I looked into the system volume information to find out the date of the registry backup. The date on the files was 2/15/2010 at 2:33pm. This is after combofix was run. There doesn't seem to be a restore point prior to combofix. Does combofix store registry backup files anywhere else?
Hi jezzzzy.
From my first post to you: "There is much data on this computer that I do not want to lose."
This is exactly why you are advised to back everything up before we start. Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
Because of this, I advise you to backup any personal files and folders before you start.
This is the last option for invoking the CF backups if you want to try.
Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start
Use the up and down arrow keys to select Microsoft Windows Recovery Console
You must enter which Windows installation to log onto. Type 1 and press Enter
At the C:\Windows prompt, type the following bolded text, and press Enter:
DISABLE CAERF
At the next prompt, type the following bolded text, and press Enter:
DISABLE RESTORE
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\CONFIG
At the next prompt, type the following bolded text, and press Enter:
REN LSASS.EXE LSASS.EXE.VIR
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\SYSTEM32\DRIVERS
At the next prompt, type the following bolded text, and press Enter:
REN RESTORE.SYS RESTORE.SYS.VIR
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\ERDNT
At the next prompt, type the following bolded text, and press Enter:
BATCH CFRECOVERY.BAT
At the next prompt, type the following bolded text, and press Enter:
BATCH CFUNDO.DAT (Ignore if there's any error messages)
At the next prompt, type the following bolded text, and press Enter:
CD C:\COMBOFIX
At the next prompt, type the following bolded text, and press Enter:
TYPE DREV.DAT
At the next prompt, type the following bolded text, and press Enter:
TYPE SVCTARGET.DAT
At the next prompt, type the following bolded text, and press Enter:
TYPE NDIS_LOG.DAT
At the next prompt, type the following bolded text, and press Enter:
EXIT
Windows should now begin loading.
Hi jezzzzy.
How's it going, any progress?
Getting some errors on the commands you listed.
On the "Disable CAERF" command and the "Disable RESTORE" commands I get a message that says "The registry entry for the caerf (or restore) service cannot be located."
Neither the LSASS.exe nor the restore.sys file can be found, so I can't rename them.
When I run the BATCH CFRECOVERY.BAT command I get a response that the SET command is currently disabled.
Should I continue running the commands you listed?
Hi jezzzzy.
After consulting an expert, it seems you have a corrupt/damaged hdd controller infection.
Here is the link to the MS article How to recover from a corrupt registry.
Your only choice is to try that procedure to try and recover your data, then reformat your computer. This procedure does not guarantee full recovery of the system to a previous state; however, you should be able to recover data when you use this procedure.
Sorry the news is not better.
Let me know how things go.
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Thank you Cypher.
Microsoft MVP Reconnect 2018-
Windows Insider MVP 2016-2018
Microsoft Consumer Security MVP 2006-2016