Inactive Having continual problems with Google redirect virus

Mmk, downloaded a fresh OTLPE.iso, but I did it from the link in your previous post, which is the same place I got it from before. Is that OK, or should I be getting it from somewhere else? Here's the SystemLook log of the new download.

Cheers,
Vuk
 

Attachment: SystemLook.txt (840 bytes)
OK. It looks like the file size and MD5 number have changed, so your download is fine.
I went back to your original boot error and now I know why you can boot from the OTLPE CD, but double clicking on OTLPE doesn't work.
"gives me an error message saying the file windows/system32/config/system is missing or corrupt"
The system hive is either missing or corrupted.
Let me prepare the next step for you. Hold on...
 
We'll have to replace the registry hives with a set of those present in the C:\System Volume Information folder (if Restore Points are available).

Be very careful with the following set of steps:

We need to create a batch file and save it onto a flash drive to move information from the sick computer to a working computer. This batch lists all directories in C:\System Volume Information, which is useful for finding the backed-up registry.

Important note: Ensure that you save it on the flash drive. Do NOT save this file on the working computer. You could accidentally run the file on that computer and damage its registry. This file will be run on the non-working computer after following the next set of instructions.

Using your clean working computer do the following:

1. Go to Start -> Run, and type notepad into the box.
2. Click OK.
3. Copy and paste the following code into Notepad:

Code:
REM Set the SYSTEM hive aside under a temporary name while the listing runs; it is renamed back below
Ren C:\windows\system32\config\system system.123
REM Recursive listing of every restore point goes to C:\log.txt so it can be posted
Dir "C:\System Volume Information" /s >C:\log.txt
Ren C:\windows\system32\config\system.123 system
REM Delete this batch file so it cannot be run again by accident
Del %0

4. Go to File -> Save As, then enter: ren.bat (save it as All Files (*.*))
5. Then save it on the flash drive. Do NOT save this file on the working computer.
6. After that, insert the flash drive into the infected computer before booting the system.
7. Once booted with the OTLPE CD, go to Start -> My Computer, then go to your flash drive, copy the batch file to the desktop, then double click it to run it.
8. Then go to C:\log.txt, copy it, and paste it back here as a reply to this post.

Note: You may have to copy and paste the log into the flash drive so you can post it back here.
 
Volume in drive C has no label.
Volume Serial Number is 54BF-ACF3

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}

05/17/2010 08:12 AM 454 drivetable.txt
05/14/2010 09:29 PM <DIR> RP1
05/16/2010 09:59 AM <DIR> RP2
05/17/2010 02:22 AM <DIR> RP3
05/17/2010 08:12 AM 24 _driver.cfg
05/16/2010 09:59 AM 23,268 _filelst.cfg
3 File(s) 23,746 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1

05/14/2010 09:29 PM <DIR> .
05/14/2010 09:29 PM <DIR> ..
05/13/2010 09:40 AM 1,143,079 A0000001.mfl
05/13/2010 11:07 AM 2,022,798 A0000002.mfl
05/06/2010 07:12 PM 521 A0000003.ini
05/13/2010 08:58 PM 521 A0000004.ini
05/13/2010 08:58 PM 521 A0000005.ini
08/10/2004 03:02 PM 1,476 A0000006.lnk
05/13/2010 08:40 PM 1,095 A0001004.ini
05/13/2010 08:40 PM 4,334 A0001005.ini
05/13/2010 08:40 PM 120 A0001006.ini
05/13/2010 08:41 PM 2,415 A0001007.ini
05/13/2010 11:22 AM 4,096 A0001008.dir
05/13/2010 11:22 AM 4,096 A0001009.dir
05/13/2010 11:25 AM 4,096 A0001010.dir
05/13/2010 11:25 AM 4,096 A0001011.dir
05/13/2010 08:34 PM 4,096 A0001012.dir
05/13/2010 08:37 PM 4,096 A0001013.dir
05/13/2010 08:37 PM 4,096 A0001014.dir
05/13/2010 08:37 PM 4,096 A0001015.dir
05/13/2010 08:38 PM 4,096 A0001016.dir
05/13/2010 08:55 PM 4,096 A0001017.dir
05/13/2010 08:55 PM 4,096 A0001018.dir
05/13/2010 09:01 PM 4,096 A0001019.dir
05/13/2010 11:22 AM 4,096 A0001020.dir
05/13/2010 11:22 AM 4,096 A0001021.dir
05/13/2010 08:46 PM 1,066,320 A0001022.exe
07/10/2007 06:14 PM 195,848 A0001023.exe
06/13/2007 03:25 PM 225,792 A0001024.dll
07/10/2007 06:14 PM 1,468,680 A0001025.dll
11/08/2007 09:18 PM 256 A0001026.ini
07/10/2007 06:14 PM 214,280 A0001027.dll
07/10/2007 06:14 PM 210,184 A0001028.dll
06/25/2007 02:24 PM 321,536 A0001029.dll
05/13/2010 08:46 PM 170 A0001030.ini
05/13/2010 08:58 PM 1,499,602 A0001031.mfl
04/26/2010 09:30 AM 3,045 A0001032.old
04/26/2010 09:52 AM 5,380 A0001033.old
05/13/2010 12:59 PM 222 A0001034.ULG
04/13/2010 10:04 PM 2,074 A0001035.ULG
06/19/2008 08:30 PM 598 A0001036.cfg
05/13/2010 02:54 PM 1,328 A0001037.ini
04/25/2010 11:14 PM 99 A0001038.old
04/25/2010 11:14 PM 243 A0001039.old
05/13/2010 11:21 PM 4,334 A0001043.ini
05/13/2010 11:21 PM 1,095 A0001044.ini
05/13/2010 11:21 PM 120 A0001045.ini
05/14/2010 02:24 AM 2,415 A0001046.ini
05/14/2010 12:15 AM 1,522,315 A0001047.mfl
05/14/2010 02:23 AM 1,066,320 A0001048.exe
07/10/2007 06:14 PM 195,848 A0001049.exe
06/13/2007 03:25 PM 225,792 A0001050.dll
07/10/2007 06:14 PM 1,468,680 A0001051.dll
11/08/2007 09:18 PM 256 A0001052.ini
07/10/2007 06:14 PM 214,280 A0001053.dll
07/10/2007 06:14 PM 210,184 A0001054.dll
06/25/2007 02:24 PM 321,536 A0001055.dll
05/19/2008 04:18 PM 238,856 A0001056.dll
08/21/2006 03:15 PM 6,725 A0001057.ini
05/14/2010 02:23 AM 170 A0001058.ini
05/14/2010 03:00 AM 3,047 A0001059.old
04/26/2010 09:54 AM 99 A0001060.old
04/26/2010 09:54 AM 111 A0001061.old
05/14/2010 03:03 AM 87,226 A0001062.old
05/13/2010 11:50 PM 4,096 A0001063.dir
05/14/2010 12:10 AM 4,096 A0001064.dir
05/14/2010 12:11 AM 4,096 A0001065.dir
05/14/2010 12:15 AM 4,096 A0001066.dir
05/14/2010 12:16 AM 4,096 A0001067.dir
05/14/2010 12:17 AM 4,096 A0001068.dir
05/14/2010 12:35 AM 4,096 A0001069.dir
05/14/2010 01:06 AM 4,096 A0001070.dir
05/13/2010 11:24 PM 4,096 A0001071.dir
05/13/2010 10:32 AM 4,096 A0001072.dir
05/13/2010 11:21 AM 702 A0001073.lnk
05/13/2010 11:21 AM 419 A0001074.lnk
05/13/2010 11:15 AM 437 A0001075.LNK
05/13/2010 09:47 AM 602 A0001076.LNK
05/14/2010 02:24 AM 1,328 A0001077.ini
05/13/2010 09:47 AM 1,032 A0001078.lnk
05/13/2010 09:47 AM 932 A0001079.LNK
05/13/2010 09:53 PM 18,398 change.log.1
05/14/2010 03:04 AM 404,910 change.log.2
05/14/2010 04:42 PM 1,048,376 change.log.3
05/14/2010 09:28 PM 667,368 change.log.4
05/14/2010 09:29 PM 134 drivetable.txt
05/14/2010 10:21 PM 8 RestorePointSize
05/13/2010 08:57 PM 536 rp.log
05/13/2010 08:57 PM <DIR> snapshot
86 File(s) 16,205,432 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\snapshot

05/13/2010 08:57 PM <DIR> .
05/13/2010 08:57 PM <DIR> ..
12/25/2007 03:38 PM 23,600 ComDb.Dat
05/13/2010 08:57 PM 26 domain.txt
05/13/2010 08:57 PM <DIR> Repository
05/13/2010 08:57 PM 24,576 _REGISTRY_MACHINE_SAM
05/13/2010 08:57 PM 53,248 _REGISTRY_MACHINE_SECURITY
05/13/2010 08:57 PM 44,105,728 _REGISTRY_MACHINE_SOFTWARE
05/13/2010 08:57 PM 8,130,560 _REGISTRY_MACHINE_SYSTEM
05/13/2010 08:57 PM 1,572,864 _REGISTRY_USER_.DEFAULT
12/08/2007 02:39 AM 262,144 _REGISTRY_USER_NTUSER_S-1-5-18
05/13/2010 08:57 PM 237,568 _REGISTRY_USER_NTUSER_S-1-5-19
05/13/2010 08:57 PM 233,472 _REGISTRY_USER_NTUSER_S-1-5-20
05/13/2010 08:57 PM 7,839,744 _REGISTRY_USER_NTUSER_S-1-5-21-3533347811-4231963961-3829418293-1006
05/13/2010 08:57 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
05/13/2010 08:57 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
05/13/2010 08:57 PM 241,664 _REGISTRY_USER_USRCLASS_S-1-5-21-3533347811-4231963961-3829418293-1006
14 File(s) 62,741,578 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\snapshot\Repository

05/13/2010 08:57 PM <DIR> .
05/13/2010 08:57 PM <DIR> ..
05/13/2010 08:40 PM 20 $WinMgmt.CFG
05/13/2010 08:57 PM <DIR> FS
1 File(s) 20 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\snapshot\Repository\FS

05/13/2010 08:57 PM <DIR> .
05/13/2010 08:57 PM <DIR> ..
05/13/2010 08:41 PM 1,187,840 INDEX.BTR
05/13/2010 08:41 PM 604 INDEX.MAP
05/13/2010 08:41 PM 4 MAPPING.VER
05/13/2010 08:41 PM 3,616 MAPPING1.MAP
05/13/2010 08:41 PM 3,616 MAPPING2.MAP
05/13/2010 08:41 PM 6,111,232 OBJECTS.DATA
05/13/2010 08:41 PM 3,012 OBJECTS.MAP
7 File(s) 7,309,924 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2

05/16/2010 09:59 AM <DIR> .
05/16/2010 09:59 AM <DIR> ..
05/14/2010 09:28 PM 23,218 A0001080.old
05/14/2010 08:38 PM 3,050 A0001081.old
04/14/2010 02:44 PM 234 A0001082.ULG
06/19/2008 08:30 PM 598 A0001083.cfg
05/14/2010 09:10 PM 1,066,320 A0001084.exe
07/10/2007 06:14 PM 195,848 A0001085.exe
06/13/2007 03:25 PM 225,792 A0001086.dll
07/10/2007 06:14 PM 1,468,680 A0001087.dll
11/08/2007 09:18 PM 256 A0001088.ini
07/10/2007 06:14 PM 214,280 A0001089.dll
07/10/2007 06:14 PM 210,184 A0001090.dll
06/25/2007 02:24 PM 321,536 A0001091.dll
05/14/2010 09:10 PM 170 A0001092.ini
05/14/2010 03:10 PM 2,415 A0001093.ini
05/14/2010 03:09 PM 1,328 A0001094.ini
05/07/2010 12:00 PM 468 A0001095.ini
05/14/2010 08:54 AM 4,334 A0002043.ini
05/14/2010 08:54 AM 1,095 A0002044.ini
05/14/2010 08:54 AM 120 A0002045.ini
05/14/2010 12:08 PM 1,653,780 A0002046.mfl
05/15/2010 12:11 AM 2,415 A0002047.ini
05/15/2010 12:13 PM 1,066,320 A0002048.exe
07/10/2007 06:14 PM 195,848 A0002049.exe
06/13/2007 03:25 PM 225,792 A0002050.dll
07/10/2007 06:14 PM 1,468,680 A0002051.dll
11/08/2007 09:18 PM 256 A0002052.ini
07/10/2007 06:14 PM 214,280 A0002053.dll
07/10/2007 06:14 PM 210,184 A0002054.dll
06/25/2007 02:24 PM 321,536 A0002055.dll
05/15/2010 12:13 PM 170 A0002056.ini
05/15/2010 12:11 AM 1,328 A0002057.ini
06/19/2008 08:30 PM 598 A0002058.cfg
05/15/2010 06:54 AM 1,048,382 change.log.1
05/15/2010 04:35 PM 1,048,414 change.log.2
05/15/2010 06:04 PM 155,900 change.log.3
05/16/2010 09:48 AM 62,890 change.log.4
05/16/2010 09:59 AM 454 drivetable.txt
05/16/2010 12:35 PM 8 RestorePointSize
05/14/2010 09:29 PM 536 rp.log
05/14/2010 09:29 PM <DIR> snapshot
39 File(s) 11,417,697 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\snapshot

05/14/2010 09:29 PM <DIR> .
05/14/2010 09:29 PM <DIR> ..
12/25/2007 03:38 PM 23,600 ComDb.Dat
05/14/2010 09:29 PM 26 domain.txt
05/14/2010 09:29 PM <DIR> Repository
05/14/2010 09:29 PM 24,576 _REGISTRY_MACHINE_SAM
05/14/2010 09:29 PM 53,248 _REGISTRY_MACHINE_SECURITY
05/14/2010 09:29 PM 44,105,728 _REGISTRY_MACHINE_SOFTWARE
05/14/2010 09:29 PM 8,130,560 _REGISTRY_MACHINE_SYSTEM
05/14/2010 09:29 PM 1,572,864 _REGISTRY_USER_.DEFAULT
12/08/2007 02:39 AM 262,144 _REGISTRY_USER_NTUSER_S-1-5-18
05/14/2010 09:29 PM 237,568 _REGISTRY_USER_NTUSER_S-1-5-19
05/14/2010 09:29 PM 233,472 _REGISTRY_USER_NTUSER_S-1-5-20
05/14/2010 09:29 PM 7,860,224 _REGISTRY_USER_NTUSER_S-1-5-21-3533347811-4231963961-3829418293-1006
05/14/2010 09:29 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
05/14/2010 09:29 PM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
05/14/2010 09:29 PM 241,664 _REGISTRY_USER_USRCLASS_S-1-5-21-3533347811-4231963961-3829418293-1006
14 File(s) 62,762,058 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\snapshot\Repository

05/14/2010 09:29 PM <DIR> .
05/14/2010 09:29 PM <DIR> ..
05/14/2010 08:54 AM 20 $WinMgmt.CFG
05/14/2010 09:29 PM <DIR> FS
1 File(s) 20 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\snapshot\Repository\FS

05/14/2010 09:29 PM <DIR> .
05/14/2010 09:29 PM <DIR> ..
05/14/2010 09:08 PM 1,187,840 INDEX.BTR
05/14/2010 09:08 PM 604 INDEX.MAP
05/14/2010 09:08 PM 4 MAPPING.VER
05/14/2010 08:08 PM 3,616 MAPPING1.MAP
05/14/2010 09:08 PM 3,616 MAPPING2.MAP
05/14/2010 09:08 PM 6,111,232 OBJECTS.DATA
05/14/2010 09:08 PM 3,012 OBJECTS.MAP
7 File(s) 7,309,924 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3

05/17/2010 02:22 AM <DIR> .
05/17/2010 02:22 AM <DIR> ..
05/16/2010 08:17 AM 1,066,320 A0002194.exe
07/10/2007 06:14 PM 195,848 A0002195.exe
06/13/2007 03:25 PM 225,792 A0002196.dll
07/10/2007 06:14 PM 1,468,680 A0002197.dll
11/08/2007 09:18 PM 256 A0002198.ini
07/10/2007 06:14 PM 214,280 A0002199.dll
07/10/2007 06:14 PM 210,184 A0002200.dll
06/25/2007 02:24 PM 321,536 A0002201.dll
05/19/2008 04:18 PM 238,856 A0002202.dll
08/21/2006 03:15 PM 6,725 A0002203.ini
05/16/2010 08:17 AM 170 A0002204.ini
05/11/2010 12:16 PM 2,485 A0002292.lnk
05/14/2010 09:11 PM 702 A0002293.lnk
05/14/2010 09:11 PM 419 A0002294.lnk
05/14/2010 09:09 PM 4,096 A0002295.dir
05/14/2010 09:10 PM 4,096 A0002296.dir
05/14/2010 09:10 PM 4,096 A0002297.dir
05/14/2010 09:10 PM 4,096 A0002298.dir
05/14/2010 09:11 PM 4,096 A0002299.dir
05/14/2010 09:11 PM 4,096 A0002300.dir
05/15/2010 05:12 PM 4,096 A0002301.dir
05/15/2010 05:12 PM 4,096 A0002302.dir
05/15/2010 05:12 PM 4,096 A0002303.dir
05/15/2010 05:12 PM 4,096 A0002304.dir
05/14/2010 09:09 PM 4,096 A0002305.dir
05/15/2010 06:16 PM 4,096 A0002306.dir
05/15/2010 06:16 PM 4,096 A0002307.dir
05/15/2010 06:16 PM 4,096 A0002308.dir
05/14/2010 08:59 PM 1,032 A0002309.lnk
05/14/2010 09:09 PM 4,096 A0002527.dir
05/13/2010 08:33 PM 0 A0002614.VDB
05/16/2010 08:18 AM 2,415 A0002615.ini
05/15/2010 08:13 PM 1,653,780 A0002616.mfl
05/08/2010 11:23 AM 803 A0002617.ini
05/08/2010 11:26 AM 1,713 A0002618.ini
04/15/2010 02:05 PM 452 A0002619.ULG
05/16/2010 08:18 AM 1,328 A0002620.ini
05/08/2010 12:13 PM 20,423 A0002621.ini
05/17/2010 08:12 AM 636,520 change.log
05/16/2010 09:59 AM 8 RestorePointSize
05/16/2010 09:59 AM 536 rp.log
05/16/2010 09:59 AM <DIR> snapshot
41 File(s) 6,332,703 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot

05/16/2010 09:59 AM <DIR> .
05/16/2010 09:59 AM <DIR> ..
12/25/2007 03:38 PM 23,600 ComDb.Dat
05/16/2010 09:59 AM 26 domain.txt
05/16/2010 09:59 AM <DIR> Repository
05/16/2010 09:59 AM 24,576 _REGISTRY_MACHINE_SAM
05/16/2010 09:59 AM 53,248 _REGISTRY_MACHINE_SECURITY
05/16/2010 09:59 AM 44,105,728 _REGISTRY_MACHINE_SOFTWARE
05/16/2010 09:59 AM 8,130,560 _REGISTRY_MACHINE_SYSTEM
05/16/2010 09:59 AM 1,572,864 _REGISTRY_USER_.DEFAULT
12/08/2007 02:39 AM 262,144 _REGISTRY_USER_NTUSER_S-1-5-18
05/16/2010 09:59 AM 237,568 _REGISTRY_USER_NTUSER_S-1-5-19
05/16/2010 09:59 AM 233,472 _REGISTRY_USER_NTUSER_S-1-5-20
05/16/2010 09:59 AM 7,876,608 _REGISTRY_USER_NTUSER_S-1-5-21-3533347811-4231963961-3829418293-1006
05/16/2010 09:59 AM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-19
05/16/2010 09:59 AM 8,192 _REGISTRY_USER_USRCLASS_S-1-5-20
05/16/2010 09:59 AM 241,664 _REGISTRY_USER_USRCLASS_S-1-5-21-3533347811-4231963961-3829418293-1006
14 File(s) 62,778,442 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\Repository

05/16/2010 09:59 AM <DIR> .
05/16/2010 09:59 AM <DIR> ..
05/15/2010 06:14 PM 20 $WinMgmt.CFG
05/16/2010 09:59 AM <DIR> FS
1 File(s) 20 bytes

Directory of C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\Repository\FS

05/16/2010 09:59 AM <DIR> .
05/16/2010 09:59 AM <DIR> ..
05/16/2010 09:22 AM 1,187,840 INDEX.BTR
05/16/2010 09:22 AM 604 INDEX.MAP
05/16/2010 09:23 AM 4 MAPPING.VER
05/15/2010 10:16 PM 3,616 MAPPING1.MAP
05/16/2010 09:22 AM 3,616 MAPPING2.MAP
05/16/2010 09:22 AM 6,111,232 OBJECTS.DATA
05/16/2010 09:22 AM 3,012 OBJECTS.MAP
7 File(s) 7,309,924 bytes

Total Files Listed:
235 File(s) 244,191,488 bytes
36 Dir(s) 22,671,134,720 bytes free
 
OK. Restore points are there :)
Now, give me a few minutes to prepare the next step for you...
 
Using your clean working computer do the following:

1. Go to Start -> Run, and type notepad into the box.
2. Click OK.
3. Copy and paste the following code into Notepad:

Code:
REM Set the current (corrupted) hives aside under a .123 name; nothing is deleted
Ren C:\windows\system32\config\SYSTEM SYSTEM.123
Ren C:\windows\system32\config\SAM SAM.123
Ren C:\windows\system32\config\SECURITY SECURITY.123
Ren C:\windows\system32\config\SOFTWARE SOFTWARE.123
Ren C:\windows\system32\config\DEFAULT DEFAULT.123

REM Stage the RP3 snapshot copies of the hives in C:\ first
Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SAM" C:\
Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SECURITY" C:\
Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SOFTWARE" C:\
Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_MACHINE_SYSTEM" C:\
Copy "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\snapshot\_REGISTRY_USER_.DEFAULT" C:\

REM Put the snapshot copies in place of the renamed hives
Copy C:\_REGISTRY_MACHINE_SAM C:\windows\system32\config\SAM
Copy C:\_REGISTRY_MACHINE_SECURITY C:\windows\system32\config\SECURITY
Copy C:\_REGISTRY_MACHINE_SOFTWARE C:\windows\system32\config\SOFTWARE
Copy C:\_REGISTRY_MACHINE_SYSTEM C:\windows\system32\config\SYSTEM
Copy C:\_REGISTRY_USER_.DEFAULT C:\windows\system32\config\DEFAULT

REM Remove this batch file after it has run
Del %0

4. Go to File -> Save As, then enter: ren.bat (save it as All Files (*.*))
5. Then save it on the flash drive. Do NOT save this file on the working computer.
6. After that, insert the flash drive into the infected computer before booting the system.
7. Once booted with the OTLPE CD, go to Start -> My Computer, then go to your flash drive, copy the batch file to the desktop, then double click it to run it.
8. See if you can boot the bad computer normally.
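The snapshot Broni picks out of the listing by eye (the newest RPn\snapshot that holds all five hives the batch copies) can be chosen programmatically. This is an added example, not from the thread or the OTLPE tool: it parses a constructed excerpt in the `dir "C:\System Volume Information" /s` layout (GUID replaced by a placeholder) and skips any snapshot whose hive set is incomplete or contains an empty file, the case a hand-picked "newest RP" can miss.

```python
import re
from datetime import datetime

# Hives the recovery batch above swaps in; a snapshot is usable only if every one is present.
REQUIRED_HIVES = ("_REGISTRY_MACHINE_SAM", "_REGISTRY_MACHINE_SECURITY",
                  "_REGISTRY_MACHINE_SOFTWARE", "_REGISTRY_MACHINE_SYSTEM",
                  "_REGISTRY_USER_.DEFAULT")

# Constructed excerpt in the layout of `dir "C:\System Volume Information" /s`
# (GUID is a placeholder; RP3's SYSTEM hive is 0 bytes on purpose to exercise the check).
SAMPLE_LOG = r"""
 Directory of C:\System Volume Information\_restore{GUID-PLACEHOLDER}

05/14/2010  09:29 PM    <DIR>          RP1
05/17/2010  02:22 AM    <DIR>          RP3

 Directory of C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP1\snapshot

05/13/2010  08:57 PM            24,576 _REGISTRY_MACHINE_SAM
05/13/2010  08:57 PM            53,248 _REGISTRY_MACHINE_SECURITY
05/13/2010  08:57 PM        44,105,728 _REGISTRY_MACHINE_SOFTWARE
05/13/2010  08:57 PM         8,130,560 _REGISTRY_MACHINE_SYSTEM
05/13/2010  08:57 PM         1,572,864 _REGISTRY_USER_.DEFAULT

 Directory of C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP3\snapshot

05/16/2010  09:59 AM            24,576 _REGISTRY_MACHINE_SAM
05/16/2010  09:59 AM            53,248 _REGISTRY_MACHINE_SECURITY
05/16/2010  09:59 AM        44,105,728 _REGISTRY_MACHINE_SOFTWARE
05/16/2010  09:59 AM                 0 _REGISTRY_MACHINE_SYSTEM
05/16/2010  09:59 AM         1,572,864 _REGISTRY_USER_.DEFAULT
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_snapshots(log_text):
    """Map each ...\\RPn\\snapshot directory to {hive name: (size_bytes, timestamp)}."""
    snapshots, current = {}, None
    for line in log_text.splitlines():
        d = DIR_RE.match(line)
        if d:
            path = d.group(1)
            current = path if path.lower().endswith("\\snapshot") else None
            if current:
                snapshots[current] = {}
            continue
        f = FILE_RE.match(line)  # <DIR> rows never match: the size field must be numeric
        if current and f and f.group(4) in REQUIRED_HIVES:
            stamp = datetime.strptime(f"{f.group(1)} {f.group(2)}", "%m/%d/%Y %I:%M %p")
            snapshots[current][f.group(4)] = (int(f.group(3).replace(",", "")), stamp)
    return snapshots


def usable(hives):
    """A complete hive set with no empty file; an empty hive would not load at boot."""
    return all(h in hives and hives[h][0] > 0 for h in REQUIRED_HIVES)


def pick_snapshot(snapshots):
    """Newest usable snapshot path (by hive timestamp), or None if no restore point qualifies."""
    good = {p: h for p, h in snapshots.items() if usable(h)}
    if not good:
        return None
    return max(good, key=lambda p: max(t for _, t in good[p].values()))
```

On the constructed log this returns the RP1 snapshot, not RP3, because RP3's SYSTEM hive is empty; on a real log.txt the same functions read the file contents instead of SAMPLE_LOG.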
 
Dear Broni, I followed your instructions, and upon trying to start the computer normally I got a new error message saying "Windows could not start because the following file is missing or corrupt: System32\Drivers\Ntfs.sys". Awaiting your guidance. Thanks again for helping me so much with this; you're really doing me a huge favor.
 
OK. Hopefully, we're getting somewhere.
Go back to my post #12.
Since you have the OTLPE CD already created, boot from it and follow the instructions from my post #12, starting with:
"Your system should now display a REATOGO-X-PE desktop."
The script, which I posted there in red, will be slightly different:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
Ntfs.sys
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
userinit.exe
explorer.exe
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
 
Another 5 am evening haha... here is the log that you asked for, although when running OTLPE I was never asked if I wanted to load the remote registry, and it had the options for standard registry and extra registry. I only checked all under standard because the directions didn't specify one or the other or both. Thanks

Cheers,
Vuk
 
"Another 5 am evening haha"
Sorry for that... hehehe

Very good :)
Since you're able to run OTLPE, that means we were able to fix the corrupted system hive.
Now we'll try to fix the NTFS.SYS issue.

Do this on the computer you are posting from:
Copy the text in the codebox below:

Code:
:OTL

:Services

:Reg

:Files
C:\WINDOWS\system32\drivers\ntfs.sys|C:\WINDOWS\ServicePackFiles\i386\ntfs.sys /replace

:Commands
[purity]
[emptytemp]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive.

On the infected computer, do the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into windows.
 
Broni, here is the log you asked for. I tried booting up the computer normally; it got past the part where an error came up last time, although now it's stuck at the first Windows screen that appears. The computer is not frozen, I don't think, because the progress bar is still moving, but it has taken over 5 minutes to boot, so I don't think it's happening.
 

Attachment: 05222010_222422.log (3 KB)
Mmk, so I fired it up in safe mode and now it says: Windows could not start because the following file is missing or corrupt: <Windows root>\system32\ntoskrnl.exe
 
I just wonder how many more system files are missing/corrupted?

Let's give it another shot.
You'll have to boot to OTLPE CD and run another OTL scan.

New code:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
ntoskrnl.exe
Ntfs.sys
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
userinit.exe
explorer.exe
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
 
Yeah, it does seem a bit excessive. I just wonder how all this happened and if it has to do with my external hard drive or what. But anyhow, here is the OTL log.
 

Attachment: OTL.Txt (184.1 KB)
Do this on the computer you are posting from:
Copy the text in the codebox below:

Code:
:OTL

:Services

:Reg

:Files
C:\WINDOWS\system32\ntoskrnl.exe|C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe /replace

:Commands
[purity]
[emptytemp]

Open Notepad and paste it.
Save the document as Fix.txt onto a USB flash drive.

On the infected computer, do the following...

Run OTLPE

  • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
    • (The content of Fix.txt should appear in the box)
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log produced (you'll need to transfer it with USB stick)
  • Attempt to reboot normally into windows.
 
When starting in safe mode it starts loading; the last output on screen is "loading windows\system32\drivers\mup.sys", then it restarts the computer.
 
OK, we can keep playing around, if you wish, replacing those system files, but surely we can't do it forever.
Let's give it a couple more shots.

New OTLPE script:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
mup.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
 
Hey Broni, sorry, I went on an outing for the day yesterday, and yes, I agree, I don't think we can keep this up forever. What would be my options after that? And is that a fix or a scan for OTL?
 