
Thread: Virtumonde-New Thread-As Per request

  1. #41
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Ubcd

    Thanks Blade,

    I will prepare the boot CD and let you know when I am ready!

    Tom

  2. #42
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default UBCD Update

    Hi Blade,

    I am having some problems creating the UBCD (errors and warnings during the build). Apparently there are a few known snags and fixes needed when using a Dell XP CD as the build source. I'm getting some help over on the UBCD4WIN forum and will post back here when I get these problems straightened out. I hope you're enjoying the time off! <BG>

    Tom

  3. #43
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Ok. Do you have some friend with non-Dell Win XP Pro SP2 (or 3) media to borrow if creating it with the Dell version fails (better wait for what they say on the UBCD forum, though)?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #44
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Ubcd

    Good morning Blade,

    Yep! I can probably get my hands on a MS XP CD if I don't get the Dell CD to work. I thought it was worth fiddling around with a bit since the machine I'm trying to fix is a Dell too. I'll be back!

    Have a great day! I'm going to bed!
    Tom

  5. #45
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default Ubcd success

    Hello Blade!

    I finally have some good news to report. In fact I have GREAT news to report. I successfully created a UBCD Boot CD. After spending a lot of time and a lot of tries, I eventually gave up on using the DELL XP CD as the build source for the boot CD... too many problems in getting that to work. As you suggested, I borrowed a friend's MS XP CD to use as the source and the CD image file was created successfully on my first attempt. I don't know how familiar you are with the UBCD4WIN program but all I can say is "UBCD4WIN ROCKS!"

    I can now start the problem machine from the CD and can access My Computer, get to all the folders and files on the hard drive, with no passwords, and no more Blue Screens. The boot disk also includes a number of Plugins which make available a number of built-in tools and utilities like ERUNT, HJT, etc. For the first time in two weeks now, I really feel like we may get this computer cleaned up and running again without formatting the drive and starting from scratch.

    I also verified what I think probably caused the problem we had when we tried the ERUNT restore. As I mentioned in a previous post, I did in fact save my original ERUNT registry backup in a subfolder named 11_17_09_A, thinking I may want to try another backup later that day and save it in a folder like 11-17_09_B. So when we restored from C:\Windows\erdnt\subs and then on the second try C:\Windows\erdnt\hiv-subs, we probably restored something other than my backup. I'm guessing we may have restored an ERUNT sample registry (with an Administrator Password) which normally would have been overwritten by my own backup had I put it in the right folder. Does this make sense?

    I am ready to proceed again with your guidance and do look forward to your next reply!

    Also, if you wouldn't mind... Can you explain why, when we first started out, we didn't begin by doing a regular Window System Restore to a point prior to the date of infection? I've been wondering about that all along.

    Tom

  6. #46
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Good to hear that you got the media created.

    I also verified what I think probably caused the problem we had when we tried the ERUNT restore. As I mentioned in a previous post, I did in fact save my original ERUNT registry backup in a subfolder named 11_17_09_A, thinking I may want to try another backup later that day and save it in a folder like 11-17_09_B. So when we restored from C:\Windows\erdnt\subs and then on the second try C:\Windows\erdnt\hiv-subs, we probably restored something other than my backup. I'm guessing we may have restored an ERUNT sample registry (with an Administrator Password) which normally would have been overwritten by my own backup had I put it in the right folder. Does this make sense?
    It's probably the correct one. Anyway, we may give one of those another try if needed.

    Can you explain why, when we first started out, we didn't begin by doing a regular Windows System Restore to a point prior to the date of infection?
    We didn't restore to an older point because those seldom work. Usually the infection has rendered them useless and the symptoms won't disappear.


    Now that you have access to the hard drive contents, could you check the c:\qoobox\quarantine\c\windows\system32\drivers folder to see if there's a pciide.sys.vir file there?

  7. #47
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default vir files

    Hi Blade,

    Yep! I checked that folder for the file (pciide.sys.vir) and it is there.

    There is also another file there too (fad.sys.vir).

  8. #48
    Member
    Join Date
    Nov 2009
    Posts
    70

    Default More vir files

    Blade...

    In checking other c:\qooboxquarantine/...subfolders, I see quite a few files with the ".vir" extension.

    Tom

  9. #49
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi

    Click Start -> Run, type cmd.exe and press Enter to access the command prompt. Then type the following command there:
    Code:
    copy /y c:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir c:\windows\system32\drivers\pciide.sys
    Verify that the output says 1 file(s) copied and, if it does, reboot the system and see if it can start normally now.
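The one-file restore above, as an added example that is not part of the thread or of ComboFix's own tooling: it assumes the quarantine layout visible in the thread (c:\qoobox\quarantine\c\... mirrors c:\..., with .vir appended to each file name), a PowerShell 4 or later host with the affected drive mounted, and the parameter names shown are my own.

```powershell
# Restore a single ComboFix-quarantined file from C:\qoobox\quarantine to its
# original location and verify the copy. Hypothetical helper for this thread;
# assumes the quarantine mirrors the original drive path and appends ".vir".
param(
    [string]$QuarantineRoot = 'C:\qoobox\quarantine',
    [string]$Name = 'pciide.sys'
)

# Map a quarantined path back to the original one, e.g.
#   C:\qoobox\quarantine\c\windows\system32\drivers\pciide.sys.vir
#   -> C:\windows\system32\drivers\pciide.sys
function Get-OriginalPath([string]$QuarantinedPath, [string]$Root) {
    $rel = $QuarantinedPath.Substring($Root.TrimEnd('\').Length + 1)  # c\windows\...\pciide.sys.vir
    $drive, $rest = $rel -split '\\', 2
    $rest = $rest -replace '\.vir$', ''
    return "$($drive.ToUpper()):\$rest"
}

# Inventory every quarantined item and where it originally lived.
$items = Get-ChildItem -Path $QuarantineRoot -Recurse -Filter '*.vir' -File |
    ForEach-Object {
        [pscustomobject]@{
            Quarantined = $_.FullName
            Original    = Get-OriginalPath $_.FullName $QuarantineRoot
        }
    }
$items | Format-Table -AutoSize

# Restore only the requested file, never the whole quarantine: most .vir
# entries are the genuinely malicious items ComboFix removed.
$target = @($items | Where-Object { (Split-Path $_.Original -Leaf) -ieq $Name })
if ($target.Count -eq 0) { throw "No quarantined copy of $Name found under $QuarantineRoot" }
if ($target.Count -gt 1) { throw "Ambiguous: $($target.Count) quarantined copies of $Name" }
$target = $target[0]

Copy-Item -LiteralPath $target.Quarantined -Destination $target.Original -Force

# Verify byte-for-byte rather than trusting the "1 file(s) copied" message.
$src = (Get-FileHash -LiteralPath $target.Quarantined -Algorithm SHA256).Hash
$dst = (Get-FileHash -LiteralPath $target.Original   -Algorithm SHA256).Hash
if ($src -ne $dst) { throw "Restore of $Name failed hash check" }
"Restored $($target.Original) (SHA256 $dst)"
```

Run it from an elevated prompt on the repaired system (or a rescue environment that has PowerShell); the inventory table is useful on its own for deciding which, if any, quarantined driver was a legitimate file.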

  10. #50
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    In checking other c:\qooboxquarantine/...subfolders, I see quite a few files with the ".vir" extension.
    That's normal. There are really bad items deleted there too.
