Author Topic: File Recovery Virus Problem  (Read 23152 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: File Recovery Virus Problem
« Reply #15 on: September 02, 2012, 08:20:22 PM »
Download the following three programmes to your desktop :

 
1.  WiNTBootIc
2.  Windows Vista RC
3.  Farbar Recovery Scan Tool

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

It will let you know when it is done
Then copy FRST to the same USB

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

 
When you reboot you will see this.
Click repair my computer

 
Select your operating system

 
Select Command prompt

 
At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #16 on: September 02, 2012, 08:25:13 PM »
Ok, I guess I am a little confused.  The system won't boot up so therefore I can't get to the point to download the prior steps.  What do I do to get the system to boot up so I can do this?

Offline essexboy

Re: File Recovery Virus Problem
« Reply #17 on: September 02, 2012, 08:33:37 PM »
If you do not have access to another computer then reboot the computer
Immediately press and hold F8
Is there the option "Repair my computer"? If so, select Startup Repair

Are you able to access another computer to create the USB ?

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #18 on: September 02, 2012, 08:36:12 PM »
Yes I am using another computer...my apologies...I thought that I needed to download the items to the infected system. 

Offline essexboy

Re: File Recovery Virus Problem
« Reply #19 on: September 02, 2012, 08:43:04 PM »
No problem I have been there before  ;D

The programmes you are going to run will install the recovery console onto your computer.  And that is something everyone should have

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #20 on: September 02, 2012, 09:49:40 PM »
Ok, I created the bootable USB and inserted it in the infected system.  I got down to the "Select your operating system" instruction under System Recovery Options.  There is nothing listed to choose from in this window.  The message below it states that if it is not present click Load Drivers and when I do that it states to insert the installation media for the device and click ok to select the driver.  I have stopped here.  Not sure if I should proceed?

Offline essexboy

Re: File Recovery Virus Problem
« Reply #21 on: September 02, 2012, 09:56:40 PM »
What was the size of the partition you deleted in GParted? Could you confirm that it was <1MB?

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #22 on: September 02, 2012, 09:57:56 PM »
I do not remember the exact size but yes less than 1mb.

Offline essexboy

Re: File Recovery Virus Problem
« Reply #23 on: September 02, 2012, 10:11:51 PM »
Click next please

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #24 on: September 02, 2012, 10:13:13 PM »
Ok, go ahead now and select command prompt?

Offline essexboy

Re: File Recovery Virus Problem
« Reply #25 on: September 02, 2012, 10:16:35 PM »
Yes please .. It looks as though the bootmanager was damaged, I may be able to repair it with this programme ..  Failing that I have another small one specifically designed for that 

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #26 on: September 02, 2012, 10:28:17 PM »
Just to make sure you know exactly what is going on here, in typing in the command window e:\frst64.exe.....the 64 part is not there.....the only file was frst.exe.  FRST.txt pasted below.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 02-09-2012 03
Ran by SYSTEM at 02-09-2012 16:22:50
Running from E:\
   (X86) OS Language: English(US)
Attention: Could not load system hive.Attention: System hive is missing.

==================== Registry (Whitelisted) ===================

Attention: Software hive is missing.

HKLM\...\Winlogon: [Userinit] 

HKLM\...\Winlogon: [Shell]  [x ] ()
HKLM\...\InprocServer32: [Default-wbemess]  ATTENTION! ====> ZeroAccess
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess
HKLM\...\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess
HKLM\...409d6c4515e9\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess

========================== Services (Whitelisted) ========================


==================== Drivers (Whitelisted) ===================


==================== NetSvcs (Whitelisted) =================


============ One Month Created Files and Folders ==============


============ 3 Months Modified Files ========================


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!

==================== Restore Points  =========================


==================== Memory info ===========================

Percentage of memory in use: 29%
Total physical RAM: 893.44 MB
Available physical RAM: 634.25 MB
Total Pagefile: 748.75 MB
Available Pagefile: 627.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.94 MB

==================== Partitions ============================

2 Drive e: () (Removable) (Total:3.73 GB) (Free:3.57 GB) NTFS
3 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
4 Drive y: (TOSHIBA SYSTEM VOLUME) (Fixed) (Total:1.46 GB) (Free:1.33 GB) NTFS

  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online       149 GB   148 GB         
  Disk 1    Online      3824 MB      0 B         

Partitions of Disk 0:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           1500 MB  1024 KB

==================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     Y   TOSHIBA SYS  NTFS   Partition   1500 MB  Healthy           

==================================================================================

Partitions of Disk 1:
===============

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           3824 MB    24 KB

==================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     E                NTFS   Removable   3824 MB  Healthy           

==================================================================================
==================== End Of Log =============================

Offline essexboy

Re: File Recovery Virus Problem
« Reply #27 on: September 02, 2012, 11:21:45 PM »
Well I do not know how that happened as a wadge of system files have disappeared

Download the attached fixlist.txt to the same USB drive as FRST
Restart the computer as before to the recovery console
Run FRST and click Fix

A log will be generated on the USB drive

Then staying within the recovery console
Re-run FRST and copy the following into the search box and press search
(there is a semicolon between each file name)

explorer.exe;winlogon.exe;svchost.exe;services.exe;User32.dll;userinit.exe;volsnap.sys

A log will be saved on the USB

brmeau

  • Guest
Re: File Recovery Virus Problem
« Reply #28 on: September 03, 2012, 12:51:57 AM »
I just want to be sure that I am doing this correctly...sorry...I ran FRST and clicked Fix and it said that a log was generated on the USB drive.  Then, I kept the Farbar Recovery Scan Tool dialogue box on the screen and started inputting the "stated" fields into the search box.  It will not let me enter this entire string of characters as it seems to be too long for the allowed input field.  I can enter up to 'userinit.exe:' and it cuts me off before I can enter the remaining script.  I did not want to proceed without letting you know where I am at.

Thank you very much.

Offline essexboy

Re: File Recovery Virus Problem
« Reply #29 on: September 03, 2012, 03:58:49 PM »
OK could you run it in two batches and then post the logs for it
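
An added example, not part of the thread and not code from Farbar or any poster: a Python triage of an FRST.txt log like the one in reply #26 that groups the flagged lines by section, extracts the names of the missing system files, and splits the semicolon-separated search string from reply #27 into batches as reply #29 suggests. The names `triage` and `search_batches`, the sample log and the 60-character limit are assumptions for illustration; the thread does not state the real length of the FRST search box.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the FRST.txt pasted in reply #26.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\InprocServer32: [Default-wbemess]  ATTENTION! ====> ZeroAccess
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
==================== Memory info ===========================
Percentage of memory in use: 29%
"""

HEADER = re.compile(r"^=+\s*([^=]+?)\s*=+$")   # "==== Section name ===="
MISSING = re.compile(r"^(.+?) IS MISSING\b")   # path before "IS MISSING"

def triage(log_text):
    """Return (flagged lines grouped by section, basenames of missing files)."""
    flagged, missing, section = defaultdict(list), [], "Header"
    for line in (raw.strip() for raw in log_text.splitlines()):
        if header := HEADER.match(line):
            section = header.group(1)
        elif "attention" in line.lower():
            flagged[section].append(line)
            if hit := MISSING.match(line):
                missing.append(ntpath.basename(hit.group(1)))
    return dict(flagged), missing

def search_batches(names, max_len):
    """Join names with ';' into as few strings as fit within max_len characters."""
    batches, current = [], ""
    for name in names:
        candidate = f"{current};{name}" if current else name
        if current and len(candidate) > max_len:
            batches.append(current)
            current = name
        else:
            current = candidate
    return batches + [current] if current else batches

if __name__ == "__main__":
    flagged, missing = triage(SAMPLE_LOG)
    print(search_batches(missing, max_len=60))  # 60 is an assumed field limit
```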