O.T. deleted bookmark, can't sign-on to FF

I have a Dell XPS 8500, with Windows 7 Professional, SP1,
with Spywareblaster, Malwarebytes, Avast Professional,
Windows Defender and Windows firewall.

(1) TB HD
Intel (R) Core (TM) i7-33-3770 CPU @ 3.40 GHz 3.40 GHz
Ram 12.0 GB
System type : 64-bit operating system

I also have

I have a Dell Dimension 8200 with XP, SP3, with Spywareblaster,
Avast, Malwarebytes and Windows firewall.


Seagate Barracuda 7200 160 Gb HD
Intel (R) Pentium (R) 4 CPU 1.80 GHz
Ram 1.79 GHz, 1.00 GB of RAM
System type : 32-bit operating system

and (external hard drives)

Seagate Backup Plus 1(TB) 2.5 USB Portable HD

WD BLACK SERIES WD2003FZEX 2TB 7200
RPM 64MB Cache SATA 6.0Gb/s 3.5" Internal
Hard Drive

This concerns the 8500; I accidentally deleted one
of my bookmarks. I tried checking for it in other folders
but to no avail.

I didn't know if it would help but I tried two system restores
using different dates for each and both failed which raises
some concern.

Also I now cannot logon to FF:

http://i66.tinypic.com/msge9s.jpg


I have my rescue disk and the WD Black was recently backed up
so I how do I retrieve my bookmark?

Thanks,
Robert

It seems I can't open up my WD drive now.
I've tried several times and it doesn't
respond.

This isn't looking good

Robert

Mark Twain wrote:
It seems I can't open up my WD drive now.
I've tried several times and it doesn't
respond.

This isn't looking good

Robert


xpcom.dll is a file in the

C:\Program Files\Mozilla Firefox

directory.

There is no xpcom.dll in my Firefox version 42 directory.

Wikipedia says it is "Cross Platform Component Object Model",
and I suspect it is larger when used on some special applications.
For example, Thunderbird has more XPCOM files than Firefox does.

The bookmarks are stored in a different place
than the Firefox program directory.

C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\5cv8laep.default\boo kmarkbackups
bookmarks-2015-10-30.json

Later versions of Firefox use a file extension of "jsonlz4"
which is a silly compression scheme. I have a decompressor here
for it using some C code and an lz4 library or something.
Your installation is more likely to look like this one.

C:\Users\username\AppData\Roaming\Mozilla\Firefox\ Profiles\vpyfp7p7.default\bookmarkbackups
bookmarks-2015-05-10_14_c8PG92lj-X7ddKH5p5SiKA==.jsonlz4

And those are bookmarkbackup files, not actual Bookmarks.
To make Bookmarks for protection purposes, you use
Export within the browser, and that converts the
poor choice they made for an internal representation,
into something that users can use. The jsonlz4 isn't
particularly intended for humans to read. I *hate*
software developers who do **** like that.

*******

For the WD Black 2TB drive:

1) Is it drive installed internally in the computer ?
If so, check that both the power and data cables
are connected. The BIOS has the ability to disable
a SATA port, but you are unlikely to have played
with that. If the power cable for the drive was
overloaded (also unlikely), you will hear some
whirring as the disk spins up and spins down,
over and over again. My guess is, you're hearing
no sound at all right now.

2) Is the drive installed in the Startech enclosure ?
The enclosure has a wall adapter and a power cable
leading to the enclosure. The enclosure has an On/OFF
switch (which disconnects +12V from the enclosure).

If the power adapter has a problem, switch off the enclosure
via the On/OFF switch. Unplug the adapter from the wall.
Wait 30 seconds. Plug the adapter back into the wall.
This procedure "clears" a latched overload. Switch on via
the On/OFF switch. On my ehclosure, there is a five second
delay before the LED lights up. And that usually indicated
the drive is spinning and ready to go.

Check that the USB cable is plugged in.

The modern enclosures are pretty good concerning
the order of doing things, and don't usually melt
down if you connect the cables in the wrong temporal
order. So I'm not too worried about that.

Many enclosure failures are caused by a bad wall
adapter which no longer produces +12V for you.

Play with it a bit and get back to me.

If you can get your hands on the .mrimg file from your
last backup, you don't need to (system) restore a damn thing.
Right-click the .mrimg file, the most recent one.
There will be a "Macrium" entry in the right-click menu.
It will offer to "mount the partitions" stored in the
..mrimg. You want to mount the C: drive partition.
It will be assigned a new drive letter. So the G: drive
might be your old OS image. You can navigate that mounted
G: image, in file explorer. Look in file explorer and see
if a new drive letter appeared. I think the Macrium mounter
even supports allowing the user to pick a drive letter.
You can't go wrong.

Now, navigate to

G:\Program Files (x86)\Mozilla Firefox

or similar. Compare the contents to

C:\Program Files (x86)\Mozilla Firefox

That will tell you whether something has gone
missing, got deleted when Firefox was installing
an update or whatever.

The program installation is separate from your bookmarks.
The folder

G:\Users\username\AppData\Roaming\Mozilla\Firefox\ Profiles\vpyfp7p7.default\bookmarkbackups

contains around five backup jsonlz4 files. You could
copy the whole bookmarkbackups folder from the G:
drive, to the same location on the C: drive. And
that would put your bookmarks back. (That is, it puts
back the internal representation.)

If instead, you are referring to an HTML file you
exported from Firefox, you can always do a fresh
export. Of course, Firefox isn't running right now,
so the Program Files folder needs to have its stuff
fixed first.

On Windows 7, this is likely to be tougher
than it sounds. The Program Files folder is probably
owned by "Trusted Installer". It might be simpler to
reinstall Firefox. But there are undoubtedly ways
for this to fail in a spectacular manner (because
at this point, I have no idea what just blew up).
If the folder is damaged, it might not uninstall
cleanly. And so on.

Paul

I did as you suggested and unplugged the adaptor
and then inserted it but it still doesn't recognize the
HD. I fear it may have crashed.

I do hear it clicking when I first power it up
but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have
to switch User and go into the Administrators
Account the USB Safely Remove is still there
possibly as a leftover from System Restore?
In any case, I used it to safely remove the WD
hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if
it boots or do you have further steps for me? The
thing is now I can't even access FF or any of my
bookmarks and have only the bare minimum in IE
because I don't use it.

So this is critical.

Thanks,
Robert

Mark Twain wrote:
I did as you suggested and unplugged the adaptor
and then inserted it but it still doesn't recognize the
HD. I fear it may have crashed.

I do hear it clicking when I first power it up
but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have
to switch User and go into the Administrators
Account the USB Safely Remove is still there
possibly as a leftover from System Restore?
In any case, I used it to safely remove the WD
hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if
it boots or do you have further steps for me? The
thing is now I can't even access FF or any of my
bookmarks and have only the bare minimum in IE
because I don't use it.

So this is critical.

Thanks,
Robert


Was there anything suspicious leading up to this ?

It almost suggests a Cryptolocker or file hiding malware
attack.

*******

Your WD Black 2TB appears to have lost or damaged the MBR.
I don't think it would state "Removable drive E:" unless
the drive was spinning.

You can remove the WD Black 2TB from the enclosure, and
boot it separately in the computer (because you set it up
so it could boot). Now, if that works, then the drive is OK.
If it doesn't boot, it's going to need an attempt at recovery.
Perhaps a program like TestDisk could do that (because it
rebuilds the MBR, based on any file system headers on the
partitions it can see).

You have two drives that boot on that computer. You have the
1TB drive (which currently is missing some part of Firefox).
You have the 2TB drive, which you've successfully booted in
the past.

So you should be able to get something booted.

You also have the Macrium CD as a boot item, so you
could also boot Macrium and see if it can view the
contents of the 2TB drive.

The idea behind the careful approach, is to see if
any software can see the drive, better than some
other software is at present.

*******

So what are my concerns at the moment, why isn't
there a strong theme in my answer ?

1) Evidence of malware ? Why did Firefox "disappear" ?
What is going on there ?

2) Simultaneous hardware failure ? Is the disk damaged,
is some data damaged, what is going on ?

Having the two of them potentially happening at the same
time, makes it hard to form a plan of action. If it's malware,
I'm wasting your time fiddling with the 2TB drive. If
it's a hardware failure, maybe you can lift yourself
by your bootstraps (use the remaining resources to
cobble together a working solution). But what do we start
with first ?

For example, if you had the Sality malware on the machine,
every disk ever connected to the machine could be compromised.
Including a backup drive. I don't consider my setup here
to be ready for Sality. I don't have a safe way of handling
my backup drive, without Sality getting onto it. Which would
probably be a "nuke and pave" moment for me.

Which do I deal with first ?

You could Safely Remove, disconnect and power off the
2TB drive for now. And use MBAM free on-demand scanner
to search for malware.

To work on the 2TB drive, yes, by all means it should
be plugged into the 8500. That eliminates the controller
chip in the enclosure as an issue. And it eliminates
a flaky wall adapter as the source of the problem.
But at the moment, we don't know what the malware
status of the computer is.

So after you've done a bit of work on the 1TB drive,
from a malware scanning perspective, you could work
on the 2TB drive.

You have a couple possible configurations.

1) Boot the 2TB drive by itself, when it is placed
in the 8500. Disconnect the 1TB drive when testing
the 2TB for the first time.

2) If the 2TB won't boot, then it really does have some
data structure damage. If we "trusted" the OS on the
1TB drive, we could boot the 1TB and run a program
like TestDisk. And have it scan the disk.

http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step

But the thing is, at the moment, you don't have a working
browser, so at the very least, you'll need to use
Internet Explorer, try to reach www.mozilla.com and
download the Firefox installer. And see if you can get
that working. There is no reason for Firefox to trash
the existing profile and bookmarks. Assuming they're
still on the machine.

It looks suspiciously like some sort of data hiding malware,
which is why I might do some scanning on the 1TB drive first.
It's probably "too late for safety now", as possibly
both the backup drive and C: are both damaged in whatever
way some malware sees fit.

I might also be using my Kaspersky Rescue CD, the one
that does malware signature scanning. But you can give
MBAM a try first, and see if there is even still a
copy of MBAM on the 1TB drive.

In situations where you *know* something dangerous was
acquired on the 1TB drive, you would:

1) Reboot and insert the Macrium CD.
2) Connect the 2TB drive to the machine.
3) Don't boot the 1TB so it can "see" the 2TB drive.
You would only boot the Macrium CD, as it is a
"clean" OS and can't harm anything.
4) Restore an OS from the 2TB backup collection,
to take the place of the infected OS on the 1TB drive.
5) Shutdown and disconnect the 2TB external drive.
Boot the 1TB drive and see if it is OK.

So the idea in that example, is to not allow the 1TB
drive to "see" the 2TB drive, while the OS on the 1TB
drive is running. In case there was malware. But your
2TB drive has been connected to the (potentially) infected
system. And this is a weakness in any case, which I
don't have a cure for. If I do backups here, if my machine
was infected and I connected my external to do a backup,
both the internal and the external could get malware
damage, such as a Cryptolocker attack.

(Cryptolocker encrypts files for ransom purposes. Once the
encryption step is finished, a prompt appears on
the screen asking for money. A file hiding malware
on the other hand, just uses the "hidden" file attribute,
to hide stuff. When they ask for money, it would
probably be in BitCoin currency, to hide their tracks.)

I guess my order of execution would be to try some
malware cleanup work on the 1TB first. As we may need
to use the 1TB OS, to try to run TestDisk. In an ideal
world, you'd have a Linux boot CD (since TestDisk runs
from there), and you would attempt to recover the 2TB
drive from Linux. But that wouldn't be a very convenient
environment to work from.

Bleepingcomputer has an "unhide" program, if you knew for
certain a hiding malware had attacked the machine. More
details are available here.

http://www.bleepingcomputer.com/foru...-program-does/

"revert many of the changes on your computer caused by
the FakeHDD family of rogue anti-spyware programs"

Hope that helps,
Paul

Mark Twain wrote:

I did as you suggested and unplugged the adaptor
and then inserted it but it still doesn't recognize the
HD. I fear it may have crashed.

I do hear it clicking when I first power it up
but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have
to switch User and go into the Administrators
Account the USB Safely Remove is still there
possibly as a leftover from System Restore?
In any case, I used it to safely remove the WD
hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if
it boots or do you have further steps for me? The
thing is now I can't even access FF or any of my
bookmarks and have only the bare minimum in IE
because I don't use it.

So this is critical.

Thanks,
Robert

It might be the infamous "click of death"

Try powering off the drive, unplug from usb and wait a minute.

Plug it back in. Does it click? Try it again. Does it click?

If it consistently "clicks" on startup it's probably a dead hard drive.

JT

Wow, you sure gave me allot of information
to swallow! I'll have to re-read it a few
times.

I did switch the HD's so that I'm now typing
this with the WD 2TB hard drive installed.

I thought I had done a recent backup for this
because remember I moved some data I had worked
on to a DVD because my Patriot Key had the
Rescue.ISO file on it but none of the files/
folders have been updated and I'm missing allot.

What lead up to this was that I was trying
to delete a folder and I thought the busy
circle had ended and it hadn't and it seems
to have moved the mouse to include the other
folder which I didn't want removed because by
the time the circle cleared the folder was
gone.

That when all this started from a missing
folder to FF disappearing to not completing two
system restore using different dates, to not
recognizing the WD drive,.. it just all happened
one after the other..

Robert

With all the information you've given I
think I'll wait and see what you want me
to do now since we've got the WD running
albeit a dated version but FF is up and
running and 85% of the bookmarks are there

However, I would like to retrieve the
missing bookmarks/data/documentation
if at all possible.

Thanks,
Robert

JT wrote:
Mark Twain wrote:

I did as you suggested and unplugged the adaptor
and then inserted it but it still doesn't recognize the
HD. I fear it may have crashed.

I do hear it clicking when I first power it up
but it doesn't respond.

http://i67.tinypic.com/282x5i.jpg

Also the safely remove icon is gone so I have
to switch User and go into the Administrators
Account the USB Safely Remove is still there
possibly as a leftover from System Restore?
In any case, I used it to safely remove the WD
hard drive.

http://i68.tinypic.com/dmth8w.jpg

Should I put the WD drive in the 8500 and see if
it boots or do you have further steps for me? The
thing is now I can't even access FF or any of my
bookmarks and have only the bare minimum in IE
because I don't use it.

So this is critical.

Thanks,
Robert

It might be the infamous "click of death"

Try powering off the drive, unplug from usb and wait a minute.

Plug it back in. Does it click? Try it again. Does it click?

If it consistently "clicks" on startup it's probably a dead hard drive.

JT

He is booted off it right now. The disk not only has
backups on it, it also has a cloned set of OS partitions,
just for situations like this. So the disk has gone
from "wants to be formatted" to fully working, all by
being moved out of the external enclosure it was in,
to being put back inside the PC.

Paul


Paul


Paul

Yes, the drive is working fine as it did when I first
tested it for booting. It's just not up to date and is
missing bootmarks, and data etc. Otherwise its fine and
very responsive and of course the clicking *L*

From re-reading your instructions is this what you
would like me to do:

* Put the 1TB back into the computer
* run Malwatebytes scan
* try downloading FF from www.mozilla.com
* Run Kaspersky CD

When you refer to the Macrium CD are you referring to
the Rescue CD? In any case, the OS of the 1TB is
outdated and I would loose all my books and image files
and data if I copied the OS from the 2TB to the 1TB would
I not? Is there no way to recover the bookmarks and data?

Also remember I still have the 8200 as a final backup should
we need it.

So waiting on what you would like me to do at this point.

Thanks,
Robert

At present I'm running all the scans
on the 2TB HD to make sure its not
infected with anything.

Robert

Mark Twain wrote:
With all the information you've given I
think I'll wait and see what you want me
to do now since we've got the WD running
albeit a dated version but FF is up and
running and 85% of the bookmarks are there

However, I would like to retrieve the
missing bookmarks/data/documentation
if at all possible.

Thanks,
Robert


But you attempted to do a couple System Restores
(which failed) on the C: drive in question. There
are sometimes opportunities to "undelete", but
only if you stop writing to the disk and prepare
for data recovery right away. Doing some System Restores,
could result in overwriting of deleted files.

The first question would be, when you were attempting
this "delete" operation, did the files just
go into the Trash ? Or did you use the Shift key,
signaling "immediate delete" ? (Which would not give
you a chance to move the files out of the Trash.)
My USB flash sticks here, if you delete on them,
the delete is immediate. Hard drives, on the other
hand, the Trash bin is an intermediate storage point.

"Possible way-stations for the fate of a file..."

file -- Trash bin -- empty trash, -- overwrite file area,
unlink file data clusters
pointer are lost

Since you have Agent Ransack on the 1TB drive, try
Agent Ransack, and ask it to find any copies of

jsonlz4

as that would be the bookmarksbackup format.

And at this point, I don't even know what form your
"bookmarks" are in. You say you deleted them, and you
have some sort of shortcut or something on your desktop.

If you can reinstall Firefox, I would fire up the browser
again and check to see if it exhibits a working set of
bookmarks or not. Maybe you didn't actually delete
the bookmarks or the bookmarkbackups.

Use your noodle to dream up some search-type operations.
Think about the file names you deleted, and use Agent
Ransack to find them. They might still be on the 1TB drive.

*******

There are two kinds of data recovery:

1) Programs that "scavenge" a drive, by reading every block
on the drive, and trying to piece together files. This
approach is doomed from the start, but most users are
desperate and will do anything when severe damage happens.

2) Undelete programs, that make use of the file system feature,
where emptying the Trash only removes the file pointer. The
data clusters are still there, and they can still be located.
This can fail if the data clusters are overwritten (user didn't
stop using the disk in time). I don't know how quickly the
$MFT would be overwritten, wiping out the file metadata.

There is an application you can use for scavenging a
drive. Photorec can recover files. But it would only
work reasonably completely, if the disk was perfectly
defragmented before the incident. It doesn't use file
system metadata, and just looks for chunks of files.
Which is a bold approach, but not guaranteed to give
anything more than hundreds of thousands of fragments.

http://www.cgsecurity.org/wiki/PhotoRec

The other kind of tool, would be an "undelete" tool.
When you accidentally empty the Trash bin, the pointers
to the files in there are removed. The data clusters
are still sitting there. So as of yet, nothing
is lost. However, if any write operations are attempted
on the disk, the file system looks for "reusable locations",
and at that point, the data clusters in question get overwritten.
And then undelete is no longer possible. That's why, when
you have a deletion accident, the first thing to do is shut
down the C: drive (assuming the stuff is on C, so no
system maintenance activity can overwrite anything.

http://www.techradar.com/us/news/sof...ftware-1141256

Undelete 360

There is a screenshot of the interface here.

http://www.pendriveapps.com/wp-conte...ndelete360.png

Link to the installer for the program.

http://www.undelete360.com/download.html

It's the item that says "1.94 MB" in fairly small print.

http://www.undelete360.com/files/undelete-360-setup.exe

Now, how it can tell "overwritten" versus "Very Good", is
it can examine the cluster list of the deleted file,
and see if any new files use those clusters. If the clusters
are in usage by another file, then the original file is
completely lost. If the clusters still are the sole property of
the file with the unlinked pointer, then the data is recoverable.

When a disk is not the OS drive, it's a lot "quieter" and
less overwrite damage is going to happen. So if you have
a second OS drive, you boot that, then run the "undelete"
tool against the drive that just had the accident.
And you store the recovered files, on a folder on
the *undamaged* disk. Don't do in-place recovery
on the damaged disk, as the write operations from the
recovered files, starts removing the file metadata of
the files you're trying to rescue.

Paul

I have no idea where the files went. I used
the delete key to delete the file. I checked
the trash bin but the folder wasn't there.

The last (360 option) sounds best it seems
but from the sound of it you don't want me
to put the 1TB back into the 8500 but perhaps
put it in the Star Tech case?

One another anomaly, the 8500 clock was off
by 3 hours.

Thanks,
Robert

Mark Twain wrote:
I have no idea where the files went. I used
the delete key to delete the file. I checked
the trash bin but the folder wasn't there.

The last (360 option) sounds best it seems
but from the sound of it you don't want me
to put the 1TB back into the 8500 but perhaps
put it in the Star Tech case?

One another anomaly, the 8500 clock was off
by 3 hours.

Thanks,
Robert


The clock being off, sometimes happens if you
boot Windows, then boot Linux, then boot Windows
again. Some combination of that has caused my
time to change. I think even Win2K (where the
DST doesn't work properly) has results in
the clock being off by one hour. For larger
displacements, the time zone could be wrong.

You could put both drives inside the 8500,
select the 2TB drive for booting (using the BIOS
boot order), and do the data recovery on the
1TB drive from there. Making sure, that if
the "360" program finds something, the files
are stored on the 2TB drive, until you are
happy that you've recovered everything you need.

Paul

Mark Twain wrote:
Yes, the drive is working fine as it did when I first
tested it for booting. It's just not up to date and is
missing bootmarks, and data etc. Otherwise its fine and
very responsive and of course the clicking *L*

From re-reading your instructions is this what you
would like me to do:

* Put the 1TB back into the computer
* run Malwatebytes scan
* try downloading FF from www.mozilla.com
* Run Kaspersky CD

When you refer to the Macrium CD are you referring to
the Rescue CD? In any case, the OS of the 1TB is
outdated and I would loose all my books and image files
and data if I copied the OS from the 2TB to the 1TB would
I not? Is there no way to recover the bookmarks and data?

Also remember I still have the 8200 as a final backup should
we need it.

So waiting on what you would like me to do at this point.

Thanks,
Robert


"So waiting on what you would
like me to do at this point."

Do you have a Macrium backup of the 1TB drive, which
is more recent than the OS cloned onto the 2TB drive ?

I cannot make resources appear out of thin air :-)
Either you have materials to work with, or you don't.

If you have absolutely nothing recent in terms of a
backup, they you're really relying on "360" to do the
job. Just try to avoid booting the 1TB drive, until
your recovery attempt is done. If the 1TB drive is treated
as a data drive, there will be less writing to it.

I'm assuming that malware isn't involved here, but
you sure have a lot of weird symptoms you're
throwing at me.

If you actually had a .mrimg of the 1TB which
has a relatively recent date stamp on it,
maybe that would be the best solution. But
at the moment, I have no way of knowing whether
any of your backups are good. You could, for example,
boot the 2TB, and run the copy of Macrium installed
in the OS there, and use that to put back an OS
image made of the 1TB drive. Or, you can also do
restores while the Macrium CD is booted. Your choice.

Boot 2TB

.mrimg on --- install over top of C: on the 1TB
2TB

HTH,
Paul