I mean this.
Also, system restore and recovery console are not the same thing.
Last edited by Blade81; 2009-11-21 at 01:28.
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
Thanks Blade,
I will look at the link you provided and also try rebooting to last known good config. I can't do this right now as today is my wife's birthday and we're heading out to eat. I will get back on this again in a couple of hours and post what happens. I do appreciate your assistance.
Hi Blade81,
I do not have any good news.
I cannot restart in NORMAL or SAFE MODE or to LAST KNOWN GOOD CONFIGURATION. RESULT = Same Blue screen
If I restart with the F8 key, then select START NORMALLY, SAFE MODE or LAST GOOD CONFIG, and then select Microsoft Windows Recovery Mode, I come to a selection screen labeled Microsoft Windows XP Recovery Console which asks me "Which Windows installation would you like to log on to?"
There is only one choice...
1: C:\Windows
Pressing #1 and then Enter I come to a black screen with a Dos Prompt...
C:\WINDOWS>_
Once there, I ran...
1. chkdsk c: with no switch - RESULT= Volume appears good and was not checked
2. chkdsk c: /p - RESULT = Chkdsk ran to 25% then slowly to about 50% then a bit faster to 75% and then quit and reported results. (The Drive is about 75% full)
3. Then ran chkdsk c: /r - RESULT = Chkdsk ran OK to about 50% then slowly to 75% and returned to 50% and again slowly to 75% and back to 50%. I then powered off.
Still can not boot to any Windows XP mode except the Black Screen DOS Prompt when pressing F8 while restarting then selecting NORMAL, SAFE, or LAST KNOWN GOOD CONFIG, and then choosing Windows Recovery Console.
Do you think I will ever be able to restart Windows XP again?
Perhaps with...
...the ERUNT Registry Backup?
...the ComboFix Registry Backup?
...any other means?
Or am I doomed to reformatting this hard drive and reinstalling everything?
I look forward to your guidance and suggestions.
TomZT
Hi,
We'll try to restore things back. First I'd like to know if you have a flash memory to transfer c:\ComboFix.txt file (if it's present) from infected system?
This can be done by entering recovery console (like you did earlier) and entering the following commands (press enter after each one); f: is the usb drive letter here (it may be different in your system):
set allowallpaths = true
set allowallremovablemedia = true
copy c:\combofix.txt f:\combofix.txt
Hi Blade,
I will try your suggestion... But first I have a couple of questions...
What method should I use to get to the Recovery Console...
F8 when Booting, then SAFE MODE, Then Recovery Console?
F8 when Booting, then NORMAL MODE, Then Recovery Console?
or, F8 when Booting, then LAST GOOD CONFIG MODE, Then Recovery Console?
I have several mapped network drives on this computer but I'm not sure what drive letters have been assigned to them. Is there any way I can, from the Recovery Console, determine the correct letter for the Flash Drive?
I await your reply.
Tom
When the system reboots you should have two options to choose from (those will appear for a couple of seconds):
Microsoft Windows XP Recovery Console
Windows XP Professional
Choose recovery console. You could copy some dummy test file to your flash drive (create an empty test.txt file with Notepad, for example) and then in recovery console, after entering those two set commands instructed in my previous post, use the command dir <drive letter>, e.g. dir f:, and see which one lists the test.txt file.
I created a test.txt file on another machine and saved it to a flash drive. Then plugged the flash drive into the infected machine.
Then entered the Recovery Console...
C:\WINDOWS>_
The first command: set allowallpaths = true (this worked fine)
The second command: set allowallremoveablemedia = true (this did not - bad parameter). After using the DOS command (HELP - /?) feature, I modified your parameter slightly, and tried: set allowremovablemedia = true (this seemed to work fine).
The ONLY GOOD NEWS SO FAR is, after the above commands, I discovered that Combofix did create a ComboFix.txt file; however the file was actually located in C:\ComboFix\combofix.txt (361 bytes) rather than in the C:\ (root directory).
So then I entered your third command (modified slightly):
copy c:\combofix\combofix.txt f:\combofix.txt (this did not work - NO floppy or CD in drive).
Trying to find the correct drive letter for the Flash Drive, I tried...
dir f: - (this did not work - No floppy or CD in drive) Then...
dir g: - dir h: - dir h: - etc. - on through: dir z: (this did not work - All reported invalid path or file)
So the ComboFix.txt file is in there, I just need to find out how to get it out! Any more suggestions?
I remembered from my old DOS days the commands Print or LPrint.... Couldn't find any help on those commands but searching further in the DOS command help feature, I re-discovered that I could use the type command to display a text file on-screen. So I entered...
type c:\combofix\combofix.txt
Here (re-typed by hand) are the contents of the ComboFix.txt file...
-------------------------------------------------------------------------
ComboFix 09-11-20.01 - Tom McNeal 11-20-2009 16:06:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.766.360 [GMT -6:00]
Running from: C:\Documnets and Settings\Tom McNeal\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
-------------------------------------------------------------------------
I sure hope this helps Blade!
Hi Tom,
Seems that ComboFix didn't get far there. Let's see if we can get your system bootable now.
1. Restart your computer
2. Enter the recovery console like earlier.
3. At the C:\Windows prompt, type the following bolded text, and press Enter:
cd erdnt\subs
4. At the next prompt, type the following bolded text, and press Enter:
batch erdnt.con
5. The erunt backups will begin copying.
6. At the next prompt, type the following bolded text, and press Enter:
exit
Windows will now begin loading. See if you're able to create a fresh DDS log now.
Hi Blade,
I ran the ERUNT Registry Restore as described above...
from c:\WINDOWS>_
cd erdnt\subs
batch erdnt.con
(appeared to complete successfully - 9 files copied - returned to prompt)
Then... exit
Windows began loading and then displayed the same blue screen described in my previous posts.
Tom