
Infected; MBAM Being Deleted


71 replies to this topic

#1
ent

    Regular Member

  • Honorary Members
  • 54 posts
My symptoms have been:

* spontaneous popups
* cannot run MBAM because mbam.exe doesn't exist
* after un- and re-installing MBAM, mbam.exe still doesn't exist
* get "error loading c:\windows\system32\dorugeba.dll" message on boot
* cannot boot to safe mode with networking -- get blue screen of death
* got one BSOD when running normally

Your help is appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:07 AM, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\PROGRA~1\RCrawler\RCrawler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\CapsUnlock\CapsUnlock.exe
C:\Program Files\FlashTray Pro\FlashTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RootkiRevealer\RootkitRevealer.exe
C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\EVBYUMDVDYTQ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Firefox\firefox.exe
C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [surezadil] Rundll32.exe "c:\windows\system32\dorugeba.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: Alarm.lnk = C:\Program Files\Alarm\Alarm.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Alarm.lnk = C:\Program Files\Alarm\Alarm.exe (User 'Default user')
O4 - .DEFAULT Startup: CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe (User 'Default user')
O4 - .DEFAULT Startup: FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe (User 'Default user')
O4 - Startup: Alarm.lnk = C:\Program Files\Alarm\Alarm.exe
O4 - Startup: CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe
O4 - Startup: FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.netflix.com
O15 - Trusted Zone: *.pandora.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177138576847
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177467272937
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
O20 - AppInit_DLLs: mijoroso.dll c:\windows\system32\dorugeba.dll
O21 - SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll (file missing)
O23 - Service: 0258161238559076mcinstcleanup - - (no file)
O23 - Service: 0327391238561196mcinstcleanup - - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EVBYUMDVDYTQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\EVBYUMDVDYTQ.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LW - Unknown owner - C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\LW.exe (file missing)
O23 - Service: mcmscsvc - Unknown owner - (no file)
O23 - Service: McNASvc - Unknown owner - (no file)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11932 bytes
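As an added example (not part of this thread, and not code from HijackThis or Malwarebytes), the script below runs a few defender-side heuristics over a subset of the HijackThis lines posted above: a `Shell=` value that names more than `Explorer.exe`, a populated `AppInit_DLLs` entry, a Run key that loads a DLL through rundll32, services running from a Temp directory, and one DLL referenced from several autostart sections at once. The heuristics, thresholds and function names are this example's own assumptions; the sample lines are copied from the log above.

```python
"""Triage a HijackThis log for autostart entries worth a closer look.

Added example for this thread; it is not part of the forum post or of
HijackThis. The heuristics below are this example's own assumptions, chosen
to surface the kind of entries a helper reviews first (AppInit_DLLs, a
modified Shell= value, rundll32-launched DLLs, services in Temp, and one DLL
referenced from several autostart sections).
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines from the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [surezadil] Rundll32.exe "c:\windows\system32\dorugeba.dll",a
O20 - AppInit_DLLs: mijoroso.dll c:\windows\system32\dorugeba.dll
O21 - SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll (file missing)
O23 - Service: EVBYUMDVDYTQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\EVBYUMDVDYTQ.exe
O23 - Service: LW - Unknown owner - C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\LW.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Matches a DLL name or path such as mijoroso.dll or c:\windows\system32\dorugeba.dll
DLL_RE = re.compile(r"[\w~:\\.-]+\.dll", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body) pairs for each entry line, e.g. ('O20', 'AppInit_DLLs: ...')."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (section, reason) findings for entries matching the heuristics."""
    findings = []
    dll_refs = defaultdict(set)  # DLL basename -> sections that reference it
    for section, body in parse_entries(log_text):
        lower = body.lower()
        for dll in DLL_RE.findall(body):
            dll_refs[dll.rsplit("\\", 1)[-1].lower()].add(section)
        if section == "F2" and "shell=" in lower:
            shell = re.split(r"shell=", body, 1, flags=re.IGNORECASE)[1].strip()
            if shell.lower() != "explorer.exe":  # anything beyond Explorer.exe is an extra shell
                findings.append((section, f"extra shell executable: {shell}"))
        elif section == "O20" and "appinit_dlls:" in lower:
            value = body.split(":", 1)[1].strip()
            if value:  # AppInit_DLLs is normally empty on a clean XP system
                findings.append((section, f"AppInit_DLLs populated: {value}"))
        elif section in ("O21", "O22") and "(file missing)" in lower:
            findings.append((section, f"{body.split(' - ')[0]} points at a missing file"))
        elif section == "O4" and "rundll32" in lower and ".dll" in lower:
            findings.append((section, f"Run key loads a DLL via rundll32: {body}"))
        elif section == "O23" and "\\temp\\" in lower:
            findings.append((section, f"service runs from a Temp directory: {body}"))
    # A DLL wired into several autostart sections at once is a strong persistence signal.
    for dll, sections in sorted(dll_refs.items()):
        if len(sections) >= 2:
            joined = ", ".join(sorted(sections))
            findings.append(("XREF", f"{dll} referenced by {len(sections)} autostart sections: {joined}"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```

Run it against a full log saved from HijackThis by reading the file into `triage()`; the cross-reference finding is the most useful one, since a single DLL appearing under O4, O20, O21 and O22 is far more telling than any one line on its own.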

#2
IndiGenus

    True Member

  • Experts
  • 359 posts
  • Location:New England, USA
Hello ent and welcome to the forums here at MalwareBytes.

Looks like another Vundo infection, along with maybe some other stuff.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
--
The help you receive here is free, but if you would like to help me continue the fight against Malware then [image]

"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

#3
ent

I followed your instructions and Combofix did some things, then said that it needed to reboot, and upon restart I got the blue screen of death. Now I'm unable to boot up at all. I get the BSoD, no matter how I try to start (normal, last known good, safe, safe with networking, safe with command prompt). What now?

#4
IndiGenus

Sorry to hear of your trouble. The Malware that you have on your system has done some serious damage. You were already getting some BSODs before running combofix. Let's see if we can at least bring you back to that point.

Did you allow combofix to install the recovery console? Or do you know if it's installed? Also, do you have your original XP install disk?

#5
ent

The recovery console was already installed. I forgot to mention that I tried to boot up with the recovery option and got the same result. Yes, I should have the install disk somewhere.

#6
IndiGenus

Hi ent,

At the beginning of combofix's routine it backs up the current state of the registry. Hopefully this will get us back to the state you were in before you ran it.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Hopefully Windows will now begin loading.

Let me know how this works and we'll go from there.

EDIT: for minor typo

#7
ent

When I run the recovery console on startup, I get the blue screen before I see any options.

#8
IndiGenus

If you have the XP CD I would like to try from that. If it BSODs off the CD then that would point to a potential hardware issue.

1. Insert Windows Install disc to boot from CD.
2. Press any key on the keyboard when prompted.
3. Press R to load the Recovery Console.
4. Enter your password when prompted.
5. You must enter which Windows installation to log onto. Type 1 and press enter.
6. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

7. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

8. The erunt backups will begin copying.
9. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading (hopefully).

#9
ent

I was able to boot from CD and run the recovery console. I found what appeared to be the backup in erdnt\Hiv-backup. There was no erdnt\subs. I ran the batch command and it said that it was copying files. But when I restart, I still the the blue screen.

While I was there, I ran a chkdsk /P and it reported that there were errors. I did not run chkdsk /F to fix them.

#10
ent

(I meant to say "I still get the blue screen".)

#11
IndiGenus

Nice job, sounds like you have some good PC background/skills there.

I would advise that you go ahead and run chkdsk with the /f switch to fix any bad sectors.

In the meantime I will check in with some other experts to find out if we have any other options here if that doesn't work.

#12
ent

I've been a software engineer for 30+ years, so I've learned a few things.

I ran chkdsk /r and it ran for a long time, but didn't seem to find any errors. At least, it didn't report any and when it was done, it didn't list any bad sectors in the totals. I don't know if this means that it successfully fixed errors or it didn't find any.

I'm still getting the blue screen.

#13
IndiGenus

Not sure how much this will help me but what is the BSOD message you get? If any? I'm thinking next thing to try would be a repair install to see if you can get back into the OS. Do you have backups for this PC?

Even if we can get back in it sounds like there was some damage done already and I'm not exactly sure what combofix did there. I'll see if I can get some experts to look in on it here but we don't have much information.

#14
ent

I don't know how much detail you want, but I've transcribed the whole thing below. By the way, this is a Dell computer and there are scads of hardware diagnostics built in that I can get to by pressing F12 on boot. I've been running a variety of them and haven't found anything amiss yet.

Regarding backups, I happened to do one a few days ago.

-----

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps.

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F for hard drive corruption and then restart your computer.

Technical information:

*** STOP: 0x0000007B (0xF791F524,0xC0000034,0x00000000,0x00000000)

#15
ent

I'm heading for bed now. Thanks for all your help.

#16
IndiGenus

ent, on Nov 9 2009, 01:07 AM, said:

I'm heading for bed now. Thanks for all your help.
Me too....I'll check in with you tomorrow.

#17
ent

Good morning.

I'm wondering about something that I noticed with the "erdnt" files. I see that there is a Users directory which has copies of some of the registry files. And I see that there is an ERDNT.INF and an ERDNT.CON, which appear to be different ways to restore system files. The latter is what you had me batch submit but it doesn't contain any references to the Users directory files. The former .inf file does have references to the Usr files. Could this be a possible reason for the failure to restore my system to its previous state of affairs, i.e., is it failing to restore the Usr files?

I suspect that this is a big red herring, but I thought I should ask.

#18
IndiGenus

Good morning ent,

I have several thoughts going on here. I would really like to be able to at least get back to the point of booting to the OS here. Although I do think that even if we accomplish that the "long term" fix will be to rebuild the OS. As you have very recent backups (good for you) this shouldn't be too much of a problem.

It's up to you as to how far you want to take this. If I were dealing with someone of lesser background and ability I would be reluctant to try too much here, but it's pretty obvious you know your stuff.

The research I did on that BSOD code indicates it may be an issue with the boot sector, which then leads me to think the malware got to the boot sector.

One option would be to run MS boot sector utilities from the RC, but that is very risky and may just do us in.

Another thought is to run a live CD/DVD. I had one live repair I did several months back that was an unbootable PC (BSOD) where the DrWeb live CD was able to get us back into the OS. It ended up being Virut along with all kinds of other nasty stuff so I just rebuilt the OS, but at least I was able to get in and back up the data for the customer (they had no backups).

It appears the download for the DrWeb CD is not up at the moment, but I'll look into it.

Tell me what your thoughts are on this and how far you would like to take this.

#19
IndiGenus

ent, on Nov 9 2009, 10:58 AM, said:

Good morning.

I'm wondering about something that I noticed with the "erdnt" files. I see that there is a Users directory which has copies of some of the registry files. And I see that there is an ERDNT.INF and an ERDNT.CON, which appear to be different ways to restore system files. The latter is what you had me batch submit but it doesn't contain any references to the Users directory files. The former .inf file does have references to the Usr files. Could this be a possible reason for the failure to restore my system to its previous state of affairs, i.e., is it failing to restore the Usr files?

I suspect that this is a big red herring, but I thought I should ask.
Sorry, forgot to address this in my last post. Don't think that's it, as my understanding is the cf routine pulls out whatever needs to be.

#20
ent

I'm not really sure. I don't know what rebuilding the OS means. I would prefer to try to repair the system than resort to backups for a few reasons:

The C: drive is partitioned into several logical drives and they are not all backed up.

I've never had to restore anything, so I don't feel 100% confident in the reliability of the backup. If we reformat the hard drive and there's anything wrong with the backup or there are complications with getting it to restore, then I'm in trouble. My next newest backup is from months ago.

The backup is on an external drive which I had purchased two of, for added security by redundancy. When I pulled one of them out to do the recent backup, it was non-functional for no good reason. I had only used it a few times. The other one is almost the same model, which has me a little concerned about its reliability.

You mentioned that you were going to talk to some experts. Did you do that? What did they suggest?
