the On/OFF switch. Unplug the adapter from the wall. Wait 30 seconds. Plug the adapter back into the wall. This procedure "clears" a latched overload. Switch on via the On/OFF switch. On my enclosure, there is a five second delay before the LED lights up. And that usually indicated the drive is spinning and ready to go.

Check that the USB cable is plugged in. The modern enclosures are pretty good concerning the order of doing things, and don't usually melt down if you connect the cables in the wrong temporal order. So I'm not too worried about that. Many enclosure failures are caused by a bad wall adapter which no longer produces +12V for you.

Play with it a bit and get back to me.

If you can get your hands on the .mrimg file from your last backup, you don't need to (system) restore a damn thing. Right-click the .mrimg file, the most recent one. There will be a "Macrium" entry in the right-click menu. It will offer to "mount the partitions" stored in the .mrimg. You want to mount the C: drive partition. It will be assigned a new drive letter. So the G: drive might be your old OS image. You can navigate that mounted G: image, in file explorer. Look in file explorer and see if a new drive letter appeared. I think the Macrium mounter even supports allowing the user to pick a drive letter. You can't go wrong.

Now, navigate to

G:\Program Files (x86)\Mozilla Firefox

or similar. Compare the contents to

C:\Program Files (x86)\Mozilla Firefox

That will tell you whether something has gone missing, got deleted when Firefox was installing an update or whatever.

The program installation is separate from your bookmarks. The folder

G:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\vpyfp7p7.default\bookmarkbackups

contains around five backup jsonlz4 files. You could copy the whole bookmarkbackups folder from the G: drive, to the same location on the C: drive. And that would put your bookmarks back. (That is, it puts back the internal representation.)

If instead, you are referring to an HTML file you exported from Firefox, you can always do a fresh export. Of course, Firefox isn't running right now, so the Program Files folder needs to have its stuff fixed first. On Windows 7, this is likely to be tougher than it sounds. The Program Files folder is probably owned by "Trusted Installer".

It might be simpler to reinstall Firefox. But there are undoubtedly ways for this to fail in a spectacular manner (because at this point, I have no idea what just blew up). If the folder is damaged, it might not uninstall cleanly. And so on.

Paul
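The jsonlz4 bookmark backups described in the post above can be read without Firefox. This is an added example, not code from the thread or from Mozilla: a pure-Python decoder that assumes the usual layout of an 8-byte `mozLz40\0` magic, a 4-byte little-endian decompressed size and one raw LZ4 block. The sample blob, URLs and function names are constructed for illustration.

```python
import json
import struct

MAGIC = b"mozLz40\0"  # 8-byte magic that precedes the size field and LZ4 block


def read_length(src, i, nibble):
    """Extend a 4-bit length: 15 means 'add following bytes until one is < 255'."""
    length = nibble
    if nibble == 15:
        while True:
            if i >= len(src):
                raise ValueError("truncated length field")
            byte = src[i]
            i += 1
            length += byte
            if byte != 255:
                break
    return length, i


def lz4_block_decompress(src, expected_size):
    """Decode one raw LZ4 block, refusing to grow past expected_size."""
    out = bytearray()
    i = 0
    while i < len(src):
        token = src[i]
        lit_len, i = read_length(src, i + 1, token >> 4)
        if i + lit_len > len(src) or len(out) + lit_len > expected_size:
            raise ValueError("literal run exceeds input or declared size")
        out += src[i:i + lit_len]
        i += lit_len
        if i == len(src):           # the last sequence has literals only
            break
        if i + 2 > len(src):
            raise ValueError("truncated match offset")
        offset = src[i] | (src[i + 1] << 8)
        match_len, i = read_length(src, i + 2, token & 0x0F)
        match_len += 4              # stored match length is biased by 4
        if offset == 0 or offset > len(out):
            raise ValueError("match offset points outside the output")
        if len(out) + match_len > expected_size:
            raise ValueError("match exceeds declared size")
        start = len(out) - offset
        for k in range(match_len):  # byte by byte: source may overlap output
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError("decompressed size does not match header")
    return bytes(out)


def read_jsonlz4(blob):
    """Parse a bookmarks-*.jsonlz4 backup held in memory."""
    if len(blob) < 12 or blob[:8] != MAGIC:
        raise ValueError("not a mozLz4 file")
    (size,) = struct.unpack_from("<I", blob, 8)
    return json.loads(lz4_block_decompress(blob[12:], size))


def list_bookmarks(node):
    """Yield (title, uri) for every bookmark below a folder node."""
    if "uri" in node:
        yield node.get("title", ""), node["uri"]
    for child in node.get("children", []):
        yield from list_bookmarks(child)


def constructed_sample():
    """Hand-built mozLz4 blob (constructed test data, not a real profile)."""
    head = b'{"children":[{"title":"Docs","uri":"https://example.org/docs"},'
    tail = b'Wiki","uri":"https://example.org/wiki"}]}'
    rep = b'{"title":"'             # emitted as a back-reference into head
    offset = len(head) - head.index(rep)
    seq1 = (bytes([0xF0 | (len(rep) - 4), len(head) - 15]) + head
            + struct.pack("<H", offset))
    seq2 = bytes([0xF0, len(tail) - 15]) + tail
    size = len(head) + len(rep) + len(tail)
    return MAGIC + struct.pack("<I", size) + seq1 + seq2


if __name__ == "__main__":
    for title, uri in list_bookmarks(read_jsonlz4(constructed_sample())):
        print(title, uri)
```

For a real backup, pass the bytes of a copy of one file from the bookmarkbackups folder to `read_jsonlz4`, leaving the live profile untouched.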
#4
I did as you suggested and unplugged the adaptor and then inserted it but it still doesn't recognize the HD. I fear it may have crashed. I do hear it clicking when I first power it up but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have to switch User and go into the Administrators Account the USB Safely Remove is still there possibly as a leftover from System Restore? In any case, I used it to safely remove the WD hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if it boots or do you have further steps for me?

The thing is now I can't even access FF or any of my bookmarks and have only the bare minimum in IE because I don't use it. So this is critical.

Thanks,
Robert
#5
Mark Twain wrote:
I did as you suggested and unplugged the adaptor and then inserted it but it still doesn't recognize the HD. I fear it may have crashed. I do hear it clicking when I first power it up but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have to switch User and go into the Administrators Account the USB Safely Remove is still there possibly as a leftover from System Restore? In any case, I used it to safely remove the WD hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if it boots or do you have further steps for me?

The thing is now I can't even access FF or any of my bookmarks and have only the bare minimum in IE because I don't use it. So this is critical.

Thanks,
Robert

Was there anything suspicious leading up to this ? It almost suggests a Cryptolocker or file hiding malware attack.

*******

Your WD Black 2TB appears to have lost or damaged the MBR. I don't think it would state "Removable drive E:" unless the drive was spinning.

You can remove the WD Black 2TB from the enclosure, and boot it separately in the computer (because you set it up so it could boot). Now, if that works, then the drive is OK. If it doesn't boot, it's going to need an attempt at recovery. Perhaps a program like TestDisk could do that (because it rebuilds the MBR, based on any file system headers on the partitions it can see).

You have two drives that boot on that computer. You have the 1TB drive (which currently is missing some part of Firefox). You have the 2TB drive, which you've successfully booted in the past. So you should be able to get something booted. You also have the Macrium CD as a boot item, so you could also boot Macrium and see if it can view the contents of the 2TB drive. The idea behind the careful approach, is to see if any software can see the drive, better than some other software is at present.

*******

So what are my concerns at the moment, why isn't there a strong theme in my answer ?

1) Evidence of malware ? Why did Firefox "disappear" ? What is going on there ?

2) Simultaneous hardware failure ? Is the disk damaged, is some data damaged, what is going on ?

Having the two of them potentially happening at the same time, makes it hard to form a plan of action. If it's malware, I'm wasting your time fiddling with the 2TB drive. If it's a hardware failure, maybe you can lift yourself by your bootstraps (use the remaining resources to cobble together a working solution). But what do we start with first ?

For example, if you had the Sality malware on the machine, every disk ever connected to the machine could be compromised. Including a backup drive. I don't consider my setup here to be ready for Sality. I don't have a safe way of handling my backup drive, without Sality getting onto it. Which would probably be a "nuke and pave" moment for me.

Which do I deal with first ?

You could Safely Remove, disconnect and power off the 2TB drive for now. And use MBAM free on-demand scanner to search for malware.

To work on the 2TB drive, yes, by all means it should be plugged into the 8500. That eliminates the controller chip in the enclosure as an issue. And it eliminates a flaky wall adapter as the source of the problem. But at the moment, we don't know what the malware status of the computer is.

So after you've done a bit of work on the 1TB drive, from a malware scanning perspective, you could work on the 2TB drive. You have a couple possible configurations.

1) Boot the 2TB drive by itself, when it is placed in the 8500. Disconnect the 1TB drive when testing the 2TB for the first time.

2) If the 2TB won't boot, then it really does have some data structure damage. If we "trusted" the OS on the 1TB drive, we could boot the 1TB and run a program like TestDisk. And have it scan the disk.

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

But the thing is, at the moment, you don't have a working browser, so at the very least, you'll need to use Internet Explorer, try to reach www.mozilla.com and download the Firefox installer. And see if you can get that working. There is no reason for Firefox to trash the existing profile and bookmarks. Assuming they're still on the machine.

It looks suspiciously like some sort of data hiding malware, which is why I might do some scanning on the 1TB drive first. It's probably "too late for safety now", as possibly both the backup drive and C: are both damaged in whatever way some malware sees fit. I might also be using my Kaspersky Rescue CD, the one that does malware signature scanning. But you can give MBAM a try first, and see if there is even still a copy of MBAM on the 1TB drive.

In situations where you *know* something dangerous was acquired on the 1TB drive, you would:

1) Reboot and insert the Macrium CD.

2) Connect the 2TB drive to the machine.

3) Don't boot the 1TB so it can "see" the 2TB drive. You would only boot the Macrium CD, as it is a "clean" OS and can't harm anything.

4) Restore an OS from the 2TB backup collection, to take the place of the infected OS on the 1TB drive.

5) Shutdown and disconnect the 2TB external drive. Boot the 1TB drive and see if it is OK.

So the idea in that example, is to not allow the 1TB drive to "see" the 2TB drive, while the OS on the 1TB drive is running. In case there was malware.

But your 2TB drive has been connected to the (potentially) infected system. And this is a weakness in any case, which I don't have a cure for. If I do backups here, if my machine was infected and I connected my external to do a backup, both the internal and the external could get malware damage, such as a Cryptolocker attack.

(Cryptolocker encrypts files for ransom purposes. Once the encryption step is finished, a prompt appears on the screen asking for money. A file hiding malware on the other hand, just uses the "hidden" file attribute, to hide stuff. When they ask for money, it would probably be in BitCoin currency, to hide their tracks.)

I guess my order of execution would be to try some malware cleanup work on the 1TB first. As we may need to use the 1TB OS, to try to run TestDisk. In an ideal world, you'd have a Linux boot CD (since TestDisk runs from there), and you would attempt to recover the 2TB drive from Linux. But that wouldn't be a very convenient environment to work from.

Bleepingcomputer has an "unhide" program, if you knew for certain a hiding malware had attacked the machine. More details are available here.

http://www.bleepingcomputer.com/foru...-program-does/

"revert many of the changes on your computer caused by the FakeHDD family of rogue anti-spyware programs"

Hope that helps,
Paul
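The reply above suspects a lost or damaged MBR on the 2TB drive. This is an added example, not from the thread: a read-only Python check of a disk's first sector that assumes classic MBR partitioning with 512-byte sectors. The sample sectors, the disk size and the function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_mbr(sector):
    """Return (signature_ok, entries) for the first sector of a disk."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte sector")
    entries = []
    for slot in range(4):
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, first LBA, length
        status, ptype, first_lba, sectors = struct.unpack_from(
            "<B3xB3xII", sector, TABLE_OFFSET + 16 * slot)
        if ptype == 0 and sectors == 0:
            continue                      # unused slot
        entries.append({"slot": slot, "status": status, "type": ptype,
                        "first_lba": first_lba, "sectors": sectors})
    return sector[510:512] == SIGNATURE, entries


def assess(sector, disk_sectors):
    """List structural problems; an empty list means the table looks sane."""
    signature_ok, entries = parse_mbr(sector)
    problems = []
    if not signature_ok:
        problems.append("missing 0x55AA boot signature")
    if not entries:
        problems.append("partition table is empty")
    prev_end = 0
    for e in sorted(entries, key=lambda e: e["first_lba"]):
        end = e["first_lba"] + e["sectors"]
        if e["status"] not in (0x00, 0x80):
            problems.append(f"slot {e['slot']}: invalid status byte")
        if e["first_lba"] == 0 or e["sectors"] == 0:
            problems.append(f"slot {e['slot']}: zero start or length")
        if end > disk_sectors:
            problems.append(f"slot {e['slot']}: runs past the end of the disk")
        if e["first_lba"] < prev_end:
            problems.append(f"slot {e['slot']}: overlaps the previous partition")
        prev_end = max(prev_end, end)
    return problems


def build_sector(entries, signed=True):
    """Build a constructed sector from (status, type, first_lba, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for slot, (status, ptype, first_lba, sectors) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + 16 * slot,
                         status, ptype, first_lba, sectors)
    if signed:
        sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed inputs: a sane two-partition table, a zeroed sector, and a table
# whose second entry overlaps the first and extends beyond the disk.
DISK_SECTORS = 4_000_000    # constructed size, not the drive in the thread
HEALTHY = build_sector([(0x80, 0x07, 2048, 204_800),
                        (0x00, 0x07, 206_848, 3_000_000)])
WIPED = bytes(SECTOR_SIZE)
DAMAGED = build_sector([(0x80, 0x07, 2048, 204_800),
                        (0x00, 0x07, 100_000, 5_000_000)])

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("wiped", WIPED), ("damaged", DAMAGED)):
        print(name, assess(sector, DISK_SECTORS) or "looks sane")
```

The input is the first 512 bytes of the disk or of an image of it; the check only reads and never writes to the drive.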
#6
Mark Twain wrote:
I did as you suggested and unplugged the adaptor and then inserted it but it still doesn't recognize the HD. I fear it may have crashed. I do hear it clicking when I first power it up but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have to switch User and go into the Administrators Account the USB Safely Remove is still there possibly as a leftover from System Restore? In any case, I used it to safely remove the WD hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if it boots or do you have further steps for me?

The thing is now I can't even access FF or any of my bookmarks and have only the bare minimum in IE because I don't use it. So this is critical.

Thanks,
Robert

It might be the infamous "click of death"

Try powering off the drive, unplug from usb and wait a minute. Plug it back in. Does it click? Try it again. Does it click? If it consistently "clicks" on startup it's probably a dead hard drive.

JT
#7
Wow, you sure gave me a lot of information to swallow! I'll have to re-read it a few times.

I did switch the HD's so that I'm now typing this with the WD 2TB hard drive installed. I thought I had done a recent backup for this because remember I moved some data I had worked on to a DVD because my Patriot Key had the Rescue.ISO file on it but none of the files/folders have been updated and I'm missing a lot.

What led up to this was that I was trying to delete a folder and I thought the busy circle had ended and it hadn't and it seems to have moved the mouse to include the other folder which I didn't want removed because by the time the circle cleared the folder was gone.

That's when all this started from a missing folder to FF disappearing to not completing two system restore using different dates, to not recognizing the WD drive,.. it just all happened one after the other..

Robert
#8
With all the information you've given I think I'll wait and see what you want me to do now since we've got the WD running albeit a dated version but FF is up and running and 85% of the bookmarks are there

However, I would like to retrieve the missing bookmarks/data/documentation if at all possible.

Thanks,
Robert
#9
JT wrote:
Mark Twain wrote:

I did as you suggested and unplugged the adaptor and then inserted it but it still doesn't recognize the HD. I fear it may have crashed. I do hear it clicking when I first power it up but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have to switch User and go into the Administrators Account the USB Safely Remove is still there possibly as a leftover from System Restore? In any case, I used it to safely remove the WD hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if it boots or do you have further steps for me?

The thing is now I can't even access FF or any of my bookmarks and have only the bare minimum in IE because I don't use it. So this is critical.

Thanks,
Robert

It might be the infamous "click of death"

Try powering off the drive, unplug from usb and wait a minute. Plug it back in. Does it click? Try it again. Does it click? If it consistently "clicks" on startup it's probably a dead hard drive.

JT

He is booted off it right now.

The disk not only has backups on it, it also has a cloned set of OS partitions, just for situations like this.

So the disk has gone from "wants to be formatted" to fully working, all by being moved out of the external enclosure it was in, to being put back inside the PC.

Paul
#10
Yes, the drive is working fine as it did when I first tested it for booting. It's just not up to date and is missing bookmarks, and data etc. Otherwise it's fine and very responsive and of course the clicking *L*

From re-reading your instructions is this what you would like me to do:

* Put the 1TB back into the computer
* run Malwarebytes scan
* try downloading FF from www.mozilla.com
* Run Kaspersky CD

When you refer to the Macrium CD are you referring to the Rescue CD? In any case, the OS of the 1TB is outdated and I would lose all my books and image files and data if I copied the OS from the 2TB to the 1TB would I not?

Is there no way to recover the bookmarks and data? Also remember I still have the 8200 as a final backup should we need it.

So waiting on what you would like me to do at this point.

Thanks,
Robert
#11
At present I'm running all the scans on the 2TB HD to make sure it's not infected with anything.

Robert
#12
Mark Twain wrote:
With all the information you've given I think I'll wait and see what you want me to do now since we've got the WD running albeit a dated version but FF is up and running and 85% of the bookmarks are there

However, I would like to retrieve the missing bookmarks/data/documentation if at all possible.

Thanks,
Robert

But you attempted to do a couple System Restores (which failed) on the C: drive in question. There are sometimes opportunities to "undelete", but only if you stop writing to the disk and prepare for data recovery right away. Doing some System Restores, could result in overwriting of deleted files.

The first question would be, when you were attempting this "delete" operation, did the files just go into the Trash ? Or did you use the Shift key, signaling "immediate delete" ? (Which would not give you a chance to move the files out of the Trash.)

My USB flash sticks here, if you delete on them, the delete is immediate. Hard drives, on the other hand, the Trash bin is an intermediate storage point.

"Possible way-stations for the fate of a file..."

    file -- Trash bin -- empty trash,  -- overwrite file area,
                         unlink file      data clusters
                         pointer          are lost

Since you have Agent Ransack on the 1TB drive, try Agent Ransack, and ask it to find any copies of jsonlz4 as that would be the bookmarksbackup format. And at this point, I don't even know what form your "bookmarks" are in. You say you deleted them, and you have some sort of shortcut or something on your desktop.

If you can reinstall Firefox, I would fire up the browser again and check to see if it exhibits a working set of bookmarks or not. Maybe you didn't actually delete the bookmarks or the bookmarkbackups.

Use your noodle to dream up some search-type operations. Think about the file names you deleted, and use Agent Ransack to find them. They might still be on the 1TB drive.

*******

There are two kinds of data recovery:

1) Programs that "scavenge" a drive, by reading every block on the drive, and trying to piece together files. This approach is doomed from the start, but most users are desperate and will do anything when severe damage happens.

2) Undelete programs, that make use of the file system feature, where emptying the Trash only removes the file pointer. The data clusters are still there, and they can still be located. This can fail if the data clusters are overwritten (user didn't stop using the disk in time). I don't know how quickly the $MFT would be overwritten, wiping out the file metadata.

There is an application you can use for scavenging a drive. Photorec can recover files. But it would only work reasonably completely, if the disk was perfectly defragmented before the incident. It doesn't use file system metadata, and just looks for chunks of files. Which is a bold approach, but not guaranteed to give anything more than hundreds of thousands of fragments.

http://www.cgsecurity.org/wiki/PhotoRec

The other kind of tool, would be an "undelete" tool. When you accidentally empty the Trash bin, the pointers to the files in there are removed. The data clusters are still sitting there. So as of yet, nothing is lost. However, if any write operations are attempted on the disk, the file system looks for "reusable locations", and at that point, the data clusters in question get overwritten. And then undelete is no longer possible. That's why, when you have a deletion accident, the first thing to do is shut down the C: drive (assuming the stuff is on C), so no system maintenance activity can overwrite anything.

http://www.techradar.com/us/news/sof...ftware-1141256

Undelete 360

There is a screenshot of the interface here.

http://www.pendriveapps.com/wp-conte...ndelete360.png

Link to the installer for the program.

http://www.undelete360.com/download.html

It's the item that says "1.94 MB" in fairly small print.

http://www.undelete360.com/files/undelete-360-setup.exe

Now, how it can tell "overwritten" versus "Very Good", is it can examine the cluster list of the deleted file, and see if any new files use those clusters. If the clusters are in usage by another file, then the original file is completely lost. If the clusters still are the sole property of the file with the unlinked pointer, then the data is recoverable.

When a disk is not the OS drive, it's a lot "quieter" and less overwrite damage is going to happen. So if you have a second OS drive, you boot that, then run the "undelete" tool against the drive that just had the accident. And you store the recovered files, on a folder on the *undamaged* disk. Don't do in-place recovery on the damaged disk, as the write operations from the recovered files, starts removing the file metadata of the files you're trying to rescue.

Paul
#13
I have no idea where the files went. I used the delete key to delete the file. I checked the trash bin but the folder wasn't there.

The last (360 option) sounds best it seems but from the sound of it you don't want me to put the 1TB back into the 8500 but perhaps put it in the Star Tech case?

One another anomaly, the 8500 clock was off by 3 hours.

Thanks,
Robert
#14
Mark Twain wrote:
I have no idea where the files went. I used the delete key to delete the file. I checked the trash bin but the folder wasn't there.

The last (360 option) sounds best it seems but from the sound of it you don't want me to put the 1TB back into the 8500 but perhaps put it in the Star Tech case?

One another anomaly, the 8500 clock was off by 3 hours.

Thanks,
Robert

The clock being off, sometimes happens if you boot Windows, then boot Linux, then boot Windows again. Some combination of that has caused my time to change. I think even Win2K (where the DST doesn't work properly) has resulted in the clock being off by one hour. For larger displacements, the time zone could be wrong.

You could put both drives inside the 8500, select the 2TB drive for booting (using the BIOS boot order), and do the data recovery on the 1TB drive from there. Making sure, that if the "360" program finds something, the files are stored on the 2TB drive, until you are happy that you've recovered everything you need.

Paul
#15
Mark Twain wrote:
Yes, the drive is working fine as it did when I first tested it for booting. It's just not up to date and is missing bookmarks, and data etc. Otherwise it's fine and very responsive and of course the clicking *L*

From re-reading your instructions is this what you would like me to do:

* Put the 1TB back into the computer
* run Malwarebytes scan
* try downloading FF from www.mozilla.com
* Run Kaspersky CD

When you refer to the Macrium CD are you referring to the Rescue CD? In any case, the OS of the 1TB is outdated and I would lose all my books and image files and data if I copied the OS from the 2TB to the 1TB would I not?

Is there no way to recover the bookmarks and data? Also remember I still have the 8200 as a final backup should we need it.

So waiting on what you would like me to do at this point.

Thanks,
Robert

"So waiting on what you would like me to do at this point."

Do you have a Macrium backup of the 1TB drive, which is more recent than the OS cloned onto the 2TB drive ?

I cannot make resources appear out of thin air :-) Either you have materials to work with, or you don't.

If you have absolutely nothing recent in terms of a backup, then you're really relying on "360" to do the job. Just try to avoid booting the 1TB drive, until your recovery attempt is done. If the 1TB drive is treated as a data drive, there will be less writing to it.

I'm assuming that malware isn't involved here, but you sure have a lot of weird symptoms you're throwing at me.

If you actually had a .mrimg of the 1TB which has a relatively recent date stamp on it, maybe that would be the best solution. But at the moment, I have no way of knowing whether any of your backups are good.

You could, for example, boot the 2TB, and run the copy of Macrium installed in the OS there, and use that to put back an OS image made of the 1TB drive. Or, you can also do restores while the Macrium CD is booted. Your choice.

    Boot 2TB    .mrimg on  ---  install over top of C: on the 1TB
                2TB

HTH,
Paul