
Thread: Virtumonde-New Thread-As Per request

  1. #11
    Blade81 (Security Expert: Emeritus) - joined Oct 2006, Finland, 25,288 posts

    I mean this.

    Also, system restore and recovery console are not the same thing.
    Last edited by Blade81; 2009-11-21 at 02:28.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  2. #12
    Member - joined Nov 2009, 70 posts

    Thanks Blade

    Thanks Blade,

    I will look at the link you provided and also try rebooting to last known good config. I can't do this right now as today is my wife's birthday and we're heading out to eat. I will get back on this again in a couple of hours and post what happens. I do appreciate your assistance.

  3. #13
    Member - joined Nov 2009, 70 posts

    Can't restart Windows

    Hi Blade81,

    I do not have any good news.

    I cannot restart in NORMAL or SAFE MODE or to LAST KNOWN GOOD CONFIGURATION. RESULT = Same Blue screen

    If I restart with the F8 key, then select START NORMALLY, SAFE MODE or LAST GOOD CONFIG, and then select Microsoft Windows Recovery Mode, I come to a selection screen labeled Microsoft Windows XP Recovery Console which asks me "Which Windows installation would you like to log on to?"

    There is only one choice...
    1: C:\Windows

    Pressing #1 and then Enter I come to a black screen with a DOS prompt...
    C:\WINDOWS>_

    Once there, I ran...
    1. chkdsk c: with no switch - RESULT = Volume appears good and was not checked
    2. chkdsk c: /p - RESULT = Chkdsk ran to 25%, then slowly to about 50%, then a bit faster to 75%, and then quit and reported results. (The drive is about 75% full)
    3. Then ran chkdsk c: /r - RESULT = Chkdsk ran OK to about 50%, then slowly to 75%, and returned to 50%, and again slowly to 75% and back to 50%. I then powered off.

    Still cannot boot to any Windows XP mode except the black screen DOS prompt when pressing F8 while restarting, then selecting NORMAL, SAFE, or LAST KNOWN GOOD CONFIG, and then choosing Windows Recovery Console.

    Do you think I will ever be able to restart Windows XP again?
    Perhaps with...
    ...the ERUNT Registry Backup?
    ...the ComboFix Registry Backup?
    ...any other means?

    Or am I doomed to reformatting this hard drive and reinstalling everything?

    I look forward to your guidance and suggestions.
    TomZT

  4. #14
    Blade81 (Security Expert: Emeritus) - joined Oct 2006, Finland, 25,288 posts

    Hi,

    We'll try to restore things back. First I'd like to know if you have a flash memory to transfer c:\ComboFix.txt file (if it's present) from infected system?

    This can be done by entering the recovery console (like you did earlier) and entering the following commands (press Enter after each one); f: is the USB drive letter here (it may be different in your system):
    set allowallpaths = true
    set allowallremovablemedia = true
    copy c:\combofix.txt f:\combofix.txt

  5. #15
    Member - joined Nov 2009, 70 posts

    Recovery

    Hi Blade,

    I will try your suggestion... But first I have a couple of questions...

    What method should I use to get to the Recovery Console...
    F8 when Booting, then SAFE MODE, Then Recovery Console?
    F8 when Booting, then NORMAL MODE, Then Recovery Console?
    or, F8 when Booting, then LAST GOOD CONFIG MODE, Then Recovery Console?

    I have several mapped network drives on this computer but I'm not sure what drive letters have been assigned to them. Is there any way I can, from the Recovery Console, determine the correct letter for the Flash Drive?

    I await your reply.
    Tom

  6. #16
    Blade81 (Security Expert: Emeritus) - joined Oct 2006, Finland, 25,288 posts

    When the system reboots you should have two options to choose from (those will appear for a couple of seconds):
    Microsoft Windows XP Recovery Console
    Windows XP Professional

    Choose recovery console. You could copy some dummy test file to your flash drive (create an empty test.txt file with Notepad, for example) and then in the recovery console, after entering those two set commands instructed in my previous post, use the command dir <drive letter>, e.g. dir f:, and see which one lists the test.txt file.

  7. #17
    Member - joined Nov 2009, 70 posts

    Recovery

    I created a test.txt file on another machine and saved it to a flash drive. Then plugged the flash drive into the infected machine.

    Then entered the Recovery Console...
    C:\WINDOWS>_

    The first command: set allowallpaths = true (this worked fine)

    The second command: set allowallremoveablemedia = true (this did not - bad parameter). After using the DOS command (HELP - /?) feature, I modified your parameter slightly, and tried: set allowremovablemedia = true (this seemed to work fine).

    The ONLY GOOD NEWS SO FAR is, after the above commands, I discovered that Combofix did create a ComboFix.txt file; however the file was actually located in C:\ComboFix\combofix.txt (361 bytes) rather than in the C:\ (root directory).

    So then I entered your third command (modified slightly):
    copy c:\combofix\combofix.txt f:\combofix.txt (this did not work - NO floppy or CD in drive).

    Trying to find the correct drive letter for the Flash Drive, I tried...
    dir f: - (this did not work - No floppy or CD in drive) Then...
    dir g: - dir h: - dir h: - etc. - on through: dir z: (this did not work - All reported invalid path or file)

    So the ComboFix.txt file is in there, I just need to find out how to get it out! Any more suggestions?

  8. #18
    Member - joined Nov 2009, 70 posts

    More good news, I hope

    I remembered from my old DOS days the commands Print or LPrint.... Couldn't find any help on those commands but searching further in the DOS command help feature, I re-discovered that I could use the type command to display a text file on-screen. So I entered...

    type c:\combofix\combofix.txt

    Here (re-typed by hand) is the contents of the ComboFix.txt file...
    -------------------------------------------------------------------------
    ComboFix 09-11-20.01 - Tom McNeal 11-20-2009 16:06:51.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.360 [GMT -6:00]

    Running from: C:\Documnets and Settings\Tom McNeal\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .
    -------------------------------------------------------------------------
    I sure hope this helps Blade!
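The header re-typed above is all that a helper has to go on at this point, and the next reply judges from it that ComboFix did not finish. As an added example (not code from the thread or from ComboFix itself), this parser extracts the run metadata from that header and flags what a helper would notice: on-access scanning disabled, definitions outdated, and a log that stops right after the header. The field layouts are assumed from the one header on this page only.

```python
import re

# Constructed sample: the ComboFix.txt header as re-typed in the post above ("Documnets" kept as posted).
SAMPLE_LOG = """ComboFix 09-11-20.01 - Tom McNeal 11-20-2009 16:06:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.360 [GMT -6:00]

Running from: C:\\Documnets and Settings\\Tom McNeal\\Desktop\\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
"""

# Field layouts are assumed from the header above; other ComboFix lines are not handled here.
HEADER_RE = re.compile(r"^ComboFix (\S+) - .+? (\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\S* - (\S+)$")
OS_RE = re.compile(r"^Microsoft Windows (.+?) (\d+\.\d+\.\d+)\.(\d+)\.")
AV_RE = re.compile(r"^AV: (.+?) \*(.+?)\* \((\w+)\) \{([0-9A-Fa-f-]+)\}$")

def parse_combofix_header(text: str) -> dict:
    """Pull the run metadata out of the header block and note whether the log continues past it."""
    h = {"restore_point": False, "truncated": True}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if m := HEADER_RE.match(line):
            h["version"], h["run_at"], h["arch"] = m.groups()
        elif m := OS_RE.match(line):
            h["os_name"], h["os_version"], h["service_pack"] = m.groups()
        elif line.startswith("Running from: "):
            h["run_from"] = line[len("Running from: "):]
        elif m := AV_RE.match(line):
            h["av_name"], h["av_status"], h["av_state"], h["av_guid"] = m.groups()
        elif line.startswith("* Created a new restore point"):
            h["restore_point"] = True
        elif line.strip() == ".":
            # "." closes the header; a finished run writes its scan sections after it.
            h["truncated"] = not any(l.strip() for l in lines[i + 1:])
            break
    return h

def triage_findings(h: dict) -> list:
    """What a helper would flag from the header alone."""
    findings = []
    if "disabled" in h.get("av_status", "").lower():
        findings.append("AV on-access scanning was disabled when ComboFix ran")
    if h.get("av_state") == "Outdated":
        findings.append("AV definitions were outdated")
    if h["truncated"]:
        findings.append("log stops after the header: ComboFix did not complete its run")
    return findings
```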

  9. #19
    Blade81 (Security Expert: Emeritus) - joined Oct 2006, Finland, 25,288 posts

    Hi Tom,

    Seems that ComboFix didn't get far there. Let's see if we can get your system bootable now.


    1. Restart your computer
    2. Enter the recovery console like earlier.
    3. At the C:\Windows prompt, type the following bolded text, and press Enter:

    cd erdnt\subs

    4. At the next prompt, type the following bolded text, and press Enter:

    batch erdnt.con

    5. The erunt backups will begin copying.
    6. At the next prompt, type the following bolded text, and press Enter:

    exit

    Windows will now begin loading. See if you're able to create a fresh DDS log now.

  10. #20
    Member - joined Nov 2009, 70 posts

    No Joy

    Hi Blade,

    I ran the ERUNT Registry Restore as described above...
    from c:\WINDOWS>_

    cd erdnt\subs
    batch erdnt.con
    (appeared to complete successfully - 9 files copied - returned to prompt)
    Then... exit

    Windows began loading and then displayed the same blue screen described in my previous posts.

    Tom
