[JSntgRvr]

Lets try an alternate Recovery Console.

• Please download BurnAtOnce and save it to your desktop. Click on Downloads, then on burnatonce 0.99.5
  
  • Install it by double-clicking on the file bao0995.exe that you downloaded.
  • Click Next, accept the license agreement, and click Next until the button says "Install". Click "Install" to finish.
• Download the rc.iso file.
• Save it to your desktop.
• Put a blank CD in your computer’s burner.
• Right-click on the file rc.iso, and select "burnatonce" from the menu.
• Confirm that the box under the menu at the top says "rc.iso".
• Click the "Write" button.
• When the disk finishes, eject the CD.
• Configure the computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
• Insert the Image of rc.iso that you copied to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
• When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
• You will be prompted with the following options:
  

  A. To setup Windows XP, press Enter.
  B. To repair Windows XP installation using recovery console, press R.
  
  Choose the option, "To repair the Windows XP installation using recovery console", press R. If an Administrator Password have been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

• You will be presented with the following:
  
  
  

  Microsoft Windows® Recovery Console
  
  The Recovery Console provides system repair and recovery functionality.
  Type EXIT to quit the Recovery Console and restart the computer.
  
  1: C:\WINDOWS
  
  Which Windows Installation would you like to log onto
  (To cancel, press ENTER)?

• Press the number 1 on your keyboard and hit Enter.
  
• At the command prompt, type the following command and press Enter:
  
  Disable tzkybkkt
  Del c:\windows\system32\drivers\tzkybkkt.sys (Make sure you use back slashes "\")

Type Exit and press Enter. Take the CD out of the drive and let the computer restart.

[Advertisements]

ok so i downloaded the stuff you told me.. but when i went to write the iso image to the disc i got this from the burn at once program:


Error 70: Permission denied
Error occurred in: frmMain:cmdWrite_Click

App Version: 0.99.5 Windows Version: 6.0.6001


however, i was able to burn the image to the disc by clicking ignore on the prompts that gave me that log above and i used the disk like you said and went throuh the recovery process but i'm still getting the same thing, i don't know maybe when i clicked on the ignore button it skipped some stuff that i might've needed i don't know???

[pauliede38]

ok so i downloaded the stuff you told me.. but when i went to write the iso image to the disc i got this from the burn at once program:


Error 70: Permission denied
Error occurred in: frmMain:cmdWrite_Click

App Version: 0.99.5 Windows Version: 6.0.6001


however, i was able to burn the image to the disc by clicking ignore on the prompts that gave me that log above and i used the disk like you said and went throuh the recovery process but i'm still getting the same thing, i don't know maybe when i clicked on the ignore button it skipped some stuff that i might've needed i don't know???

[pauliede38]

i tought i should mention that the pc i'm communicating from is running VISTA and the infected pc is running xp i don't know if that makes any difference

[JSntgRvr]

ok so i downloaded the stuff you told me.. but when i went to write the iso image to the disc i got this from the burn at once program:


Error 70: Permission denied
Error occurred in: frmMain:cmdWrite_Click

App Version: 0.99.5 Windows Version: 6.0.6001


however, i was able to burn the image to the disc by clicking ignore on the prompts that gave me that log above and i used the disk like you said and went throuh the recovery process but i'm still getting the same thing, i don't know maybe when i clicked on the ignore button it skipped some stuff that i might've needed i don't know???

VISTA should not make a difference. Were you able to boot to the Recovery Console? If yes, which prompt, C:\Windows or just C:\?

[pauliede38]

This is the command prompt i get:

C:\WINDOWS>

[JSntgRvr]

Lets rename the Boot.ini:

At the C:\WINDOWS> prompt type the following and press Enter:

Ren C:\Boot.ini Boot.ini.old

Type Exit and press Enter to re-start the computer. Ignore any error message. Are you able to boot into windows?

To reverse the above command type:

Ren C:\Boot.ini.old Boot.ini

[pauliede38]

Nope no luck

[JSntgRvr]

If the above does not force Windows to start, at the C:\Windows prompt type the following and press Enter after each line:

cd ERDNT
Dir

Write down the list of folders on screen and post it in a reply.

[pauliede38]

This is what i Got:


The volume in drive C has no label
The volume Serial Number is 087d-eccf

Directory of C:\Windows|ERDNT

08/24/09 10:30P d------- 0 .
08/24/09 10:30p d------- 0 ..
2 file(s) 0 bytes
15682383872 bytes free

[JSntgRvr]

There is a lot of information missing. Since you ran Combofix, although from the D:\ drive, there should be a couple of folders within the ERDNT folder such as sUBs and hiv-backup.

At the C:\Windows prompt type cd ERDNT\subs. Does it returns an error message?

[pauliede38]

yes it states the following:


The system cannot find the file or directory specified.

[JSntgRvr]

All registry backups are no longer available.

Have you tried booting in Safe Mode, Last Known Configuration, Safe Mode with command prompt... Etc..?

[pauliede38]

yes i have tried all of them, no luck...

[JSntgRvr]

I don't know if the problem is due to missing files and folders, which is what it seems to be, but I can attempt to load the First Run Registry and give it a try. Make sure you use the exact syntax.

At the C:\Windows prompt type the following and press Enter after each line:

cd System32\Config
Ren System System.old
Ren Sam Sam.old
Ren Security Security.old
Ren Software Software.old
Ren Default Default.old
Copy C:\Windows\Repair\System
Copy C:\Windows\Repair\Sam
Copy C:\Windows\Repair\Security
Copy C:\Windows\Repair\Software
Copy C:\Windows\Repair\Default

Type Exit to restart the computer.

[pauliede38]

well it looks like we might be getting somewhere it's now performing a diskcheck its in the CHKDSK mode it's deleted a few corrupt attributes so i'm gonna let it run and see what happens