ArthurOPlasty

help with sys restore: problems after running GMER


[quote name='Blade81' post='116818' date='Feb 18 2010, 02:57 AM']Hi,

Please run this command in command prompt:
[b]dir /s/a \erdnt.con[/b]

Note down locations (if any).[/quote]

It says

Volume in drive C is S3A6274D004
Volume Serial Number is FE5D-6C8E

Directory of C:\Users\Roo\Desktop\reg backup\7-02-2010

Hi,

In command prompt, type these commands one by one (hit enter after each):
[b]c:
cd\Users\Roo\Desktop\reg backup\7-02-2010
batch erdnt.con[/b]

[quote name='Blade81' post='116829' date='Feb 18 2010, 03:32 AM']Hi,

In command prompt, type these commands one by one (hit enter after each):
[b]c:
cd\Users\Roo\Desktop\reg backup\7-02-2010
batch erdnt.con[/b][/quote]

it says
'batch' is not recognized as an internal or external command, operable program or batch file.

Hi,

While still in C:\Users\Roo\Desktop\reg backup\7-02-2010 folder please type this:
[b]erdnt.exe[/b]

[quote name='Blade81' post='116831' date='Feb 18 2010, 03:51 AM']Hi,

While still in C:\Users\Roo\Desktop\reg backup\7-02-2010 folder please type this:
[b]erdnt.exe[/b][/quote]

it comes up with a pop up saying

with this program you can restore a registry backup of your windows NT/2000/XP system.

i have vista though, should I click on okay?

[quote name='Blade81' post='116837' date='Feb 18 2010, 04:04 AM']Yes, allow it to restore.[/quote]

okay, done it. Computer still seems the same though. Should I restart my computer?

Is there anything else I should do while I still have this vista recovery window open? I had trouble getting into it last time trying to get the right timing when pressing esc.

Hi,

After ERUNT has done its job please reboot and see if you're now able to log into normal mode properly.

[quote name='Blade81' post='116839' date='Feb 18 2010, 04:11 AM']Hi,

After ERUNT has done its job please reboot and see if you're now able to log into normal mode properly.[/quote]

nope doesn't work. still the same.

Hi,

Then I'm afraid the only solution is to backup your important documents, music, pictures and videos to removable drive in command prompt and then use that Toshiba recovery wizard (available in that advanced bootup menu) to restore system back to factory defaults.

[quote name='Blade81' post='116844' date='Feb 18 2010, 05:31 AM']Hi,

Then I'm afraid the only solution is to backup your important documents, music, pictures and videos to removable drive in command prompt and then use that Toshiba recovery wizard (available in that advanced bootup menu) to restore system back to factory defaults.[/quote]


how do I back up things from command prompt? I do not need all of the c drive backed up, I have most things. I just need a few folders and files, but I can't remember exactly what they're called or where they are. Is there some sort of way of just browsing the files and then choosing which ones I want?

Also do you think I should try system restore first? Or do you think that the malware might block it from running completely?

Hi,

[quote]how do I back up things from command prompt? I do not need all of the c drive backed up, I have most things. I just need a few folders and files, but I can't remember exactly what they're called or where they are. Is there some sort of way of just browsing the files and then choosing which ones I want?[/quote]
You can use dir command for searching. If you recall file/folder names we can try to create a batch that lists the locations.

[quote]Also do u think I should try system restore first? Or do you think that the malware might block it from running completely?[/quote]
Yes, you could attempt that since the option is available there.

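Blade81's suggestion above (use dir to search, then a batch that lists the locations) written out as an added example batch script; this is not Blade81's or ERUNT's code and was not posted in the thread. It assumes the Windows installation is on C: with the profile at C:\Users\Roo (as the earlier erdnt output showed) and that the removable drive is E:; both letters would need adjusting in a real recovery command prompt.

```batch
@echo off
rem Added example, not from the thread: find user files by name pattern from a
rem recovery-environment command prompt and copy chosen folders to a removable drive.
rem Assumptions: Windows is on C:, the profile is C:\Users\Roo, removable drive is E:.
setlocal
set "PROFILE=C:\Users\Roo"
set "DEST=E:\backup"

if not exist "%DEST%" mkdir "%DEST%"

rem Step 1: list matching files recursively so you can see where they live.
rem /s searches subfolders, /b gives bare paths, /a-d skips directory entries.
echo Searching %PROFILE% for document, picture and music files ...
for %%P in (*.doc *.docx *.xls *.xlsx *.pdf *.jpg *.mp3) do (
    dir /s /b /a-d "%PROFILE%\%%P" 2>nul
)

rem Step 2: copy whole profile folders you care about.
rem /e copies subfolders (including empty ones), /h includes hidden and system
rem files, /i treats the destination as a folder, /c keeps going after errors,
rem /y suppresses overwrite prompts.
for %%D in (Documents Pictures Music Videos Desktop) do (
    if exist "%PROFILE%\%%D" (
        echo Copying %%D ...
        xcopy "%PROFILE%\%%D" "%DEST%\%%D" /e /h /i /c /y
    )
)

echo Done. Check %DEST% on another machine before restoring factory defaults.
endlocal
```

Save it as backup.bat on the removable drive and run it from the recovery command prompt; the dir listing appears first, so you can stop and adjust the folder list before anything is copied.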
[quote name='Blade81' post='116900' date='Feb 19 2010, 01:32 AM']Hi,
You can use dir command for searching. If you recall file/folder names we can try to create a batch that lists the locations.
Yes, you could attempt that since the option is available there.[/quote]

sys restore worked, I can see my desktop now. Still got the malware though, I could not restore to a point before the infection, there was not anything listed.

I'm running adaware now to quarantine the file, then will run HijackThis and post the logs.

Should I try running GMER again?

Great! Let's see DDS log instead of hjt:
Download DDS and save it to your desktop from [url="http://www.techsupportforum.com/sectools/sUBs/dds"][b][color="seagreen"]here[/color][/b][/url] or [url="http://download.bleepingcomputer.com/sUBs/dds.scr"][b][color="seagreen"]here[/color][/b][/url] or [url="http://www.forospyware.com/sUBs/dds"][b][color="seagreen"]here[/color][/b][/url].
Disable any script blocker, and then double click [b]dds.scr [/b]to run the tool. [list]
[*]When done, DDS will open two (2) logs: [list=1]
[*] DDS.txt
[*] Attach.txt
[/list]
[*]Save both reports to your desktop. Post them back to your topic.
[/list]
Let's skip GMER scan for now.

Okay here is the DDS log. I've also included two adaware scan logs. The one named scan log 3 was taken before the GMER problem, when it detected the malware. The one named log 4 was taken today, after the system restore, which didn't detect anything. When I restarted the computer, the malware pop ups still appeared - with one saying I have been infected with Win32.Netsky, and a few ones saying this file is infected, etc. but they have stopped now and internet explorer goes to the homepage now, instead of opening up a thousand different pages like it did before. I'm still d/c from the internet, and don't want to connect again until I know all the stuff has been cleared.

Hi again,

[color="#FF0000"]DC++[/color]

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My [b]recommendation is to uninstall these (and others if present) P2P file sharing programs[/b].



Please visit this webpage for download links, and instructions for running ComboFix tool:

[url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url]

[color="Blue"]Please ensure you read this guide carefully first.[/color]


Please continue as follows:
[list=1]
[*][b]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix[/b], [url="http://www.bleepingcomputer.com/forums/topic114351.html"]link[/url]
Remember to re-enable them afterwards.


[*]Click [b]Yes[/b] to allow ComboFix to continue scanning for malware.
[/list]
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

[b]C:\ComboFix.txt
New dds log.[/b]

[color="#ff0000"][b]A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.[/b][/color]

[quote name='Blade81' post='116952' date='Feb 20 2010, 03:13 AM'][color="#ff0000"][b]A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.[/b][/color][/quote]


Wow, that has me worried. What could the application end up doing? What would happen if I don't correctly disable my antivirus? I'm not sure I know how to do that properly. Do you know if the tool works, or is it something created by some random to intentionally damage your computer?

Hi,

By following [url="http://www.bleepingcomputer.com/forums/topic114351.html"]instructions[/url] you should be able to disable protection properly.

I've run Combofix, but soon after starting my computer came up with the blue screen and restarted. It said something about boot cleaning, on the black screen I selected start windows normally. The computer loaded up fine, and there were no malware pop ups at all this time.

I don't think the scan completed though, because the progress stages were not displayed on the screen, and there was no log saved (there is one Combofix file in C:, but it is not a text file and it is 15mb). I tried running it again, and the same thing happened. I have all my antivirus and malware programs disabled, as well as the firewall, and have no programs open. What should I do now?

Hi,

Please try to run ComboFix in safe mode.

[quote name='Blade81' post='116987' date='Feb 20 2010, 09:26 AM']Hi,

Please try to run ComboFix in safe mode.[/quote]

After running in safe mode it completes the first 2 stages, then shows a pop up saying:

PEV.cfxxe - Corrupt File
The file or directory C:\Windows\System32\Drivers\en-US is corrupt and unreadable. Please run the Chkdsk utility.

The only button is okay. I clicked it and it did not go away. After 30 minutes the scan was not progressing, so I tried closing it and it wouldn't close. In the blue window it says the system cannot find message text for message number 0x237b in the message file for Application. Should I try running chkdsk with this application still open or should I restart and then do it?

Hi,

Try to run GMER by making sure that only these options are selected:
-IAT/EAT
-Devices
-Processes
-Threads

GMER has now been scanning for about 90 mins, is that normal?

Down the bottom it seems like it is getting through the files really slowly, it will pause for about 10 seconds then flick through a few. It is still on the IAT.

I've noticed a few files that have been scanned twice, I think the scan might be looping over the same files over and over again.

Hi,

Are you running the scan in normal or safe mode? Is protection software disabled? Running in normal mode usually takes more time since there are more processes running.

[quote name='Blade81' post='117040' date='Feb 21 2010, 04:12 AM']Hi,

Are you running the scan in normal or safe mode? Is protection software disabled? Running in normal mode takes usually more time since there're more processes running.[/quote]

I was running it in normal mode. The scan finished now. It came up with a box saying GMER did not detect any system modifications. I can't seem to save the log, I click on save and nothing happens.
