Cypher
Visiting Fellow
Thats what we were trying do do restore the registry to before CF was run.
But everything we tried failed. Did you try doing a repair install?
Malware/Virus won't stay gone
- Thread starter jezzzzy
- Start date
But everything we tried failed. Did you try doing a repair install?
I looked into the system volume information to find out the date of the registry backup. The date on the files was 2/15/2010 at 2:33pm. This is after combofix was run. There doesn't seem to be a restore point prior to combofix. Does combofix store registry backup files anywhere else?
Cypher
Visiting Fellow
Hi jezzzzy.
This is the last option for invoking the CF backups if you want to try.
Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start
Use the up and down arrow key to select Microsoft Windows Recovery Console
You must enter which Windows installation to log onto. Type 1 and press enter
At the C:\Windows prompt, type the following bolded text, and press Enter:
DISABLE CAERF
At the next prompt, type the following bolded text, and press Enter:
DISABLE RESTORE
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\CONFIG
At the next prompt, type the following bolded text, and press Enter:
REN LSASS.EXE LSASS.EXE.VIR
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\SYSTEM32\DRIVERS
At the next prompt, type the following bolded text, and press Enter:
REN RESTORE.SYS RESTORE.SYS.VIR
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\ERDNT
At the next prompt, type the following bolded text, and press Enter:
BATCH CFRECOVERY.BAT
At the next prompt, type the following bolded text, and press Enter:
BATCH CFUNDO.DAT (Ignore if there's any error messages)
At the next prompt, type the following bolded text, and press Enter:
CD C:\COMBOFIX
At the next prompt, type the following bolded text, and press Enter:
TYPE DREV.DAT
At the next prompt, type the following bolded text, and press Enter:
TYPE SVCTARGET.DAT
At the next prompt, type the following bolded text, and press Enter
TYPE NDIS_LOG.DAT
At the next prompt, type the following bolded text, and press Enter:
EXIT
Windows should now begin loading.
From my first post to you.
This is exactly why you are advised to back everything up before we start.
This is the last option for invoking the CF backups if you want to try.
Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start
Use the up and down arrow key to select Microsoft Windows Recovery Console
You must enter which Windows installation to log onto. Type 1 and press enter
At the C:\Windows prompt, type the following bolded text, and press Enter:
DISABLE CAERF
At the next prompt, type the following bolded text, and press Enter:
DISABLE RESTORE
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\CONFIG
At the next prompt, type the following bolded text, and press Enter:
REN LSASS.EXE LSASS.EXE.VIR
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\SYSTEM32\DRIVERS
At the next prompt, type the following bolded text, and press Enter:
REN RESTORE.SYS RESTORE.SYS.VIR
At the next prompt, type the following bolded text, and press Enter:
CD C:\WINDOWS\ERDNT
At the next prompt, type the following bolded text, and press Enter:
BATCH CFRECOVERY.BAT
At the next prompt, type the following bolded text, and press Enter:
BATCH CFUNDO.DAT (Ignore if there's any error messages)
At the next prompt, type the following bolded text, and press Enter:
CD C:\COMBOFIX
At the next prompt, type the following bolded text, and press Enter:
TYPE DREV.DAT
At the next prompt, type the following bolded text, and press Enter:
TYPE SVCTARGET.DAT
At the next prompt, type the following bolded text, and press Enter
TYPE NDIS_LOG.DAT
At the next prompt, type the following bolded text, and press Enter:
EXIT
Windows should now begin loading.
Getting some errors on the commands you listed.
On the "Disable CAERF" command and the "Disable RESTORE" commands I get a message that says "The registry entry for the caerf (or restore) service cannot be located."
Neither LSASS.exe nor restore.sys files can be found. So I can't rename them.
When I run the BATCH CFRECOVERY.BAT command I get a response that the SET command is currently disabled.
Should I continue running the commands you listed?
On the "Disable CAERF" command and the "Disable RESTORE" commands I get a message that says "The registry entry for the caerf (or restore) service cannot be located."
Neither LSASS.exe nor restore.sys files can be found. So I can't rename them.
When I run the BATCH CFRECOVERY.BAT command I get a response that the SET command is currently disabled.
Should I continue running the commands you listed?
Cypher
Visiting Fellow
Hi jezzzzy.
After consulting an expert it seems you have a curupt/damaged hdd controller infection.
Here is the link to the MS article How to recover from a corrupt registry.
Sorry the news is not better :sad:
Let me know how things go.
After consulting an expert it seems you have a curupt/damaged hdd controller infection.
Here is the link to the MS article How to recover from a corrupt registry.
Your only choice is to try that procedure to try and recover your data then reformat your computer.
Sorry the news is not better :sad:
Let me know how things go.
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
