TechSpot

Having continual problems with Google redirect virus

By vukker
May 10, 2010
  1. vukker

    vukker TS Rookie Topic Starter Posts: 37

    mmk, downloaded a fresh OTLPE.iso, but I did it from the link in your previous post, which is the same place I got it from before. Is that ok, or should I be getting it from somewhere else? Here's the SystemLook log of the new download.

    Cheers,
    Vuk
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    Let me try. It'll take a couple of minutes. Hold on.
     
  3. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    OK. It looks like the file size and MD5 number have changed, so your download is fine.
    I went back to your original boot error and now I know why you can boot from the OTLPE CD, but double clicking on OTLPE doesn't work.
    The System hive is either missing or corrupted.
    Let me prepare the next step for you. Hold on...
     
  4. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    We'll have to replace the registry hives with a set of those present in the C:\System Volume Information folder (if Restore Points are available).

    Be very careful with the following set of steps:

    We need to create a batch file and save it onto a flash drive to move information from the sick computer to a working computer. This batch file lists all directories in C:\System Volume Information, which is useful for finding the backed-up registry.

    Important note: Ensure that you save it on the flash drive. Do NOT save this file on the working computer. You could accidentally run the file on that computer and damage its registry. This file will be run on the non-working computer after following the next set of instructions.

    Using your clean working computer do the following:

    1. Go to Start -> Run, and type notepad into the box.
    2. Click OK.
    3. Copy and paste the following code into Notepad:

    Code:
    REM Temporarily rename the SYSTEM hive while the listing runs
    Ren C:\windows\system32\config\system system.123
    REM Write a recursive listing of the restore-point folder to C:\log.txt
    Dir "C:\System Volume Information" /s >C:\log.txt
    REM Give the SYSTEM hive its name back
    Ren C:\windows\system32\config\system.123 system
    REM Delete this batch file
    Del %0
    
    4. Go to File -> Save As, then enter: ren.bat (save it as All Files (*.*))
    5. Then.. Save it on the flash drive. Do NOT save this file on the working computer.
    6. After that, insert the flash drive into the infected computer before booting the system.
    7. Once booted with the OTLPE CD, go to Start -> My Computer, then go to your flash drive, copy the batch file to the desktop, and double click it to run it.
    8. Then go to C:\log.txt and copy and paste it back here as a reply to this post.

    Note: You may have to copy and paste the log into the flash drive so you can post it back here.
     
  5. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Volume in drive C has no label.
    Volume Serial Number is 54BF-ACF3

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}

    05/17/2010 08:12 AM 454 drivetable.txt
    05/14/2010 09:29 PM <DIR> RP1
    05/16/2010 09:59 AM <DIR> RP2
    05/17/2010 02:22 AM <DIR> RP3
    05/17/2010 08:12 AM 24 _driver.cfg
    05/16/2010 09:59 AM 23,268 _filelst.cfg
    3 File(s) 23,746 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1

    05/14/2010 09:29 PM <DIR> .
    05/14/2010 09:29 PM <DIR> ..
    05/13/2010 09:40 AM 1,143,079 A0000001.mfl
    05/13/2010 11:07 AM 2,022,798 A0000002.mfl
    05/06/2010 07:12 PM 521 A0000003.ini
    05/13/2010 08:58 PM 521 A0000004.ini
    05/13/2010 08:58 PM 521 A0000005.ini
    08/10/2004 03:02 PM 1,476 A0000006.lnk
    05/13/2010 08:40 PM 1,095 A0001004.ini
    05/13/2010 08:40 PM 4,334 A0001005.ini
    05/13/2010 08:40 PM 120 A0001006.ini
    05/13/2010 08:41 PM 2,415 A0001007.ini
    05/13/2010 11:22 AM 4,096 A0001008.dir
    05/13/2010 11:22 AM 4,096 A0001009.dir
    05/13/2010 11:25 AM 4,096 A0001010.dir
    05/13/2010 11:25 AM 4,096 A0001011.dir
    05/13/2010 08:34 PM 4,096 A0001012.dir
    05/13/2010 08:37 PM 4,096 A0001013.dir
    05/13/2010 08:37 PM 4,096 A0001014.dir
    05/13/2010 08:37 PM 4,096 A0001015.dir
    05/13/2010 08:38 PM 4,096 A0001016.dir
    05/13/2010 08:55 PM 4,096 A0001017.dir
    05/13/2010 08:55 PM 4,096 A0001018.dir
    05/13/2010 09:01 PM 4,096 A0001019.dir
    05/13/2010 11:22 AM 4,096 A0001020.dir
    05/13/2010 11:22 AM 4,096 A0001021.dir
    05/13/2010 08:46 PM 1,066,320 A0001022.exe
    07/10/2007 06:14 PM 195,848 A0001023.exe
    06/13/2007 03:25 PM 225,792 A0001024.dll
    07/10/2007 06:14 PM 1,468,680 A0001025.dll
    11/08/2007 09:18 PM 256 A0001026.ini
    07/10/2007 06:14 PM 214,280 A0001027.dll
    07/10/2007 06:14 PM 210,184 A0001028.dll
    06/25/2007 02:24 PM 321,536 A0001029.dll
    05/13/2010 08:46 PM 170 A0001030.ini
    05/13/2010 08:58 PM 1,499,602 A0001031.mfl
    04/26/2010 09:30 AM 3,045 A0001032.old
    04/26/2010 09:52 AM 5,380 A0001033.old
    05/13/2010 12:59 PM 222 A0001034.ULG
    04/13/2010 10:04 PM 2,074 A0001035.ULG
    06/19/2008 08:30 PM 598 A0001036.cfg
    05/13/2010 02:54 PM 1,328 A0001037.ini
    04/25/2010 11:14 PM 99 A0001038.old
    04/25/2010 11:14 PM 243 A0001039.old
    05/13/2010 11:21 PM 4,334 A0001043.ini
    05/13/2010 11:21 PM 1,095 A0001044.ini
    05/13/2010 11:21 PM 120 A0001045.ini
    05/14/2010 02:24 AM 2,415 A0001046.ini
    05/14/2010 12:15 AM 1,522,315 A0001047.mfl
    05/14/2010 02:23 AM 1,066,320 A0001048.exe
    07/10/2007 06:14 PM 195,848 A0001049.exe
    06/13/2007 03:25 PM 225,792 A0001050.dll
    07/10/2007 06:14 PM 1,468,680 A0001051.dll
    11/08/2007 09:18 PM 256 A0001052.ini
    07/10/2007 06:14 PM 214,280 A0001053.dll
    07/10/2007 06:14 PM 210,184 A0001054.dll
    06/25/2007 02:24 PM 321,536 A0001055.dll
    05/19/2008 04:18 PM 238,856 A0001056.dll
    08/21/2006 03:15 PM 6,725 A0001057.ini
    05/14/2010 02:23 AM 170 A0001058.ini
    05/14/2010 03:00 AM 3,047 A0001059.old
    04/26/2010 09:54 AM 99 A0001060.old
    04/26/2010 09:54 AM 111 A0001061.old
    05/14/2010 03:03 AM 87,226 A0001062.old
    05/13/2010 11:50 PM 4,096 A0001063.dir
    05/14/2010 12:10 AM 4,096 A0001064.dir
    05/14/2010 12:11 AM 4,096 A0001065.dir
    05/14/2010 12:15 AM 4,096 A0001066.dir
    05/14/2010 12:16 AM 4,096 A0001067.dir
    05/14/2010 12:17 AM 4,096 A0001068.dir
    05/14/2010 12:35 AM 4,096 A0001069.dir
    05/14/2010 01:06 AM 4,096 A0001070.dir
    05/13/2010 11:24 PM 4,096 A0001071.dir
    05/13/2010 10:32 AM 4,096 A0001072.dir
    05/13/2010 11:21 AM 702 A0001073.lnk
    05/13/2010 11:21 AM 419 A0001074.lnk
    05/13/2010 11:15 AM 437 A0001075.LNK
    05/13/2010 09:47 AM 602 A0001076.LNK
    05/14/2010 02:24 AM 1,328 A0001077.ini
    05/13/2010 09:47 AM 1,032 A0001078.lnk
    05/13/2010 09:47 AM 932 A0001079.LNK
    05/13/2010 09:53 PM 18,398 change.log.1
    05/14/2010 03:04 AM 404,910 change.log.2
    05/14/2010 04:42 PM 1,048,376 change.log.3
    05/14/2010 09:28 PM 667,368 change.log.4
    05/14/2010 09:29 PM 134 drivetable.txt
    05/14/2010 10:21 PM 8 RestorePointSize
    05/13/2010 08:57 PM 536 rp.log
    05/13/2010 08:57 PM <DIR> snapshot
    86 File(s) 16,205,432 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\snapshot

    05/13/2010 08:57 PM <DIR> .
    05/13/2010 08:57 PM <DIR> ..
    12/25/2007 03:38 PM 23,600 ComDb.Dat
    05/13/2010 08:57 PM 26 domain.txt
    05/13/2010 08:57 PM <DIR> Repository
    05/13/2010 08:57 PM 24,576 _REGISTRY_MACHINE_SAM
    05/13/2010 08:57 PM 53,248 _REGISTRY_MACHINE_SECURITY
    05/13/2010 08:57 PM 44,105,728 _REGISTRY_MACHINE_SOFTWARE
    05/13/2010 08:57 PM 8,130,560 _REGISTRY_MACHINE_SYSTEM
    05/13/2010 08:57 PM 1,572,864 _REGISTRY_USER_.DEFAULT
    12/08/2007 02:39 AM 262,144 _REGISTRY_USER_NTUSER_S-1-5-18
    05/13/2010 08:57 PM 237,568 _REGISTRY_USER_NTUSER_S-1-5-19
    05/13/2010 08:57 PM 233,472 _REGISTRY_USER_NTUSER_S-1-5-20
    05/13/2010 08:57 PM 7,839,744 _REGISTRY_USER_NTUSER_S-1-5-21-3533347811-4231963961-3829418293-1006
    05/13/2010 08:57 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    05/13/2010 08:57 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    05/13/2010 08:57 PM 241,664 _REGISTRY_USER_USRCLASS_S-1-5-21-3533347811-4231963961-3829418293-1006
    14 File(s) 62,741,578 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\snapshot\Repository

    05/13/2010 08:57 PM <DIR> .
    05/13/2010 08:57 PM <DIR> ..
    05/13/2010 08:40 PM 20 $WinMgmt.CFG
    05/13/2010 08:57 PM <DIR> FS
    1 File(s) 20 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\snapshot\Repository\FS

    05/13/2010 08:57 PM <DIR> .
    05/13/2010 08:57 PM <DIR> ..
    05/13/2010 08:41 PM 1,187,840 INDEX.BTR
    05/13/2010 08:41 PM 604 INDEX.MAP
    05/13/2010 08:41 PM 4 MAPPING.VER
    05/13/2010 08:41 PM 3,616 MAPPING1.MAP
    05/13/2010 08:41 PM 3,616 MAPPING2.MAP
    05/13/2010 08:41 PM 6,111,232 OBJECTS.DATA
    05/13/2010 08:41 PM 3,012 OBJECTS.MAP
    7 File(s) 7,309,924 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2

    05/16/2010 09:59 AM <DIR> .
    05/16/2010 09:59 AM <DIR> ..
    05/14/2010 09:28 PM 23,218 A0001080.old
    05/14/2010 08:38 PM 3,050 A0001081.old
    04/14/2010 02:44 PM 234 A0001082.ULG
    06/19/2008 08:30 PM 598 A0001083.cfg
    05/14/2010 09:10 PM 1,066,320 A0001084.exe
    07/10/2007 06:14 PM 195,848 A0001085.exe
    06/13/2007 03:25 PM 225,792 A0001086.dll
    07/10/2007 06:14 PM 1,468,680 A0001087.dll
    11/08/2007 09:18 PM 256 A0001088.ini
    07/10/2007 06:14 PM 214,280 A0001089.dll
    07/10/2007 06:14 PM 210,184 A0001090.dll
    06/25/2007 02:24 PM 321,536 A0001091.dll
    05/14/2010 09:10 PM 170 A0001092.ini
    05/14/2010 03:10 PM 2,415 A0001093.ini
    05/14/2010 03:09 PM 1,328 A0001094.ini
    05/07/2010 12:00 PM 468 A0001095.ini
    05/14/2010 08:54 AM 4,334 A0002043.ini
    05/14/2010 08:54 AM 1,095 A0002044.ini
    05/14/2010 08:54 AM 120 A0002045.ini
    05/14/2010 12:08 PM 1,653,780 A0002046.mfl
    05/15/2010 12:11 AM 2,415 A0002047.ini
    05/15/2010 12:13 PM 1,066,320 A0002048.exe
    07/10/2007 06:14 PM 195,848 A0002049.exe
    06/13/2007 03:25 PM 225,792 A0002050.dll
    07/10/2007 06:14 PM 1,468,680 A0002051.dll
    11/08/2007 09:18 PM 256 A0002052.ini
    07/10/2007 06:14 PM 214,280 A0002053.dll
    07/10/2007 06:14 PM 210,184 A0002054.dll
    06/25/2007 02:24 PM 321,536 A0002055.dll
    05/15/2010 12:13 PM 170 A0002056.ini
    05/15/2010 12:11 AM 1,328 A0002057.ini
    06/19/2008 08:30 PM 598 A0002058.cfg
    05/15/2010 06:54 AM 1,048,382 change.log.1
    05/15/2010 04:35 PM 1,048,414 change.log.2
    05/15/2010 06:04 PM 155,900 change.log.3
    05/16/2010 09:48 AM 62,890 change.log.4
    05/16/2010 09:59 AM 454 drivetable.txt
    05/16/2010 12:35 PM 8 RestorePointSize
    05/14/2010 09:29 PM 536 rp.log
    05/14/2010 09:29 PM <DIR> snapshot
    39 File(s) 11,417,697 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\snapshot

    05/14/2010 09:29 PM <DIR> .
    05/14/2010 09:29 PM <DIR> ..
    12/25/2007 03:38 PM 23,600 ComDb.Dat
    05/14/2010 09:29 PM 26 domain.txt
    05/14/2010 09:29 PM <DIR> Repository
    05/14/2010 09:29 PM 24,576 _REGISTRY_MACHINE_SAM
    05/14/2010 09:29 PM 53,248 _REGISTRY_MACHINE_SECURITY
    05/14/2010 09:29 PM 44,105,728 _REGISTRY_MACHINE_SOFTWARE
    05/14/2010 09:29 PM 8,130,560 _REGISTRY_MACHINE_SYSTEM
    05/14/2010 09:29 PM 1,572,864 _REGISTRY_USER_.DEFAULT
    12/08/2007 02:39 AM 262,144 _REGISTRY_USER_NTUSER_S-1-5-18
    05/14/2010 09:29 PM 237,568 _REGISTRY_USER_NTUSER_S-1-5-19
    05/14/2010 09:29 PM 233,472 _REGISTRY_USER_NTUSER_S-1-5-20
    05/14/2010 09:29 PM 7,860,224 _REGISTRY_USER_NTUSER_S-1-5-21-3533347811-4231963961-3829418293-1006
    05/14/2010 09:29 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    05/14/2010 09:29 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    05/14/2010 09:29 PM 241,664 _REGISTRY_USER_USRCLASS_S-1-5-21-3533347811-4231963961-3829418293-1006
    14 File(s) 62,762,058 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\snapshot\Repository

    05/14/2010 09:29 PM <DIR> .
    05/14/2010 09:29 PM <DIR> ..
    05/14/2010 08:54 AM 20 $WinMgmt.CFG
    05/14/2010 09:29 PM <DIR> FS
    1 File(s) 20 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\snapshot\Repository\FS

    05/14/2010 09:29 PM <DIR> .
    05/14/2010 09:29 PM <DIR> ..
    05/14/2010 09:08 PM 1,187,840 INDEX.BTR
    05/14/2010 09:08 PM 604 INDEX.MAP
    05/14/2010 09:08 PM 4 MAPPING.VER
    05/14/2010 08:08 PM 3,616 MAPPING1.MAP
    05/14/2010 09:08 PM 3,616 MAPPING2.MAP
    05/14/2010 09:08 PM 6,111,232 OBJECTS.DATA
    05/14/2010 09:08 PM 3,012 OBJECTS.MAP
    7 File(s) 7,309,924 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3

    05/17/2010 02:22 AM <DIR> .
    05/17/2010 02:22 AM <DIR> ..
    05/16/2010 08:17 AM 1,066,320 A0002194.exe
    07/10/2007 06:14 PM 195,848 A0002195.exe
    06/13/2007 03:25 PM 225,792 A0002196.dll
    07/10/2007 06:14 PM 1,468,680 A0002197.dll
    11/08/2007 09:18 PM 256 A0002198.ini
    07/10/2007 06:14 PM 214,280 A0002199.dll
    07/10/2007 06:14 PM 210,184 A0002200.dll
    06/25/2007 02:24 PM 321,536 A0002201.dll
    05/19/2008 04:18 PM 238,856 A0002202.dll
    08/21/2006 03:15 PM 6,725 A0002203.ini
    05/16/2010 08:17 AM 170 A0002204.ini
    05/11/2010 12:16 PM 2,485 A0002292.lnk
    05/14/2010 09:11 PM 702 A0002293.lnk
    05/14/2010 09:11 PM 419 A0002294.lnk
    05/14/2010 09:09 PM 4,096 A0002295.dir
    05/14/2010 09:10 PM 4,096 A0002296.dir
    05/14/2010 09:10 PM 4,096 A0002297.dir
    05/14/2010 09:10 PM 4,096 A0002298.dir
    05/14/2010 09:11 PM 4,096 A0002299.dir
    05/14/2010 09:11 PM 4,096 A0002300.dir
    05/15/2010 05:12 PM 4,096 A0002301.dir
    05/15/2010 05:12 PM 4,096 A0002302.dir
    05/15/2010 05:12 PM 4,096 A0002303.dir
    05/15/2010 05:12 PM 4,096 A0002304.dir
    05/14/2010 09:09 PM 4,096 A0002305.dir
    05/15/2010 06:16 PM 4,096 A0002306.dir
    05/15/2010 06:16 PM 4,096 A0002307.dir
    05/15/2010 06:16 PM 4,096 A0002308.dir
    05/14/2010 08:59 PM 1,032 A0002309.lnk
    05/14/2010 09:09 PM 4,096 A0002527.dir
    05/13/2010 08:33 PM 0 A0002614.VDB
    05/16/2010 08:18 AM 2,415 A0002615.ini
    05/15/2010 08:13 PM 1,653,780 A0002616.mfl
    05/08/2010 11:23 AM 803 A0002617.ini
    05/08/2010 11:26 AM 1,713 A0002618.ini
    04/15/2010 02:05 PM 452 A0002619.ULG
    05/16/2010 08:18 AM 1,328 A0002620.ini
    05/08/2010 12:13 PM 20,423 A0002621.ini
    05/17/2010 08:12 AM 636,520 change.log
    05/16/2010 09:59 AM 8 RestorePointSize
    05/16/2010 09:59 AM 536 rp.log
    05/16/2010 09:59 AM <DIR> snapshot
    41 File(s) 6,332,703 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot

    05/16/2010 09:59 AM <DIR> .
    05/16/2010 09:59 AM <DIR> ..
    12/25/2007 03:38 PM 23,600 ComDb.Dat
    05/16/2010 09:59 AM 26 domain.txt
    05/16/2010 09:59 AM <DIR> Repository
    05/16/2010 09:59 AM 24,576 _REGISTRY_MACHINE_SAM
    05/16/2010 09:59 AM 53,248 _REGISTRY_MACHINE_SECURITY
    05/16/2010 09:59 AM 44,105,728 _REGISTRY_MACHINE_SOFTWARE
    05/16/2010 09:59 AM 8,130,560 _REGISTRY_MACHINE_SYSTEM
    05/16/2010 09:59 AM 1,572,864 _REGISTRY_USER_.DEFAULT
    12/08/2007 02:39 AM 262,144 _REGISTRY_USER_NTUSER_S-1-5-18
    05/16/2010 09:59 AM 237,568 _REGISTRY_USER_NTUSER_S-1-5-19
    05/16/2010 09:59 AM 233,472 _REGISTRY_USER_NTUSER_S-1-5-20
    05/16/2010 09:59 AM 7,876,608 _REGISTRY_USER_NTUSER_S-1-5-21-3533347811-4231963961-3829418293-1006
    05/16/2010 09:59 AM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
    05/16/2010 09:59 AM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
    05/16/2010 09:59 AM 241,664 _REGISTRY_USER_USRCLASS_S-1-5-21-3533347811-4231963961-3829418293-1006
    14 File(s) 62,778,442 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\Repository

    05/16/2010 09:59 AM <DIR> .
    05/16/2010 09:59 AM <DIR> ..
    05/15/2010 06:14 PM 20 $WinMgmt.CFG
    05/16/2010 09:59 AM <DIR> FS
    1 File(s) 20 bytes

    Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\Repository\FS

    05/16/2010 09:59 AM <DIR> .
    05/16/2010 09:59 AM <DIR> ..
    05/16/2010 09:22 AM 1,187,840 INDEX.BTR
    05/16/2010 09:22 AM 604 INDEX.MAP
    05/16/2010 09:23 AM 4 MAPPING.VER
    05/15/2010 10:16 PM 3,616 MAPPING1.MAP
    05/16/2010 09:22 AM 3,616 MAPPING2.MAP
    05/16/2010 09:22 AM 6,111,232 OBJECTS.DATA
    05/16/2010 09:22 AM 3,012 OBJECTS.MAP
    7 File(s) 7,309,924 bytes

    Total Files Listed:
    235 File(s) 244,191,488 bytes
    36 Dir(s) 22,671,134,720 bytes free
     
  6. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    OK. Restore points are there :)
    Now, give me a few minutes to prepare the next step for you...
     
  7. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    Using your clean working computer do the following:

    1. Go to Start -> Run, and type notepad into the box.
    2. Click OK.
    3. Copy and paste the following code into Notepad:

    Code:
    REM Set the current (damaged) hives aside by renaming them
    Ren C:\windows\system32\config\SYSTEM SYSTEM.123
    Ren C:\windows\system32\config\SAM SAM.123
    Ren C:\windows\system32\config\SECURITY SECURITY.123
    Ren C:\windows\system32\config\SOFTWARE SOFTWARE.123
    Ren C:\windows\system32\config\DEFAULT DEFAULT.123
    
    REM Copy the hives saved in restore point RP3 to the root of C:
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SAM" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SECURITY" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SOFTWARE" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SYSTEM" C:\
    Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_USER_.DEFAULT" C:\
    
    REM Put the restore-point copies in place under system32\config
    Copy C:\_REGISTRY_MACHINE_SAM C:\windows\system32\config\SAM
    Copy C:\_REGISTRY_MACHINE_SECURITY C:\windows\system32\config\SECURITY
    Copy C:\_REGISTRY_MACHINE_SOFTWARE C:\windows\system32\config\SOFTWARE
    Copy C:\_REGISTRY_MACHINE_SYSTEM C:\windows\system32\config\SYSTEM
    Copy C:\_REGISTRY_USER_.DEFAULT C:\windows\system32\config\DEFAULT
    
    REM Delete this batch file
    Del %0
    
    4. Go to File -> Save As, then enter: ren.bat (save it as All Files (*.*))
    5. Then.. Save it on the flash drive. Do NOT save this file on the working computer.
    6. After that, insert the flash drive into the infected computer before booting the system.
    7. Once booted with the OTLPE CD, go to Start -> My Computer, then go to your flash drive, copy the batch file to the desktop, and double click it to run it.
    8. See if you can boot the bad computer normally.
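Worked example added by the editor, not code from the thread or from Broni: a Python script that reads the output of `dir "C:\System Volume Information" /s` (what the batch file in post 4 writes to C:\log.txt) and performs the check Broni did by eye in posts 5 to 7: find every RPn\snapshot folder that holds a complete, non-empty set of the five hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT), pick the highest-numbered one, and produce the source/destination pairs that the batch file in post 7 spells out by hand. The listing embedded below is a constructed, shortened excerpt in the same format as the posted log (placeholder GUID; RP2 is deliberately left without a SOFTWARE hive to show how an incomplete snapshot is skipped), and the function names are the editor's own.

```python
"""Choose the newest restore point whose snapshot holds all five registry hives.

Editor's example, not from the thread. Input is the text produced by
  dir "C:\\System Volume Information" /s
as captured to C:\\log.txt by the thread's batch file.
"""
import re

# Hive name under system32\config -> file name inside RPn\snapshot
HIVES = {
    "SAM": "_REGISTRY_MACHINE_SAM",
    "SECURITY": "_REGISTRY_MACHINE_SECURITY",
    "SOFTWARE": "_REGISTRY_MACHINE_SOFTWARE",
    "SYSTEM": "_REGISTRY_MACHINE_SYSTEM",
    "DEFAULT": "_REGISTRY_USER_.DEFAULT",
}
CONFIG_DIR = "C:\\windows\\system32\\config\\"

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, size, name; "<DIR>" entries never match because size must be digits
FILE_LINE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(.+?)\s*$")
RP_SNAPSHOT = re.compile(r"\\_restore\{[^}]+\}\\RP(\d+)\\snapshot$", re.IGNORECASE)


def parse_dir_listing(text):
    """Return {directory: {file name: size in bytes}} from `dir /s` output."""
    tree, current = {}, None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group(1)
            tree[current] = {}
            continue
        m = FILE_LINE.match(line)
        if m and current is not None:
            size, name = m.groups()
            tree[current][name] = int(size.replace(",", ""))
    return tree


def complete_snapshots(tree):
    """{RP number: snapshot path} for snapshots carrying all five hives, each non-empty."""
    found = {}
    for path, files in tree.items():
        m = RP_SNAPSHOT.search(path)
        if m and all(files.get(src, 0) > 0 for src in HIVES.values()):
            found[int(m.group(1))] = path
    return found


def choose_restore_point(text):
    """(RP number, snapshot path, [(source, destination), ...]) for the
    highest-numbered complete snapshot, or None if no snapshot has every hive."""
    snapshots = complete_snapshots(parse_dir_listing(text))
    if not snapshots:
        return None
    rp = max(snapshots)          # restore points are numbered in creation order
    path = snapshots[rp]
    plan = [(path + "\\" + src, CONFIG_DIR + dst) for dst, src in HIVES.items()]
    return rp, path, plan


# Constructed excerpt in the format of the posted log (placeholder GUID;
# RP2 is deliberately missing its SOFTWARE hive).
SAMPLE_LISTING = r"""
 Volume in drive C has no label.

 Directory of C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}

05/14/2010  09:29 PM    <DIR>          RP1
05/16/2010  09:59 AM    <DIR>          RP2
05/17/2010  02:22 AM    <DIR>          RP3
05/17/2010  08:12 AM               454 drivetable.txt

 Directory of C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\snapshot

05/13/2010  08:57 PM            24,576 _REGISTRY_MACHINE_SAM
05/13/2010  08:57 PM            53,248 _REGISTRY_MACHINE_SECURITY
05/13/2010  08:57 PM        44,105,728 _REGISTRY_MACHINE_SOFTWARE
05/13/2010  08:57 PM         8,130,560 _REGISTRY_MACHINE_SYSTEM
05/13/2010  08:57 PM         1,572,864 _REGISTRY_USER_.DEFAULT

 Directory of C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2\snapshot

05/14/2010  09:29 PM            24,576 _REGISTRY_MACHINE_SAM
05/14/2010  09:29 PM            53,248 _REGISTRY_MACHINE_SECURITY
05/14/2010  09:29 PM         8,130,560 _REGISTRY_MACHINE_SYSTEM
05/14/2010  09:29 PM         1,572,864 _REGISTRY_USER_.DEFAULT

 Directory of C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP3\snapshot

05/16/2010  09:59 AM            24,576 _REGISTRY_MACHINE_SAM
05/16/2010  09:59 AM            53,248 _REGISTRY_MACHINE_SECURITY
05/16/2010  09:59 AM        44,105,728 _REGISTRY_MACHINE_SOFTWARE
05/16/2010  09:59 AM         8,130,560 _REGISTRY_MACHINE_SYSTEM
05/16/2010  09:59 AM         1,572,864 _REGISTRY_USER_.DEFAULT
"""

if __name__ == "__main__":
    rp, path, plan = choose_restore_point(SAMPLE_LISTING)
    print("Using RP%d: %s" % (rp, path))
    for src, dst in plan:
        print('Copy "%s" "%s"' % (src, dst))
```

The highest RP number is the newest restore point, which is the one the thread uses; before relying on it, compare the snapshot directory's date with when the boot trouble began and prefer the latest point that predates it, since a snapshot taken after the damage carries the damaged hives.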
     
  8. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Dear Broni, I followed your instructions, and upon trying to start the computer normally I got a new error message saying Windows could not start because the following file is missing or corrupt: System32\Drivers\Ntfs.sys..... Awaiting your guidance. Thanks again for helping me so much with this; you're really doing me a huge favor.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    OK. Hopefully, we're getting somewhere.
    Go back to my post #12.
    Since you have the OTLPE CD already created, boot from it and follow the instructions from my post #12, starting with:
    The script, which I posted there in red, will be slightly different:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    Ntfs.sys
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    userinit.exe
    explorer.exe
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
     
  10. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Another 5 am evening haha.... Here is the log that you asked for, although when running OTLPE I was never asked if I wanted to load the remote registry, and it had the options for standard registry and extra registry. I only checked all under standard because the directions didn't specify one or the other or both. Thanks

    Cheers,
    Vuk
     
  11. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Cough cough, like I said, here is the log you asked for haha
     

    Attached Files: OTL.Txt (176.9 KB)
     
  12. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    Sorry for that...hehehe

    Very good :)
    Since you're able to run OTLPE, that means we're able to fix the corrupted system hive.
    Now, we'll try to fix the NTFS.SYS issue.

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\drivers\ntfs.sys|C:\WINDOWS\ServicePackFiles\i386\ntfs.sys /replace
     
    
    :Commands
    [purity]
    [emptytemp]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into windows.
     
  13. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Broni, here is the log you asked for. I tried booting up the computer normally; it got past the part where an error came up last time, although now it's stuck at the first Windows screen that appears. The computer is not frozen, I don't think, because the progress bar is still moving, but it has taken over 5 minutes to boot so I don't think it's happening.
     

    Attached Files:

  14. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    Try safe mode and give it some time.
     
  15. vukker

    vukker TS Rookie Topic Starter Posts: 37

    mmk, so I fired it up in safe mode and now it says Windows could not start because the following file is missing or corrupt: <Windows root>\system32\ntoskrnl.exe
     
  16. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    I just wonder how many more system files are missing/corrupted?

    Let's give it another shot.
    You'll have to boot to the OTLPE CD and run another OTL scan.

    New code:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    ntoskrnl.exe
    Ntfs.sys
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    userinit.exe
    explorer.exe
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
     
  17. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Yea it does seem a bit excessive I just wonder how all this happened and if it has to do with my external hard drive or what. But anyhow here is the OTL log
     

    Attached Files: OTL.Txt (184.1 KB)

  18. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\system32\ntoskrnl.exe|C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe /replace
    
    :Commands
    [purity]
    [emptytemp]
    
    Open Notepad and paste it.
    Save the document as Fix.txt on to a USB flash drive


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into windows.
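Added example from the editor, not part of the thread and not OTL code: the OTLPE scans in posts 9, 16 and 23 hash the named system files (`/md5start` ... `/md5stop`) so they can be compared with known-good values, and the fixes in posts 12 and 18 copy a cached copy over the live file (`live|cached /replace`). The Python below does the same two steps on a throwaway directory tree: it compares each live file's digest with the copy in ServicePackFiles\i386 or Driver Cache\i386, reports mismatches (a missing live file counts as a mismatch, matching the "missing or corrupt" boot error), and, when asked, restores the file and re-verifies it. The tree and the file contents are constructed, and the function names are the editor's own.

```python
"""Hash system files against a pristine cached copy and restore mismatches.

Editor's example, not OTL's code. Mirrors the /md5start listing and the
`live|cached /replace` fix line from the thread on a constructed directory tree.
"""
import hashlib
import os
import shutil
import tempfile


def file_digest(path, algo="md5"):
    """Hex digest of a file read in chunks; None when the file is absent."""
    if not os.path.isfile(path):
        return None
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_and_restore(pairs, apply_fix=False):
    """pairs: [(live_path, reference_path), ...].
    Returns {live_path: 'ok' | 'mismatch' | 'replaced' | 'no-reference'}.
    With apply_fix=True a mismatched or missing live file is overwritten from
    the reference copy and re-hashed to confirm the copy took."""
    report = {}
    for live, ref in pairs:
        ref_hash = file_digest(ref)
        if ref_hash is None:
            report[live] = "no-reference"      # nothing trustworthy to compare with
            continue
        if file_digest(live) == ref_hash:      # None (missing) never equals a digest
            report[live] = "ok"
            continue
        if apply_fix:
            os.makedirs(os.path.dirname(live), exist_ok=True)
            shutil.copy2(ref, live)
            report[live] = "replaced" if file_digest(live) == ref_hash else "mismatch"
        else:
            report[live] = "mismatch"
    return report


def build_sample_tree():
    """Constructed WINDOWS tree: ntfs.sys damaged, ntoskrnl.exe intact,
    mup.sys with no cached copy. Contents are stand-ins, not real binaries."""
    root = tempfile.mkdtemp(prefix="winroot_")
    layout = {
        r"system32\drivers\ntfs.sys": b"NTFS DRIVER (damaged)",
        r"ServicePackFiles\i386\ntfs.sys": b"NTFS DRIVER",
        r"system32\ntoskrnl.exe": b"KERNEL",
        r"Driver Cache\i386\ntoskrnl.exe": b"KERNEL",
        r"system32\drivers\mup.sys": b"MUP",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def sample_pairs(root):
    """The live|cached pairs the thread's two fixes name, plus mup.sys from post 23."""
    j = lambda rel: os.path.join(root, *rel.split("\\"))
    return [
        (j(r"system32\drivers\ntfs.sys"), j(r"ServicePackFiles\i386\ntfs.sys")),
        (j(r"system32\ntoskrnl.exe"), j(r"Driver Cache\i386\ntoskrnl.exe")),
        (j(r"system32\drivers\mup.sys"), j(r"ServicePackFiles\i386\mup.sys")),
    ]


def demo():
    """Run the scan, then the fix, on the constructed tree; results keyed by file name."""
    root = build_sample_tree()
    try:
        pairs = sample_pairs(root)
        before = {os.path.basename(k): v for k, v in verify_and_restore(pairs).items()}
        after = {os.path.basename(k): v
                 for k, v in verify_and_restore(pairs, apply_fix=True).items()}
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    print("scan:", before)
    print("fix: ", after)
```

The comparison only proves the live file matches the cache, so the cache copy itself still has to be trusted; on a machine where several system files turn out damaged in turn, as in this thread, checking the OTL MD5 values against a known-good reference rather than only against the local cache is the stronger test.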
     
  19. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Here's the log. Booting in safe mode now, keeping my fingers crossed.
     
  20. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Like I said, here's the log.
     

    Attached Files:

  21. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Windows not starting; stuck at the initial Windows screen with the loading bar still moving.
     
  22. vukker

    vukker TS Rookie Topic Starter Posts: 37

    When starting in safe mode it starts loading; the last output on screen is loading windows\system32\drivers\mup.sys, then it restarts the computer.
     
  23. Broni

    Broni Malware Annihilator Posts: 47,710   +268

    OK, we can keep playing around, if you wish, replacing those system files, but surely we can't do it for ever.
    Let's give it a couple more shots.

    New OTLPE script:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    mup.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
     
  24. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Hey Broni, sorry, I went on an outing for the day yesterday, and yes I agree, I don't think we can keep this up forever. What would be my options after that? And is that a fix or a scan for OTL?
     
  25. vukker

    vukker TS Rookie Topic Starter Posts: 37

    Stupid question, scan obviously..... Booting up the other PC, will have the log soon.
     
Topic Status:
Not open for further replies.

