
Thread: Virtumonde-New Thread-As Per request

  1. #21
    Blade81 (Security Expert; joined Oct 2006; Finland; 25,495 posts)

    Hi,

    Do you get any better results if you run these commands in recovery console:
    cd erdnt\hiv-backup
    batch erdnt.con
    exit
    Microsoft MVP Consumer Security 2008-2013
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  2. #22
    Member (joined Nov 2009; 70 posts)
    Still No Joy

    Hi Blade,
    Thank you for your continuing assistance! Not only does my computer appear to be highly infected, but you must feel like you're leading a blind man!

    From recovery console, I ran

    cd erdnt\hiv-backup
    batch erdnt.con
    exit
    SAME BLUE SCREEN


    I don't know if this will help you but...
    After the "exit", I'm automatically returned to the recovery console for the restart...

    If I wait for the 30 sec countdown timer, or choose Start Windows Normally, I immediately get the same blue screen which consistently displays the following... TECHNICAL INFO
    STOP: 0x0000007B (0xF79FA528, 0xC0000034, 0x00000000, 0x00000000)

    If I choose Start in Safe Mode, it first starts loading a bunch of drivers before the Blue Screen... I've watched this carefully many times now and the Blue Screen appears just after loading ".... C\Windows\system32\Mup.sys"

    Is this info any help to you?

  3. #23
    Blade81 (Security Expert; joined Oct 2006; Finland; 25,495 posts)

    Hi,

    The error code indicates a problem with hard drive controller loading. Please enter recovery console mode again and run the following commands:
    cd\
    cd c:\qoobox\quarantine\c\windows\system32\drivers
    dir


    You should see a list of items there. Check if pciide.sys.vir file (or any with ide in its name) is listed there and let me know about the results.

  4. #24
    Member (joined Nov 2009; 70 posts)
    A new problem

    Now, in trying to enter the Recovery Console... as I did before...

    After entering the #1 to select the only recovery console option...
    1: c\WINDOWS

    Instead of going to the C|WINDOWS>_ prompt

    I get "Type the administrator Password:__"
    Simply pressing enter displays...
    "The Password is Not Valid. Please retype the Password."

    I've never setup an administrator password on this computer and this is the first time I've been asked for a password to get to the recovery console command prompt.

    I still hope you can help!

  5. #25
    Blade81 (Security Expert; joined Oct 2006; Finland; 25,495 posts)

    I've never seen a similar case with the recovery console first not asking and then on another attempt asking for an admin password. See if administrator or admin (with the first letter capitalized or not) works.

    Do you have Windows XP Professional installation media around?

  6. #26
    Member (joined Nov 2009; 70 posts)
    Password Required

    Hi Blade,
    Sorry for the delay in getting back to you. I had Sunday morning activities to attend. I did include you and my infected computer in my prayers.

    I tried the passwords.. "Administrator, administrator, Admin, & admin"
    All invalid!

    Do you think the second set of ERDNT commands...
    cd erdnt\hiv-backup
    batch erdnt.con
    exit

    ...might have set an administrator password? The password request appeared just after running these commands???

    Or perhaps, the infection (after a set period of time or actions) took admin control? I'm just guessing here.

    I do remember that way back in this process... before running any of the initial ERUNT or HJT scans... when I could still boot to Windows XP SAFE mode... I was once asked... while starting up to SAFE MODE... "What user account to log on to": The choices were: ADMINISTRATOR or Tom McNeal (my name). This surprised me back then because I had never set up any Administrator Account or Passwords on this machine. At that time I did try choosing Administrator and when prompted for a password... I simply pressed enter. This was invalid and so I next selected my name as the User account and booted to safe mode.

    I'm sure I have the Windows XP CD (that came with this computer from DELL) but I will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? OR, do you have other ideas to try with the XP CD?

    I look forward to your reply.
    Tom

  7. #27
    Blade81 (Security Expert; joined Oct 2006; Finland; 25,495 posts)

    Hi Tom,

    Do you think the second set of ERDNT commands...
    cd erdnt\hiv-backup
    batch erdnt.con
    exit
    ...might have set an administrator password? The password request appeared just after running these commands???
    That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.

    I'm sure I have the Windows XP CD (that came with this computer from DELL) but I will have to do some digging to find it. Does your question mean we will need to re-format the hard drive and re-install XP??? OR, do you have other ideas to try with the XP CD?
    I was thinking about running the recovery console from XP Professional media. It might be possible to run it that way without a password prompt.

  8. #28
    Member (joined Nov 2009; 70 posts)
    Win XP CD

    I am chatting now with DELL support about getting a WIN XP PRO replacement CD in case I cannot find the one that came with the computer.

  9. #29
    Member (joined Nov 2009; 70 posts)
    Xp cd

    That's something I was wondering too. But both this and the backup we restored earlier should be similar ones.

    The first ERUNT BACK UP Copied 9 Files before returning to the prompt for EXIT.

    The second time 10 Files were copied before the prompt for EXIT.

    Maybe there was an administrator entry in the 10th file copied.

    I was thinking about running recovery console from XP Professional media. It might be possible to run that way without password prompt.

    Would this need to be the same XP CD that came with this particular machine? Or will any Win XP Pro CD work for this.

  10. #30
    Member (joined Nov 2009; 70 posts)
    Update

    Hi Blade,

    I have found my original Dell licensed Windows XP Pro Reinstall CD but I am not sure if this will help us if we can't get into the Recovery Console anyway without entering a correct Administrator Password.

    Another problem might be that the original Dell XP install CD is XP Pro SP1. SP2 and then SP3 were later installed on the problem machine via Microsoft Updates. I remember reading in the ComboFix Instructions that it would install different versions of the Restore Console depending on whether it found SP1 or SP2 / SP3 on the machine.

    I do have another newer Dell machine and also found the XP Pro SP3 install CD for that machine too. But even so, don't you think we'll still have the same problem getting to the Recovery Console Command Prompt without the correct Administrator password? I should also note that this newer Dell machine uses the NTFS file system whereas I think the problem machine uses the FAT32 file system. I don't know if this would cause a problem?

    I do have another theory but cannot check it out until I can get into the Recovery Console or get to a command prompt some other way. Perhaps a Bootable CD? I'm thinking I may have specified a folder other than C:\Windows\erdnt for my ERUNT Registry backup. I think I may have specified c:\Windows\erdnt_A instead; thinking I may wish to create another backup later in C:\Windows\erdnt_B. But I can't remember for sure if I did this or not and cannot check without getting back in to the Recovery Console. If I did save my backup in C:\Windows\erdnt_A, and ran the restore mistakenly from C:\Windows\erdnt, could this have created the Password problem I'm having now?

    I've re-read the ERUNT instructions and emailed Lars Hederer to ask if he might know what's going on. I will let you know what he thinks if and when he replies.

    Any ideas or suggestions you may have will be much appreciated.
    Tom
