Avast WEBforum
Other => Viruses and worms => Topic started by: brmeau on September 02, 2012, 02:33:00 AM
-
I have been infected with the File Recovery Virus and it has locked me out of internet explorer as well as taken control of my desktop screen/programs. I have found a recent article with removal guidelines for this virus but wanted to go through this channel first since I am unfamiliar with the individual who wrote the "removal guide" for this virus. The following link is what I found...http://pcinfected.com/file-recovery-removal-guide/.
I would appreciate any help or suggestions. Thank you.
-
follow this guide: http://forum.avast.com/index.php?topic=53253.0
attach all logs here..
-
Use RogueKiller as the first programme and do not empty any temporary files yet
-
All of my desktop icons/system tray are missing from the system. The only folders that appear on the desktop are Recycle Bin and the folder for this "File Recovery" virus. I have booted up in safe mode with networking but can't figure out how to access internet to be able to download your fixes. Any way to access internet on this system?
-
From the blank desktop press the windows key + R
This should open a run Dialogue
Type in Iexplorer.exe
And IE should open
-
Tried and it says that windows can't find iexplorer.exe.
-
Still could not access iexplorer but was able to access internet by listing program files and choosing AOL to gain internet access.
Proceeding with prior instructions now.
-
RogueKiller logs attached.
-
OTL logs attached. MBAM pasted below. I downloaded aswMBR twice but the file would not run.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.09.02.03
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
PL :: HARKINS-PC [administrator]
9/2/2012 8:05:09 AM
mbam-log-2012-09-02 (08-05-09).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202159
Time elapsed: 8 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 28
HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.funmoodsHlpr (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\escort.escortIEPane (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoods.dskBnd (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\funmoodsApp.appCore (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\f (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Typelib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCR\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} (PUP.Funmoods) -> Quarantined and deleted successfully.
HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh (PUP.Funmoods) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods (PUP.Funmoods) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 2
C:\Program Files\Funmoods\1.5.23.22 (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\bh (PUP.Funmoods) -> Quarantined and deleted successfully.
Files Detected: 14
C:\Program Files\Funmoods\1.5.23.22\bh\escort.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\funmoodssrv.exe (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escorTlbr.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortApp.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortEng.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\ProgramData\ACqX9RnkWbItFO.exe (Trojan.Killav) -> Quarantined and deleted successfully.
C:\ProgramData\KbTTesIdWitxJO.exe (Trojan.Killav) -> Quarantined and deleted successfully.
C:\Users\PL\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\PL\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbjciahceamgodcoidkjpchnokgfpphh_0.localstorage (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\PL\AppData\Local\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Users\PL\Local Settings\Application Data\funmoods.crx (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\escortShld.dll (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\FavIcon.ico (PUP.Funmoods) -> Quarantined and deleted successfully.
C:\Program Files\Funmoods\1.5.23.22\uninstall.exe (PUP.Funmoods) -> Quarantined and deleted successfully.
(end)
-
OK you should have the desktop and icons back now. While I look at the logs:
RogueKiller is showing a bad partition which we will need to kill next
I need you to download:
gparted-live-0.10.0-3.iso (http://sourceforge.net/projects/gparted/files/latest/download?source=files) (115.1 MB)
Create a bootable CD, for Gparted from the ISO image.
You can use ImgBurn (http://download.imgburn.com/SetupImgBurn_2.5.6.0.exe) to do this.
Now boot off of the newly created Gparted CD.
You should be here... Press ENTER
(https://dl.dropbox.com/u/73555776/Gpart-Start.GIF)
By default, "do not touch keymap" is highlighted.
(https://dl.dropbox.com/u/73555776/Gpart-keyselect.GIF)
Leave this setting alone and just press ENTER.
(https://dl.dropbox.com/u/73555776/Gpart-continue.GIF)
Choose your language and press ENTER. English is default [33]
At the mode prompt enter 0, press ENTER
You will now be taken to the main GUI screen below
(https://dl.dropbox.com/u/73555776/Gpart-partitions.GIF)
According to your logs, the partition that you want to delete is <1 MB
Right click this partition and select delete .
(https://dl.dropbox.com/u/73555776/GPart-delete.GIF)
The Partition has gone
Now select Apply
Now you should be here:
(https://dl.dropbox.com/u/73555776/Areyousure.GIF)
Select Apply after double checking that the right partition was deleted
Is "boot" next to your OS drive?
If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags
(https://dl.dropbox.com/u/73555776/GPart-flags.GIF)
In the menu that pops up, place a checkmark in boot like the picture below, then close :
(https://dl.dropbox.com/u/73555776/GPart-bootflag.GIF)
Under File select Quit
(https://dl.dropbox.com/u/73555776/Gpart-quit.GIF)
You will see this small Popup
(https://dl.dropbox.com/u/73555776/Gpart-reboot.GIF)
Choose reboot and then press OK.
-
I have gone through the process booting by cd and got down to exit after managing files....the next box that you choose to reboot does not appear and the computer is locked up at the main vmware player screen.
Not sure what to do?
-
Could you click exit .. If you achieved the close part after managing flags then that part should now be complete
Otherwise reboot the computer
Then in normal windows try aswMBR
-
I clicked Quit under the Gparted tab just as the diagram showed and then the next box that was supposed to come up for Exit/Reboot never appeared and the system froze at the main window. I have removed the bootable cd and tried a reboot but getting error message that BOOTMGR is missing and to restart but keeps going back to this point.
-
OK reboot from Gparted disc
Then follow the steps as before :
From the manage flags portion
-
I tried again...same as in Reply #12. The exit/Reboot window is not coming up and the system is frozen at the main gparted screen.
-
Download the following three programmes to your desktop :
1. WiNTBootIc (https://dl.dropbox.com/u/73555776/WiNToBootic.exe)
2. Windows Vista RC (http://www.forum.probz.net/index.php?/files/file/21-windows-vista-recovery-environment-iso/)
3. Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe)
Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot
(http://dl.dropbox.com/u/73555776/wintoboot.JPG)
Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
(http://dl.dropbox.com/u/73555776/usb%20progress.JPG)
It will let you know when it is done
Then copy FRST to the same USB
(http://dl.dropbox.com/u/73555776/frstwintoboot.JPG)
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here (http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange.htm)
When you reboot you will see this.
Click repair my computer
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg)
Select your operating system
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg)
Select Command prompt
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg)
At the command prompt type the following :
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
Ok, I guess I am a little confused. The system won't boot up so therefore I can't get to the point to download the prior steps. What do I do to get the system to boot up so I can do this?
-
If you do not have access to another computer then reboot the Computer
Immediately press and Hold F8
Is there the option repair my computer if so select startup repair
Are you able to access another computer to create the USB ?
-
Yes I am using another computer...my apologies...I thought that I needed to download the items to the infected system.
-
No problem I have been there before ;D
The programmes you are going to run will install the recovery console onto your computer. And that is something everyone should have
-
Ok, I created the bootable USB and inserted it in the infected system. I got down to the "Select your operating system" instruction under System Recovery Options. There is nothing listed to choose from in this window. The message below it states that if it is not present click Load Drivers and when I do that it states to insert the installation media for the device and click ok to select the driver. I have stopped here. Not sure if I should proceed?
-
What was the size of the partition you deleted in Gparted could you confirm that it was <1MB
-
I do not remember the exact size but yes less than 1mb.
-
Click next please
-
Ok, go ahead now and select command prompt?
-
Yes please .. It looks as though the bootmanager was damaged, I may be able to repair it with this programme .. Failing that I have another small one specifically designed for that
-
Just to make sure you know exactly what is going on here, in typing in the command window e:\frst64.exe.....the 64 part is not there.....the only file was frst.exe. FRST.txt pasted below.
Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 02-09-2012 03
Ran by SYSTEM at 02-09-2012 16:22:50
Running from E:\
(X86) OS Language: English(US)
Attention: Could not load system hive.Attention: System hive is missing.
==================== Registry (Whitelisted) ===================
Attention: Software hive is missing.
HKLM\...\Winlogon: [Userinit]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
HKLM\...\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess
HKLM\...409d6c4515e9\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess
========================== Services (Whitelisted) ========================
==================== Drivers (Whitelisted) ===================
==================== NetSvcs (Whitelisted) =================
============ One Month Created Files and Folders ==============
============ 3 Months Modified Files ========================
==================== Known DLLs (Whitelisted) =================
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
==================== Restore Points =========================
==================== Memory info ===========================
Percentage of memory in use: 29%
Total physical RAM: 893.44 MB
Available physical RAM: 634.25 MB
Total Pagefile: 748.75 MB
Available Pagefile: 627.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.94 MB
==================== Partitions ============================
2 Drive e: () (Removable) (Total:3.73 GB) (Free:3.57 GB) NTFS
3 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
4 Drive y: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 148 GB
Disk 1 Online 3824 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1500 MB 1024 KB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y TOSHIBA SYS NTFS Partition 1500 MB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3824 MB 24 KB
==================================================================================
Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E NTFS Removable 3824 MB Healthy
==================================================================================
==================== End Of Log =============================
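For anyone triaging logs like the one above, here is a small parser that pulls out the lines that decided this case: the missing SYSTEM/SOFTWARE hives, the core files flagged under "Bamital & volsnap Check", the InprocServer32 entries FRST labels ZeroAccess, and the hijacked .exe association. This is an added example, not part of the thread and not FRST's own code; the sample log is a constructed excerpt modelled on the one posted above, and the core-file list and verdict labels are my own assumptions.

```python
"""Summarise the high-severity findings in an FRST-style log.

Added example (not FRST's code). Parses the line formats visible in the
thread's log: missing hives, "IS MISSING" file checks, ZeroAccess
InprocServer32 hijacks and the .exe association warning.
"""
import ntpath
import re

# Constructed sample, modelled on the FRST log pasted in the thread.
SAMPLE_LOG = r"""
Attention: Could not load system hive.Attention: System hive is missing.
==================== Registry (Whitelisted) ===================
Attention: Software hive is missing.
HKLM\...\Winlogon: [Userinit]
HKLM\...\InprocServer32: [Default-wbemess] ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] ATTENTION! ====> ZeroAccess
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
"""

MISSING_FILE = re.compile(r"^(?P<path>[A-Za-z]:\\[^\s]+) IS MISSING", re.I)
MISSING_HIVE = re.compile(r"(\w+) hive is missing", re.I)
ZEROACCESS = re.compile(
    r"^(?P<key>HKLM\\[^:]+): \[(?P<value>[^\]]+)\] ATTENTION! ====> ZeroAccess")
EXE_ASSOC = re.compile(r"^(?P<key>HKLM\\[^:]+): <===== ATTENTION!")

# Assumed list: files Windows cannot boot or log on without (taken from the
# names FRST checked in the thread's log).
CORE_BOOT_FILES = {"winlogon.exe", "explorer.exe", "services.exe", "svchost.exe",
                   "userinit.exe", "user32.dll", "volsnap.sys"}


def parse_frst(text):
    """Return the notable findings grouped by kind."""
    findings = {"missing_files": [], "missing_hives": [],
                "zeroaccess": [], "exe_assoc": []}
    for raw in text.splitlines():
        line = raw.strip()
        # FRST may run two "Attention:" notices together on one line,
        # so search the whole line rather than anchoring at its start.
        for hive in MISSING_HIVE.findall(line):
            findings["missing_hives"].append(hive.lower())
        m = MISSING_FILE.match(line)
        if m:
            findings["missing_files"].append(m.group("path"))
            continue
        m = ZEROACCESS.match(line)
        if m:
            findings["zeroaccess"].append((m.group("key"), m.group("value")))
            continue
        m = EXE_ASSOC.match(line)
        if m:
            findings["exe_assoc"].append(m.group("key"))
    return findings


def triage(findings):
    """Classify the findings. Verdict labels are this example's own."""
    core = [p for p in findings["missing_files"]
            if ntpath.basename(p).lower() in CORE_BOOT_FILES]
    hives = set(findings["missing_hives"])
    if core or ({"system", "software"} & hives):
        # Boot-critical files or hives gone: needs offline restore/reinstall
        verdict = "rebuild_or_offline_restore"
    elif findings["zeroaccess"] or findings["exe_assoc"]:
        # Registry-only damage: repairable from a recovery environment
        verdict = "registry_repair"
    else:
        verdict = "clean"
    return {"verdict": verdict, "boot_critical_files": core}


if __name__ == "__main__":
    result = parse_frst(SAMPLE_LOG)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print(triage(result))
```

Run it on a real FRST.txt by reading the file into `parse_frst`; the search-box step the helper asked for later in the thread (looking for each missing file elsewhere on the disk) is the natural follow-up to a "rebuild_or_offline_restore" verdict.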
-
Well I do not know how that happened as a wadge of system files have disappeared
Download the attached fixlist.txt to the same USB drive as FRST
Restart the computer as before to the recovery console
Run FRST and click Fix
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif)
A log will be generated on the USB drive
Then staying within the recovery console
Re-run FRST and copy the following into the search box and press search
(there is a semicolon between each file name)
explorer.exe;winlogon.exe;svchost.exe;services.exe;User32.dll;userinit.exe;volsnap.sys
A log will be saved on the USB
-
I just want to be sure that I am doing this correctly...sorry...I ran FRST and clicked Fix and it said that a log was generated on the USB drive. Then, I kept the Farbar Recovery Scan Tool dialogue box on the screen and started inputting the "stated" fields into the search box. It will not let me enter this entire string of characters as it seems to be too long for the allowed input field. I can enter up to 'userinit.exe:' and it cuts me off before I can enter the remaining script. I did not want to proceed without letting you know where I am at.
Thank you very much.
-
OK could you run it in two batches and then post the logs for it
-
Thank you!
Logs attached.
This search.txt contains explorer.exe;winlogon.exe;svchost.exe;services.exe
-
This search log is User32.dll;userinit.exe;volsnap.sys
-
OK this is not looking good..
From the command prompt on the recovery console type the following :
CHKDSK C: /R
-
States: Cannot open volume for direct access.
-
It looks as though we may have to backup the data and reinstall
I have not yet been able to figure out why this has happened. As in the last two days three of these have run with no problem at all
-
I will say that I am concerned about the data on this system. I do greatly appreciate everything that you are doing to help me out. Several months ago I had a different virus problem on my other system and you worked me through it. I am still very grateful to this day...I at least owe you a good dinner! If there are steps that you can suggest or lead me through I am listening! Thank you very much.
-
OK yet another disc to burn.. This should give you access to all your data via a windows XP desktop
- Download OTLPENet.exe (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
- Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
-
I now see the Reatogo desktop.
-
OK you should be able to recover all files using windows explorer and copying to a USB/CD
I have been discussing this problem and there is an option that involves reinstating backup registry copies, as long as windows was making them.
This will mean running the recovery console again and from the command prompt:
1. Type the following commands into the DOS command prompt. Each one of these statements copies the original registry files to the current registry directory.
copy C:\windows\system32\config\regback\system c:\windows\system32\config\system
copy C:\windows\system32\config\regback\software c:\windows\system32\config\software
copy C:\windows\system32\config\regback\security c:\windows\system32\config\security
copy C:\windows\system32\config\regback\sam c:\windows\system32\config\sam
copy C:\windows\system32\config\regback\default c:\windows\system32\config\default
2. Press the "Y" key after each copied file. This confirms that you want to overwrite the existing registry files.
-
Ok, I have clicked on the windows icon and have gone into My Documents and My Computer but do not see any data files. Should they be appearing right there while in this mode? I was going to copy all of my files off before I performed your next step.
-
So in the windows explorer you can access your documents and settings but there is nothing there ?
-
Well, when I pull up My Documents there are subfolders for My Music, My Pictures, My Videos and desktop.ini. The reason I questioned if I was looking in the right place under this boot mode is that all of the above mentioned folders have a creation date for today's date. I do not see a single thing that would be any of my data.
-
Did you open windows explorer and go to the C drive and look at the folders there ?
-
I am in Windows Explorer. When I first go in it pulls up "My Documents"...the before mentioned subfolders appear with the creation date of 9/3/2012.
Then, I clicked on My Computer and then chose the local drive. There is a subfolder for "Recycler" and "System Volume Information" with a creation date of today, 9/3/2012. There is a subfolder named "Sources" dated 5/26/2007. There is a file named BOOT.SDI dated 9/18/2006. There is another file named WinREPartition.ini dated 5/26/2007.
That is all that I see.
-
So it is not showing your other drive i.e C
-
Under My Computer it has a section for Hard Disk Drives. The first listed says "RAMDisk(B:) Local Disk. The second listed says "TOSHIBASYSTE... Local Disk. I will assume that this second one should be drive C: although it does not state it specifically. When I choose this Toshiba one it only shows the folders/files as before. No data, music, or pictures that I had saved appear anywhere.
-
OK from the command prompt type the following and we will see if windows can copy the registry files across
sfc /scannow /offbootdir=C:\ /offwindir=C:\windows
-
I typed what I thought the script was. Are there any spaces? I input it with no spaces...if that is the case then I got the following:
'sfc' is not recognized as an internal or external command, operable program or batch file.
-
sfc /scannow /offbootdir=C:\ /offwindir=C:\windows
I have exaggerated the spaces. each gap is one space
-
I received the exact same error message with the spaces now.
Just to be sure, in the command mode, I am at X:\Programs\MBRFix>
This is where it defaulted to when I selected it.
-
At X type CD.. to take you to the root and try from there .... I am beavering away on other sites at the moment looking for a resolution
-
I went down to root X:\> and received the exact same error message that 'sfc' is not recognized.........
-
From the Reatogo desktop could you run OTLPE
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked "Do you wish to load the remote registry", select Yes
- When asked "Do you wish to load remote user profile(s) for scanning", select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start.
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have internet connection on this system.
- Right click the file and select send to : select the USB drive.
- Confirm that it has copied to the USB drive by selecting it
- You can backup any files that you wish from this OS
- Please post the contents of the C:\OTL.txt file in your reply.
-
Hello..
Only got to step 2...select the windows folder of the infected drive...
I chose/clicked the one labeled "Toshiba System Volume (C:)" and hit enter...a RunScanner Error message appeared saying "Target is not windows 2000 or later." I press ok and it takes me back to Reatogo desktop.
-
That would suggest the MFT is corrupted
It looks like we may need to do a parallel install of windows .. Do you have the CD..
At the moment I am just checking out an ISO download of windows to confirm it is legitimate
-
I have 2 cd's that came with the system. One is titled Toshiba Recovery and Applications/Drivers Windows Vista Home Premium 32-bit. The other cd is titled Windows Anytime Upgrade.
I am coming to the conclusion that all of my data is gone forever, is that true?
Again, thank you for your help.
-
Unfortunately that appears to be the case
I am not sure if the Toshiba disc will allow you to install windows without disturbing the documents and settings. As there are some that will just reinstall the windows components
-
Here is what I did. Just needed to outsmart the idiots who write these things...
The virus disables a lot of functions in your profile, so I logged on as a "Guest". The virus did not affect the Guest profile, just like it does not affect the safe mode profile. As a guest I did a system restore to a point where I know I did not have the virus. Took about 30 minutes to restore. Rebooted and entered my normal profile. Virus gone.
I'm still going to research to see if I still have it in my computer, but for now, the virus is not active.
Hope this works for you, it did for me.
Armando