#21
And from the Command Prompt:
cmd.txt
ducat1base,
You are still infected, and it changed its name. Let's see if we can nuke this from outside of Windows, but with access to the Registry.
Please do the following...
Since the computer boots, let's run the Farbar Recovery Scan Tool from the hard drive that contains your Operating System (normally C:\).
(Doing this, since you may not have another computer.)
Please print these instructions, and read them once, so you have an idea of what you are doing.
Do follow them step by step.
Here we go...
FRST64.exe was previously saved to the Desktop
Right-click Start, and select: Open Windows Explorer
Look for drive C:\, or the drive that contains your Operating System (OS).
Now, go to the Desktop, right-click FRST64.exe just once and hold it, then drag FRST64 right into C:
~~~~
Next, remove the fixlist.txt previously on the Desktop. (To avoid confusion)
Open Notepad once again (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below to Notepad:
Code:
start
HKCU\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd <===== ATTENTION!
C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd
end
Name it: fixlist.txt
Save it on C:, which is the same place where FRST64 is at!
>>> Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
Use the arrow keys to select the Repair your Computer menu item.
Select your language settings, and click: Next
Select your User account and click: OK/Next (If you did not set a password, leave blank.)
On the System Recovery Options menu you get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
Select: Command Prompt
~~~~
In the Command Prompt window, at the blinking cursor type: notepad
(Note: Make sure the NumLk key is not active. If it is, you are not able to type correctly at the Command Prompt. If NumLk is active, press the Fn key and then the NumLk to deactivate it.)
Press: Enter
In Notepad, under the File menu select: Open
Double-click: Computer (on the left side), find the drive letter that has the Operating System, and remember what letter it has.
(Note: Once in this special mode you booted into, the drive containing the Operating System (OS) may not be C:\ (or the particular drive that has your OS).
You need to examine the drives carefully, and determine which one is the correct drive.)
Click on the OS drive
In Files of Type, select: All files
Press: Open
Confirm that FRST.exe is there!
~~~~
Now, click the Command Prompt window.
Type the following: ?:\frst64.exe, and press: Enter
(Note: Replace the ? with the drive letter that contains the OS.)
The tool starts and prepares to run. Follow the prompts.
Click Yes to the disclaimer.
~~~~
When the FRST console appears, press the Fix button, just once, and wait.
The tool creates a report called: Fixlog.txt
~~~~
Back at System Recovery Options, press: Restart
~~~~
After the computer restarts, and you are back in Windows, do a search for: Fixlog.txt
Please post the Fixlog.txt in your reply.
Double-click on the Unhide program icon on the Desktop to run the program.
When done, the program displays an alert stating that your files are restored.
Post back on whether Unhide gave you this alert!
Reboot your computer for the settings to go into effect.
Check the SD card, and see if the images show.
Last edited by cottonball; 18 Aug 2013 at 21:52.
Still no photos
The fixlog...
Fixlog.txt
and Unhide:
ducat1base,
Before going any further, please do the following:
Download MiniRegTool64.zip
Unzip it.
- Run the tool
- Copy and paste the following into the edit box:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
- Click the List Permissions button.
- Press the Go button, and post the result in your reply.
Also realized that you had FRST in the Downloads folder, and fixlist.txt on the Desktop.
The fixlist and FRST64 must be located in the same directory!!
As a result, when we tried the fix, got the following:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load: Error setting value
Currently, FRST is in C:, so, the fixlist.txt must be placed here also.
This time, just run FRST and press Fix without going to the Command Prompt, etc.
The entry needs to be fixed in Windows, outside the recovery mode.
Make sure you use the following text for the fixlist:
Code:
start
Unlock: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKCU\...\CurrentVersion\Windows: [Load] C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd <===== ATTENTION!
C:\Users\Owner\LOCALS~1\Temp\msuamr.cmd
end
When done, please post the fixlog.txt in your reply.
Last, but not least, right-click the J: drive (SD card) and select: Properties
Please post an image of the Removable Disk J: Properties
Last edited by cottonball; 19 Aug 2013 at 20:20.
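An added example, not part of the original posts: a read-only PowerShell check of the registry key the fixlist above targets, reporting the Load and Run autostart values and the key's permissions (the counterpart of the List Permissions step). It assumes PowerShell 3.0 or later; the function name and the Temp-folder and file-type heuristics are this example's own.

```powershell
# Added example (not from the thread): read-only audit of the autostart
# values in the key the fixlist targets. Nothing here modifies the registry.
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

# Heuristics (assumptions of this example): a command stored under a Temp
# folder, or one that is a script file, is unusual for these values.
# -match is case-insensitive, so 8.3 names such as LOCALS~1\Temp also hit.
$tempPattern   = '\\Temp\\'
$scriptPattern = '\.(cmd|bat|vbs|js|scr|pif)\b'

# Hypothetical helper: classify one autostart value.
function Test-AutostartValue {
    param([string]$Name, [string]$Data)
    $reasons = @()
    if ($Data -match $tempPattern)   { $reasons += 'path under a Temp folder' }
    if ($Data -match $scriptPattern) { $reasons += 'script or unusual file type' }
    [pscustomobject]@{
        Value   = $Name
        Data    = $Data
        Suspect = ($reasons.Count -gt 0)
        Reasons = $reasons -join '; '
    }
}

$key = Get-Item -LiteralPath $keyPath -ErrorAction Stop

# 'Load' and 'Run' under this key are legacy per-user autostart values;
# on a clean profile they are normally absent or empty.
foreach ($name in 'Load', 'Run') {
    $data = $key.GetValue($name, $null)
    if ([string]::IsNullOrWhiteSpace($data)) {
        '{0}: not set' -f $name
    } else {
        Test-AutostartValue -Name $name -Data $data | Format-List
    }
}

# List the key's access rules, Deny rules first. A Deny rule on the key
# can stop a cleanup tool from rewriting or deleting the value.
(Get-Acl -LiteralPath $keyPath).Access |
    Select-Object IdentityReference, AccessControlType, RegistryRights, IsInherited |
    Sort-Object AccessControlType -Descending |
    Format-Table -AutoSize
```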
forgive me if I'm being stupid here, i just sorta skimmed thru this post. Can't we, if the files were deleted as it appears to me, use an undelete program to recover the photos and then format the USB, since it seems it might contain a potential virus, wouldn't it remove the virus? Also, if we look into an undelete program, and they show up, we should know that they're no longer on the USB, correct? Or is the problem inside windows? even then we can still try an undelete program right?
redfang337,
Thanks for the info. :)
Quote: Can't we, if the files were deleted as it appears to me, use an undelete program to recover the photos
What is your idea of an "Undelete program"?
Just want to make sure we are on the same page.
Quote: ...is the problem inside windows
The problem appears to be inside Windows at this point, but there could also be a problem in the USB drive. The most logical place would be in the autorun file, but we can't open it.
ducat1base,
After performing the actions in Post #25, please do the following:
Please download UsbFix (free) - Download the latest version for Windows in English on Kioskea
Go to the small green button with: Download Free Version (1MB)
Right-click the downloaded file and select: Run as Administrator
Connect your SD Card when requested.
Press: Listing
When done, the program closes on its own, and a report appears.
Please post the USBFix Listing report in your reply.
why not recuva? scan the SD with portable recuva, recover the files to a specified folder on the desktop, then format the usb to get rid of the virus. Sounds like a simple fix to me, or am i missing something still?
@redfang337,
Ah!! A data recovery program. When you mentioned "Undelete" program, was not sure of what you had in mind.
At this point, IMO, the images are hidden by malware, and hopefully we will find out some more details about them when ducat1base posts back.
If it is not the case, then, other options will need to be explored.
However, the OP needs to remain on course until the malware is taken care of.