jaclaz

Happy to hear about a happy ending. Virii "for USB sticks" are generally triggered by the stupid (I know no better English word to describe it ) feature of Windows XP (and later I think ) that tries to access "automagically" anything connected to the USB port and tries to Print, or Play or Open or whatever. The culprit is the autorun.inf file, which is executed by the above mentioned stupid feature. An Image file is not accessed the same way, so it is relatively safe. Scan files in the image and your anti-virus should get rid of the things allright. Since Windows cannot read properly your damaged stick, it shouldn't be a problem of reinfection. Thus answer to all your questions is NO. What you should do next would be to WIPE your stick (as opposed to re-formatting it) Get mksparse: http://www.acc.umu.se/~bosse/ unzip it in the usual directory C:\DSFOK (I presume that the C:\ volume has a NTFS filesystem, otherwise use a NTFS one) Create a new sparse file the size you got from dsfo originally: mksparse C:\dsfok\USB_empty.img 1035206656 The file, being sparse will occupy only a bunch of Kbytes instead of it's full size, and it will be full to the brim of 00's. If the temporary occupation of about 1 Gb by the file is not a problem, you can use fsz that is already in the DSFOK you have. Now, use dsfi to completely overwrite your stick: dsfi \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_empty.img Remove and re-insert stick. Now, use RMPREPUSB.EXE (advised): http://www.boot-land.net/forums/index.php?showtopic=7739 to format your stick. (this will create a "properly formatted" stick including a MBR, i.e. HD-like, if you use XP Disk Management it will format the stick as super-floppy, unless you use a filter driver, that I guess it's out of the scope of this thread) Using the re-known "HP utility" will work as well, though it will create "better-than-the-current-lousy-one" , but still unbalanced CHS/LBA partition table, which is more likely to cause problems in the future. Remove and re-insert stick. Then, get ninja pendisk : http://nunobrito.eu/ninja/ http://www.boot-land.net/forums/?showtopic=4350 http://nunobrito.eu/ninja/forum/ and use it. BTW, and just as a general advice for the future, a not-so-well-known "trick" on FAT16 and FAT32 filesystems, in order to increase the possibilities of recovering files is to avoid if possible to put files in the ROOT, but rather use Directories or sub-directories to store them. jaclaz

Just for the record, you can use a USB stick with the Parted Magic ISO. See here: http://partedmagic.com/documentation/124-g...so-booting.html jaclaz

Yep. You did not make properly the [Geometry] change. Re-check settings in the [Geometry] section: Cylinders=1 Heads=64 Sectors=32 Sector Size=512 and you will get the 987/18/25. jaclaz

OK , here it is: Delete any testdisk.log you may have in testdisk directory. Start testdisk mounting the image, as follows: testdisk_win /log C:\dsfok\usb_full.img Following italics is what you will see/will have to choose and bold is what you have to type, underlined comments/hints: [Proceed] <ENTER> [intel] <ENTER> [Geometry] <ENTER> [Cylinders] <ENTER> 1 <ENTER> [Heads] <ENTER> 64 <ENTER> [OK] <ENTER> [Options]<ENTER> use arrow keys and <ENTER> to switch settings: Expert Mode:Yes Cylinder Boundary:No Allow partial last cylinder: Yes Dump:No [Ok] <ENTER> [Advanced] <ENTER> 1*FAT16 >32M 0 1 1 987 18 25 2021945 <--you should see this, if not something was made wrong before [boot] <ENTER> [Rebuild BS] <ENTER> FaT1 Location....:1 <ENTER> Fat2 Location....:248 <ENTER> Number of FATS...:2 <ENTER> Cluster size.....:32 <ENTER> <ENTER> here you can browse the FAT contents and (optionally) copy some files from the image - NO NEED to copy them, however, we will attempt retrieving them later q <ENTER> [Write] <ENTER> Write FAT boot Sector, Confirm? (Y/N) Y [Quit] <ENTER> [Quit] <ENTER> [Analyze] <ENTER> [backup] <ENTER> Should Testdisk....Vista...? N [Continue] <ENTER> L [Load] <ENTER> [Write] <ENTER> Write partition table, confirm? (Y/N) Y [Ok] <ENTER> [Quit] <ENTER> [Quit] <ENTER> ***END of testdisk session*** You don't actually need to reboot, since you were working on an image instead of a "real" device. Now, mount USB_full.img with IMDISK and you should be able to copy out of it the files normally with Explorer to a new directory on your hard disk. It is possible that you will be able to recover 100% of files, and as well it is possible that some will be corrupted, no way to know in advance. Let me know how it goes. If you don't feel confident in the procedure, make a copy of USB_full.img and try at first on the copy. jaclaz P.S.: If you think the procedure is a bit too complex, I can post your USB_550.img "corrected" and show you how to "merge" it with USB_full.img, but then you won't have any fun at it.

Got it. Good news. It seems like manually adapting Geometry it is possible to access the FAT(s). It's a rather complex procedure, tomorrow I will post a step-by-step of what you should do. jaclaz

If I am getting this correctly, there is not much logic (no offence intended ) into your line of reasoning. Symantec Endpoint Protection: finds a "tracking cookie" it doesn't show it's filename/where it is it isn't able to "Quarantine" it isn't able to "Leave Alone" (whatever it means) You make a complex unattended CD full of third party apps (at least from the HijackThis log) and then you put the blame on nlite? I would try doing a "normal" nlite CD, NOT UNATTENDED, WITHOUT adding ANY other software: if the problem is still there, THEN it may be nlite's fault. In any case this behaviour should be reported to Symantec, as it anyway doesn't look "right". jaclaz

I am afraid that things are more complex than expected. It seems like there is anyway some corrupted values in USB_100.IMG and probably also in USB_full.img. Forget about IMDISK for the moment. A test that you can make: run: dsfo C:\dsfok\USB_full.img 0 51200 C:\dsfok\USB_100_new.img then: FC /B C:\dsfok\USB_100_new.img C:\dsfok\USB_100.img It should give "no differences found". Please report if it instead FC finds differences. It is still possible that testdisk can do something, but using it's advanced features will be required, something that you cannot do - at least for the moment. You should provide me with some more sectors, it seems like the FAT (at least FAT#1) is gone beserk. I need the whole set of FAT's. According to the bootsector the filesystem has 247 sectors per FAT. Thus I need: 32 - hidden sectors 1 - FAT16 bootsector 247 - First FAT 247 - Second FAT (32+1+247+247)=527 sectors, rounded to 550, thus 550x512=281,600 bytes Run this: dsfo C:\dsfok\USB_full.img 0 281600 C:\dsfok\USB_550.img Zip the USB_550.img to USB_550.zip and attach it. jaclaz

It was a caution. IMDISK is a virtual drive which works at filesystem level (i.e. it mounts only a partition not the whole physical drive). Thus when you give it a physicaldrive image (with MBR and hidden sectors) it tries to determine by reading the MBR where the partition starts. Usually it gets the right values, the suggested 32 was in case it did not. If you look at the screenshot, you can see how you have in third line from top (Image file offset) a value of 0 bytes. This should be either 32 blocks or 16384 bytes (32*512=16384). Do not bother for the moment for the other settings. From the screenshot, the image was successfully mounted as drive G:, BUT since you see the N/A, no filesystem was recognized. Try unmounting it and re-mounting supplying the given value. See screenshot: If we are lucky, you should see in the other IMDISK window instead of the N/A, FAT or FAT16 (cannot remember). It is possible that while dsfo copied apparently properly the first 100 sectors, a malfunctioning occurred when you made the "full" image. Try (without actually mounting it) to start the mounting with IMDISK of the USB_100.img, you should have exactly the same situation as the above screenshot. If the same does not happen with the "full" image, it means that at leastr it's first sectors are not "good" (just as it was no good the first sector you copied with HDhacker. jaclaz

Just in case, VBEMP/UNIVBE should be compatible with your chip: http://www.geocities.com/bearwindows/vbemp.htm http://www.boot-land.net/forums/index.php?...c=2325&st=0 jaclaz

Got it. The sectors as saved by dsfo seem MUCH better than the first ones, BOTH MBR and Bootsector appear to be valid. It is possible that the stick is really suffering from some intermittent malfunctioning. Try getting IMDISK: http://www.ltr-data.se/opencode.html and try mounting the USB_full.img if IMDISK does not auto-detect the number of hidden sectors, supply 32 as the number of hidden sectors (skipped blocks) Hopefully you should be able to find your data in the image mounted as a volume. If everything is at it should be, we may try wiping the stick with 00's and re-apply to it the saved image. If anything appears not as it should on the mounted image, next step would be running TESTDISK on the image. jaclaz

And here also, you will be told: a. that since someone must be there to insert the floppy it isn't actually "unattended", and in any case "unattended" means that once started, you can leave. b. that you need to press F6 if you want to load drivers from floppy (can't it be the same one that inserts the floppy?) F6 also happens in the first few seconds of the install It doesn't look like you are making any progress. An alternative is: http://mindstorms.lego.com/NXTLog/projectd...iewcomments=all it can be greatly simplified for pressing just F6. B) jaclaz

If your USB is Physicaldrive #1, then the line is: dsfo \\.\PHYSICALDRIVE1 0 0 C:\dsfok\USB_full.img but for example if you have one of those multi-card readers, or a virtual disk device installed, this won't be always true. Do the following: get beeblebrox: http://students.cs.byu.edu/~codyb/ try accessing Physicaldrive1 with it (the drop down menu top left). If you see the same data I posted before: Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors| #0|06|80|0|1|1|255|61|0|32|1.966.137| then 1 is the right number. jaclaz

There are a number of problems in the files you sent. Basically: the MBR code is only partially there the MBR "Magic Number" Signature is not there the MBR DATA is - to say the least - "queer": Entry|Type|Boot|bCyl|bHead|bSect|eCyl|eHead|eSect|Start Sector|Num Sectors|Size in bytes #0|06|80|0|1|1|255|61|0|32|1.966.137|1.006.662.144 both files are identical (which is normal, since the MBR is not recognized Physicaldrive=Logicaldrive) Next steps: get the dsfok toolkit: http://members.ozemail.com.au/~nulifetv/freezip/freeware/ unzip in a new directory, say C:\dsfok Open a command prompt and navigate to that directory. You want to make a full image of the stick, so you will need roughly 1 Gb free on your hard disk. Now, you must be sure that you get the "right" physicaldrive number (if you have just one hard disk, it will be "0", and the USB stick will be "1") Run following command: this will create a byte to byte copy of the stick, the program will print on screen something like: Jolt down (and post) the bolded part (actual size of the stick). This way you have a full copy of the stick and we can start working on it without fear of making anything irreparable. Run again dsfo as follows: This is a copy of the first 100 sectors of the stick, 51200 bytes in size, that you should compress in a .zip and attach to your next post. The partition data refers to a 06 i.e. CHS FAT16 partition, starting at sector 33 or sector 64, the first 100 sectors should be enough to see if there are traces of it. (bootsector and start of FAT tables). jaclaz

From what you posted (second screenshot), it seems to me that you have a "direct" partition i.e. the stick is formattted as super-floppy with no MBR/partition table. Which usually happens with "brand new" sticks, that are however: formatted as FAT32 have 0/0/1 as start sector From the other screenshot, on the contrary it seems like you you have a single partition FAT16 starting from sector 33 (which would carry as a consequence that you have 32 hidden sectrs and thus a MBR). It also tells me that you used some formatting utility/method to re-partition/re-format the stick. Only you can now how the stick was before partitioned/formatted, please post as much information on how the stick it was before (when working) as you can remember. Also you should read this: http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step Try the deeper search, and next time, instead of the screenshots, post testdisk.log (of course you should ALWAYS create a Log at the beginning of each seesion with Testdisk) Cannot say how much you are familiar with PC/filesystems and more precisely with command lines app, but before starting with the "difficult things" do the following: Get HD hacker: http://dimio.altervista.org/eng/ and: save first 1 sector of PhysicalDrive to a file named MBR.bin save first sector of LogicalDrive to a file called BS.bin make sure to select theright drive! Compress the two files in a .zip archive and post it as an attachment, I'll have a look at them. jaclaz

When you double click on a drive letter, a mechanism inside Windows called filesystem recognizer, tries to identify the filesystem and load the appropriate driver (NTFS.SYS, FASTFAT.SYS, etc.). Possibly "something" misrepresents the filesystem and thus, since no known filesystem is recognized, Windows "assumes" that it is an unformatted partition and prompts for formatting it. It may be something as trivial as a a missing "55AA" signature in the bootsectors up to a serious case of data /filesystem structure corruption. You may want to try first TESTDISK: http://www.cgsecurity.org/wiki/TestDisk to check if the error is solvable by correcting a few values in MBR or bootsector or use PHOTOREC: http://www.cgsecurity.org/wiki/PhotoRec to attempt recovering the data "directly". jaclaz

The problem you detail is on ANOTHER "level" (i.e. filesystem level). Which "data recovery" tool did you try using? How does it react to CHKDISK? Have you checked TESTDISK : http://www.cgsecurity.org/wiki/TestDisk How/when did the problem develop? jaclaz

Something you may want to try: Roadkil's Unstoppable Copier http://www.roadkil.net/program.php?ProgramID=29 jaclaz

Isn't the sticky right here: http://www.msfn.org/board/index.php?showforum=82 http://www.msfn.org/board/index.php?showtopic=94398&hl= of your liking? jaclaz

Just for the record: http://news.cnet.com/8301-13860_3-9861474-56.html jaclaz

See if these are (at least part) of what you are looking for: http://www.msfn.org/board/index.php?showto...122723&st=3 jaclaz

There are also straight to cross-over converters, example: http://www.usbfirewire.com/Parts/rr-et-crossoveradapter.html jaclaz

Some details are given here: http://europa.eu/rapid/pressReleasesAction...;guiLanguage=en Apart Media Saturn Holding that is in "plain text", who are A, B, C, D, E ? Names should be: http://www.reuters.com/article/technologyN...E5491Q820090510 NEC HP DELL LENOVO ??? Let's try coupling them: HP=B NEC=C DELL=D ? or DELL=A? http://www.msnbc.msn.com/id/23076019/ then LENOVO either A or D What else? Who is E? jaclaz

Please don't tell me that you used nlite on target (the WinsetupfromUSB) instead that on source (a copy of your original CD). Just in case, the general idea is: have an original CD source, copy it to a foder on your hard disk, (source for nlite) nlite it, (slipstreaming Service packs as needed/wanted) use WinsetupfromUSB on the result of the above (modified source) to put it on the USB stick (target) jaclaz

Of course you need a "cross-over cable" if you are not using a hub, as opposed to a "normal" "straight cable": http://www.ertyu.org/steven_nikkel/ethernetcables.html jaclaz

Well, the decision of the EU commission is new, on 13th May 2009, of course the claim is not. Until then, AMD said that Intel used unfair commercial practices, now the EU has judged this allegation to be true. jaclaz