
Infected; MBAM Being Deleted


ent


My symptoms have been:

* spontaneous popups

* cannot run MBAM because mbam.exe doesn't exist

* after un- and re-installing MBAM, mbam.exe still doesn't exist

* get "error loading c:\windows\system32\dorugeba.dll" message on boot

* cannot boot to safe mode with networking -- get blue screen of death

* got one BSOD when running normally

Your help is appreciated!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:04:07 AM, on 11/8/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe

C:\PROGRA~1\RCrawler\RCrawler.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

C:\Program Files\CapsUnlock\CapsUnlock.exe

C:\Program Files\FlashTray Pro\FlashTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\RootkiRevealer\RootkitRevealer.exe

C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\EVBYUMDVDYTQ.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Firefox\firefox.exe

C:\Documents and Settings\Bill Entwistle\Desktop\winlogin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070418

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

F2 - REG:system.ini: Shell=Explorer.exe logon.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [surezadil] Rundll32.exe "c:\windows\system32\dorugeba.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - S-1-5-18 Startup: Alarm.lnk = C:\Program Files\Alarm\Alarm.exe (User 'SYSTEM')

O4 - S-1-5-18 Startup: CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe (User 'SYSTEM')

O4 - S-1-5-18 Startup: FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Alarm.lnk = C:\Program Files\Alarm\Alarm.exe (User 'Default user')

O4 - .DEFAULT Startup: CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe (User 'Default user')

O4 - .DEFAULT Startup: FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe (User 'Default user')

O4 - Startup: Alarm.lnk = C:\Program Files\Alarm\Alarm.exe

O4 - Startup: CapsUnlock.lnk = C:\Program Files\CapsUnlock\CapsUnlock.exe

O4 - Startup: FlashTray.lnk = C:\Program Files\FlashTray Pro\FlashTray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.netflix.com

O15 - Trusted Zone: *.pandora.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177138576847

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177467272937

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

O20 - AppInit_DLLs: mijoroso.dll c:\windows\system32\dorugeba.dll

O21 - SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll (file missing)

O23 - Service: 0258161238559076mcinstcleanup - - (no file)

O23 - Service: 0327391238561196mcinstcleanup - - (no file)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: EVBYUMDVDYTQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\EVBYUMDVDYTQ.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LW - Unknown owner - C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\LW.exe (file missing)

O23 - Service: mcmscsvc - Unknown owner - (no file)

O23 - Service: McNASvc - Unknown owner - (no file)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--

End of file - 11932 bytes
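Added example, not part of the thread: a small triage script that applies the checks a forum helper would make by eye to HijackThis lines like the ones in the log above (Shell= in system.ini running something besides Explorer.exe, a populated AppInit_DLLs, SSODL/SharedTaskScheduler entries, autostarts whose file is missing, services running from a Temp directory, Run keys that load a DLL through rundll32). The sample lines are copied from the log; the rule set and function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted above,
# plus two benign lines so the script has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [surezadil] Rundll32.exe "c:\windows\system32\dorugeba.dll",a
O20 - AppInit_DLLs: mijoroso.dll c:\windows\system32\dorugeba.dll
O21 - SSODL: pirovebob - {04d7d960-4f27-46d5-93ed-16ca2147be51} - c:\windows\system32\dorugeba.dll (file missing)
O23 - Service: EVBYUMDVDYTQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\BILLEN~1\LOCALS~1\Temp\EVBYUMDVDYTQ.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# (HJT section code, reason, offending line)
Finding = Tuple[str, str, str]


def _shell_value(line: str) -> str:
    """Return the value after 'Shell=' in an F2 system.ini line, or ''."""
    m = re.search(r"Shell=(.*)$", line, re.IGNORECASE)
    return m.group(1).strip() if m else ""


def triage(log_text: str) -> List[Finding]:
    """Flag HijackThis lines that deserve a closer look. One line can yield
    several findings; anything flagged still needs a human review, since a
    Temp-directory service, for example, can belong to a legitimate tool
    that was running at the time (the log above lists RootkitRevealer)."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or " - " not in line:
            continue                      # headers and process-list lines
        code = line.split(" - ", 1)[0]
        low = line.lower()
        reasons = []
        # F2: the shell should be exactly Explorer.exe; anything appended is a hijack.
        shell = _shell_value(line)
        if code == "F2" and shell and shell.lower() != "explorer.exe":
            reasons.append("system.ini Shell= runs something besides Explorer.exe")
        # O20: AppInit_DLLs is normally empty; any DLL here is loaded into every
        # process that loads user32.dll.
        if code == "O20" and "appinit_dlls:" in low and low.split("appinit_dlls:", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated")
        # O21/O22: ShellServiceObjectDelayLoad and SharedTaskScheduler are
        # rarely used by legitimate software and HJT hides the known-good ones.
        if code in ("O21", "O22"):
            reasons.append("SSODL/SharedTaskScheduler autostart, review manually")
        # Dangling autostarts: the loader still references a file that is gone,
        # which is what produces the 'error loading ... dll' message at boot.
        if "(file missing)" in low or "(no file)" in low:
            reasons.append("autostart points at a file that no longer exists")
        if "\\temp\\" in low:
            reasons.append("executable runs from a Temp directory")
        if code == "O4" and "rundll32" in low:
            reasons.append("Run key launches a DLL through rundll32")
        findings.extend((code, r, line) for r in reasons)
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```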


Hello ent and welcome to the forums here at MalwareBytes.

Looks like another Vundo infection, along with maybe some other stuff.

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


I followed your instructions and Combofix did some things, then said that it needed to reboot, and upon restart I got the blue screen of death. Now I'm unable to boot up at all. I get the BSoD, no matter how I try to start (normal, last known good, safe, safe with networking, safe with command prompt). What now?


Sorry to hear of your trouble. The Malware that you have on your system has done some serious damage. You were already getting some BSOD's before running combofix. Let's see if we can at least bring you back to that point.

Did you allow combofix to install the recovery console? Or do you know if it's installed? Also, do you have your original XP install disk?


Hi ent,

At the beginning of combofix's routine it backs up the current state of the registry. Hopefully this will get us back to the state you were in before you ran it.

1. Restart your computer

2. Before Windows loads, you will be prompted to choose which Operating System to start

3. Use the up and down arrow key to select Microsoft Windows Recovery Console

4. You must enter which Windows installation to log onto. Type 1 and press enter.

5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.

8. At the next prompt, type the following bolded text, and press Enter:

exit

Hopefully Windows will now begin loading.

Let me know how this works and we'll go from there.

EDIT: for minor typo


If you have the XP CD I would like to try from that. If it BSOD's off the CD then that would point to a potential hardware issue.

1. Insert Windows Install disc to boot from CD.

2. Press any key on the keyboard when prompted.

3. Press R to load the Recovery Console.

4. Enter your password when prompted.

5. You must enter which Windows installation to log onto. Type 1 and press enter.

6. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs

7. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

8. The erunt backups will begin copying.

9. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading (hopefully).


I was able to boot from CD and run the recovery console. I found what appeared to be the backup in erdnt\Hiv-backup. There was no erdnt\subs. I ran the batch command and it said that it was copying files. But when I restart, I still get the blue screen.

While I was there, I ran a chkdsk /P and it reported that there were errors. I did not run chkdsk /F to fix them.


Nice job, sounds like you have some good PC background/skills there.

I would advise that you go ahead and run chkdsk with the /f switch to fix any bad sectors.

In the meantime I will check in with some other experts to find out if we have any other options here if that doesn't work.


I've been a software engineer for 30+ years, so I've learned a few things.

I ran chkdsk /r and it ran for a long time, but didn't seem to find any errors. At least, it didn't report any and when it was done, it didn't list any bad sectors in the totals. I don't know if this means that it successfully fixed errors or it didn't find any.

I'm still getting the blue screen.


Not sure how much this will help me but what is the BSOD message you get? If any? I'm thinking next thing to try would be a repair install to see if you can get back into the OS. Do you have backups for this PC?

Even if we can get back in it sounds like there was some damage done already and I'm not exactly sure what combofix did there. I'll see if I can get some experts to look in on it here but we don't have much information.


I don't know how much detail you want, but I've transcribed the whole thing below. By the way, this is a Dell computer and there are scads of hardware diagnostics built in that I can get to by pressing F12 on boot. I've been running a variety of them and haven't found anything amiss yet.

Regarding backups, I happened to do one a few days ago.

-----

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps.

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F for hard drive corruption and then restart your computer.

Technical information:

*** STOP: 0x0000007B (0xF791F524,0xC0000034,0x00000000,0x00000000)


Good morning.

I'm wondering about something that I noticed with the "erdnt" files. I see that there is a Users directory which has copies of some of the registry files. And I see that there is an ERDNT.INF and an ERDNT.CON, which appear to be different ways to restore system files. The latter is what you had me batch submit but it doesn't contain any references to the Users directory files. The former .inf file does have references to the Usr files. Could this be a possible reason for the failure to restore my system to its previous state of affairs, i.e., is it failing to restore the Usr files?

I suspect that this is a big red herring, but I thought I should ask.


Good morning ent,

I have several thoughts going on here. I would really like to be able to at least get back to the point of booting to the OS here. Although I do think that even if we accomplish that the "long term" fix will be to rebuild the OS. As you have very recent backups (good for you) this shouldn't be too much of a problem.

It's up to you as to how far you want to take this. If I were dealing with someone of lesser background and ability I would be reluctant to try too much here, but it's pretty obvious you know your stuff.

The research I did on that BSOD code indicates it may be an issue with the boot sector, which then leads me to think the malware got to the boot sector.

One option would be to run MS boot sector utilities from the RC, but that is very risky and may just do us in.

Another thought is to run a live CD/DVD. I had one live repair I did several months back that was an unbootable PC (BSOD) where the DrWeb live CD was able to get us back into the OS. It ended up being Virut along with all kinds of other nasty stuff so I just rebuilt the OS, but at least I was able to get in and back up the data for the customer (they had no backups).

It appears the download for the DrWeb CD is not up at the moment, but I'll look into it.

Tell me what your thoughts are on this and how far you would like to take this.


Good morning.

I'm wondering about something that I noticed with the "erdnt" files. I see that there is a Users directory which has copies of some of the registry files. And I see that there is an ERDNT.INF and an ERDNT.CON, which appear to be different ways to restore system files. The latter is what you had me batch submit but it doesn't contain any references to the Users directory files. The former .inf file does have references to the Usr files. Could this be a possible reason for the failure to restore my system to its previous state of affairs, i.e., is it failing to restore the Usr files?

I suspect that this is a big red herring, but I thought I should ask.

Sorry forgot to address this in my last post. Don't think that's it as my understanding is the cf routine pulls out whatever needs to be.


I'm not really sure. I don't know what rebuilding the OS means. I would prefer to try to repair the system than resort to backups for a few reasons:

The C: drive is partitioned into several logical drives and they are not all backed up.

I've never had to restore anything, so I don't feel 100% confident in the reliability of the backup. If we reformat the hard drive and there's anything wrong with the backup or there are complications with getting it to restore, then I'm in trouble. My next newest backup is from months ago.

The backup is on an external drive which I had purchased two of, for added security by redundancy. When I pulled one of them out to do the recent backup, it was non-functional for no good reason. I had only used it a few times. The other one is almost the same model, which has me a little concerned about its reliability.

You mentioned that you were going to talk to some experts. Did you do that? What did they suggest?


Rebuilding the OS is a full reformat/re-install, which you would like to avoid.

We can try fixing this. I have not had any advice at this point as there are still some tricks up my sleeve.

I assume you have the ability (PC and resources) to create CD/DVD's? If so....

I would love to try the DrWeb CD as I've had good results with it, but the download is not available right now.

Next option would be to try the Kaspersky live CD. Here is an article I had previously used to download and run it. In my case it didn't solve the issue, but it's certainly worth a try.

http://www.techmixer.com/kaspersky-rescue-...2009-using-dos/


I was able to download and burn the Dr.Web LiveCD software to a CD. What do you suggest I try first?

Great. Ya, was just about to post to you that I had the wrong link for the DrWeb scanner. ;) Glad you found the right one.

I would advise you to go ahead and run it, letting it fix what's found. Also, take note of what it finds. Not everything in detail, but just some names, etc.

Hopefully this will get us back in.


I tried the Dr.Web LiveCD on my sick computer with no luck. When I booted from the CD, I got the Dr.Web main menu (default/safe mode/HDD/memory test).

When I chose default mode, I got the green screen of death -- the Dr.Web logo on a bright green background. There was nothing else on the screen and nothing seemed to be happening. I gave it ten minutes or so.

When I chose the safe mode, it loaded a bunch of stuff, went through what looked like a Linux startup, identified some resources, and finally displayed a "Starting Dr.Web Update..." message. But nothing happened after that. I gave it 15 minutes or so. My CD drive was making some periodic whirring sounds and the light was on continuously.

Does it take these options a really long time to initialize, or is it not working?
