Virtumonde

Yes, that should work too.

Please try this:

1. Insert Windows Install disc to boot from CD.
2. Press any key on the keyboard when prompted.
3. Press R to load the Recovery Console.
4. Enter your password when prompted.
5. You must enter which Windows installation to log onto. Type 1 and press enter.
6. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

7. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

8. The erunt backups will begin copying.
9. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.
 
In that case the situation doesn't look good.

Out of curiosity, is SP3 the final version (according to the HijackThis log it looks like RC2 to me, which could explain the problems), and did ComboFix suggest installing the Recovery Console when you ran it?
 
I'm pretty sure I had the final version of SP3, though I'm not completely 100% sure. Also, ComboFix did NOT suggest that I install recovery console. I found this strange considering the report it produced said I didn't have it installed.
 
Yes, according to your HijackThis log SP3 is Release Candidate 2, which might explain why ComboFix didn't suggest installing RC.

Please attempt to boot from CD next.
 
Ok, so I tried a system recovery using an SP2 CD and now I'm back to where I was with the first BSOD STOP. Same error. Maybe if I use an SP3 CD lol.
 
I mean change the boot order in the BIOS so that the CD/DVD drive is first, insert the CD and reboot.

Tell me if you are able to boot that way.
 
Using the Windows CD? I can do that using the Kubuntu CD, but not with the Windows CD. The Windows CD takes me to Windows Setup, which is what I've been doing all this time (trying to use system restore and repair console).
 
I see.

Let's then try this.

Using the Kubuntu CD, please back up these hives (in c:\windows\system32\config; copy them to some other folder which you can find easily later if needed):

security
system
software
sam
default

Then copy the same hives from C:\Windows\repair to the c:\windows\system32\config folder and choose yes if asked to overwrite.

Try to reboot without any CD and let me know how it went.
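The hive backup-and-restore steps above as an added shell script (example code, not from this thread), meant to be run from the Kubuntu live CD; the Windows directory it takes as its first argument is an assumed mount point such as /media/windows/WINDOWS:

```shell
#!/bin/sh
# Added example, not from the thread: back up the live registry hives, then
# replace them with the copies Windows keeps in \repair. Assumes the Windows
# partition is mounted read/write and you pass its Windows directory.

HIVES="security system software sam default"

# find_in <dir> <name> <f|d>: case-insensitive lookup one level deep, because
# NTFS names on XP mix case (SAM, SECURITY, system, ...). Prints a path or nothing.
find_in() {
    if [ -d "$1" ]; then
        find "$1" -maxdepth 1 -type "$3" -iname "$2" | head -n 1
    fi
}

# restore_repair_hives <windows_dir> <backup_dir>
#   1. verifies every hive exists in <windows_dir>/repair before touching anything
#   2. copies each live hive from system32/config into <backup_dir>
#   3. only then overwrites it with the copy from repair
# A hive missing from the live config (the deleted SAM in the thread) is
# reported and simply restored from repair.
restore_repair_hives() {
    win=$1; backup=$2
    sys32=$(find_in "$win" system32 d)
    config=$(find_in "$sys32" config d)
    repair=$(find_in "$win" repair d)
    if [ -z "$config" ] || [ -z "$repair" ]; then
        echo "system32/config or repair not found under $win" >&2; return 1
    fi
    for h in $HIVES; do
        if [ -z "$(find_in "$repair" "$h" f)" ]; then
            echo "repair copy of $h missing; nothing changed" >&2; return 1
        fi
    done
    mkdir -p "$backup" || return 1
    for h in $HIVES; do
        live=$(find_in "$config" "$h" f)
        src=$(find_in "$repair" "$h" f)
        if [ -n "$live" ]; then
            cp "$live" "$backup/" || return 1        # our own safety copy first
        else
            echo "live hive $h is absent; restoring it from repair" >&2
        fi
        # keep the existing file name; fall back to the repair file's name
        cp "$src" "$config/$(basename "${live:-$src}")" || return 1
    done
    echo "hives restored; backup in $backup"
}
```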
 
The computer looked like it was going to start but then restarted. I think it's still getting the BSOD but is restarting instead of showing it due to settings reset. I noticed something interesting though. The BSOD produced by my computer is the same BSOD used by some programs to force reboot when trying to remove Vundo/Virtumonde. Perhaps the ComboFix restart flag is still in effect?
 
HOWEVER, it seems that somehow my sam file got deleted and moving the backup sam over seems to have fixed this as the recovery console now asks for a password. I can log in. I'm going to try what you suggested to do earlier in the recovery console.
 
Ugh. Still getting Access is denied when I try to batch erdnt.con. I'm going to examine the contents of erdnt.con in Kubuntu and see if it's something I can do manually.
 
Actually it is not 100% the same, as the backup isn't the same. That one restores the registry backup taken by ComboFix, and we restored the registry backup taken by Windows.

So can you now log in normally to Windows, or just to the Recovery Console?
 
I'll do a bit of research next.

In the meantime I suggest that you back up the most important files etc. via Kubuntu, just in case we can't restore the ability to boot.
 