Table of Contents

1. What is the Recovery Console?
2. How to install the Recovery Console to your hard drive
3. How to start the Recovery Console
4. Remove the prompting of a password
5. How to use the Recovery Console
6. Deleting the Recovery Console

What is the Recovery Console?

The Recovery Console is a special boot-up environment used to fix problems that prevent
a Windows installation from booting properly. It lets you access files, format drives,
disable and enable services and drivers, and perform other repair tasks from a console
prompt while the operating system itself is not loaded. It should only be used after Safe
Mode and the other standard startup options have failed. It is also useful in other
situations, such as removing malware files that start in both Safe Mode and normal mode
and therefore cannot be deleted from within Windows: because the infected installation is
not running, its drivers and services, including a rootkit's, are not loaded and cannot
protect those files.

This tutorial will guide you through the installation of the Recovery Console and how to
use it. For those who are familiar with DOS or the command prompt, you will find the
Recovery Console to be very familiar. For those who are not comfortable with this type
of environment, I suggest you read through this primer in order to get familiar with this
type of interface:

Introduction to the Windows Command Prompt

How to install the Recovery Console to your hard drive

I recommend that you install the Recovery Console directly onto your computer so that if
you need it in the future, it is readily available. The Recovery Console only takes up
approximately 7 megabytes so there is no reason why you should not have it installed in
case you need it.

To install the Recovery Console on your hard drive, follow these steps:

1. Insert the Windows XP CD into your CD-ROM drive.

2. Click the Start button.

3. Click the Run menu option.

4. In the Open: field type X:\i386\winnt32.exe /cmdcons, where X is the drive
letter for your CD reader, and press the OK button. An image of this step can be
found below:
5. After pressing the OK button a setup window will appear similar to the one
below.

Simply press the Yes button to continue with the installation of the Recovery
Console. The setup program will then attempt to do a Dynamic Update to make
sure you have the latest files as shown below.
Simply allow it to continue and then when it is finished, you will be presented
with a screen similar to the one below telling you so.

6. Press the OK button and remove the CD from your computer.

Now when you start your computer you will have an option to start the Recovery
Console.
How to start the Recovery Console

To start the Recovery Console when it is installed on your hard drive you would do the
following:

1. Reboot your computer and as Windows starts it will present you with your startup
options as shown in the figure below.

2. With the arrows keys on your keyboard select the option listed as Microsoft
Windows Recovery Console and press the enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you
would like to log on to. If you have multiple Windows installations, it will list
each one, and you would enter the number associated with the installation you
would like to work on and press enter. If you have just one Windows installation,
type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password,
simply press enter. Otherwise type in the password and then press enter. If you
do not know your password then see this.
5. If you entered the correct password you will now be presented with a
C:\Windows> prompt and you can start using the Recovery Console.

6. Proceed to How to use the Recovery Console.

To start the Recovery Console directly from the Windows XP CD you would do the
following:

1. Insert the Windows XP cd in your computer.

2. Restart your computer so you are booting off of the CD.

3. When the Welcome to Setup screen appears, press the R button on your keyboard
to start the Recovery Console.

4. The Recovery Console will start and ask you which Windows installation you
would like to log on to. If you have multiple Windows installations, it will list
each one, and you would enter the number associated with the installation you
would like to work on and press enter. If you have just one Windows installation,
type 1 and press enter.

5. It will then prompt you for the Administrator's password. If there is no password,
simply press enter. Otherwise type in the password and then press enter. If you
do not know your password then see this.

6. If you entered the correct password you will now be presented with a
C:\Windows> prompt and you can start using the Recovery Console.

7. Proceed to How to use the Recovery Console.

Remove the prompting of a password

When the Recovery Console starts it asks for the Administrator password before
continuing. In many cases, when XP came pre-installed on the computer, the Recovery
Console will not recognize the Administrator password you know. In these situations you
can change a registry setting so that the Recovery Console logs you on without asking for
a password. This setting works on both Windows XP Home and Professional editions.
Understand what it does before you change it: with the password prompt removed, anyone
who can reboot the machine and pick the Recovery Console entry from the boot menu gets
an Administrator-level console with full access to the file system, which is exactly what
someone with physical access to a stolen or unattended machine would want. Treat it as a
temporary repair setting and change it back when the repair is done.

To change this setting do the following:

1. Click on the Start button.

2. Click on the Run option

3. Type regedit.exe in the open field and press the OK button.


4. Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole

5. Set the SecurityLevel value (a DWORD) to 1. Setting it back to 0 restores the
password prompt.

6. Close regedit

7. Reboot your computer.

The Recovery Console will now log on without asking for a password. When you have
finished the repair, set SecurityLevel back to 0 so the machine does not stay open to
anyone with physical access.
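The same change can be read and made from a script, which also makes it easy to check later that the setting was put back. The following is an added example and not part of the original tutorial. It assumes Windows XP or Server 2003 with PowerShell 2.0 installed and a session running as Administrator; the key and the two value names (SecurityLevel and SetCommand) are the ones Windows uses under the RecoveryConsole key named above, nothing else is taken from the page.

```powershell
# Added example, not part of the original tutorial: read and change the
# Recovery Console logon setting that the regedit steps above edit by hand.
# Assumes Windows XP/2003 with PowerShell 2.0 and an Administrator session.
$rcKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'

function Get-RecoveryConsoleSetting {
    # Returns an object describing the two policy values held under the key:
    #   SecurityLevel 1 = log on as Administrator without a password
    #   SetCommand    1 = the SET command may lift the wildcard, all-paths
    #                     and removable-media restrictions
    if (-not (Test-Path $rcKey)) {
        return New-Object PSObject -Property @{
            Installed = $false; AutoLogon = $false; SetCommandAllowed = $false
        }
    }
    $p = Get-ItemProperty -Path $rcKey
    New-Object PSObject -Property @{
        Installed         = $true
        AutoLogon         = ($p.SecurityLevel -eq 1)
        SetCommandAllowed = ($p.SetCommand -eq 1)
    }
}

function Set-RecoveryConsoleAutoLogon {
    param([bool]$Enabled)
    # Writes the DWORD the tutorial edits. With it enabled, anyone who can
    # reboot the machine and pick the Recovery Console menu entry gets an
    # Administrator-level console, so enable it only for the repair and
    # call this again with $false afterwards.
    if (-not (Test-Path $rcKey)) {
        throw 'Recovery Console key not found; install it first (winnt32 /cmdcons)'
    }
    $value = 0
    if ($Enabled) { $value = 1 }
    Set-ItemProperty -Path $rcKey -Name SecurityLevel -Value $value -Type DWord
}

# Usage: show the current state, enable for the repair, disable afterwards.
Get-RecoveryConsoleSetting | Format-List
# Set-RecoveryConsoleAutoLogon -Enabled $true
# ... reboot, do the repair in the Recovery Console, reboot back into Windows ...
# Set-RecoveryConsoleAutoLogon -Enabled $false
```

On Windows XP Professional the same two values are exposed in Local Security Policy (secpol.msc) under Security Options as "Recovery console: Allow automatic administrative logon" and "Recovery console: Allow floppy copy and access to all drives and all folders"; XP Home has no secpol.msc, which is why the tutorial goes through the registry.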

How to use the Recovery Console

Although the Recovery Console looks similar to a standard command prompt, it is not the
same. Some commands work, others do not, and there are commands that exist only here.
There is no graphical interface: every command is typed at the console prompt and run by
pressing Enter. This may be confusing at first for those who are not familiar with this
type of interface, but after a few commands it becomes easier.

The following is a list of the commands available in the Recovery Console. Type help
followed by a command name to see a more detailed explanation, for example: help attrib.
Keep in mind that the console is deliberately restricted: by default you can only move
around the Windows system directories, the root of each partition and removable media,
wildcards are not allowed, and files cannot be copied to removable media. For malware
removal the usual sequence is listsvc to find the malicious service or driver, disable to
stop it from loading, and ren, run from inside the directory that holds the file, to
rename the file itself.

Command: Description

Attrib: Changes attributes on a file or directory.

Batch: Executes the commands listed in a text file (batch Inputfile [Outputfile]).
Outputfile holds the output of the commands; if you omit it, the output appears on the
screen.

Bootcfg: Lets you view and modify the Boot.ini file for boot configuration and recovery.

Cd (Chdir): Changes the current directory. Operates only in the system directories of the
current Windows installation, removable media, the root directory of any hard disk
partition, or the local installation sources.

Chkdsk: Checks a disk for problems or errors. The /p switch runs Chkdsk even if the drive
is not flagged as dirty. The /r switch locates bad sectors and recovers readable
information, and implies /p. Chkdsk requires Autochk.exe: it looks for it in the startup
folder first, then on the Windows Setup CD-ROM, and if it cannot find the CD it prompts
you for the location of Autochk.exe.

Cls: Clears the screen.

Copy: Copies one file to a target location. By default the target cannot be removable
media and you cannot use wildcard characters. Copying a compressed file from the Windows
Setup CD-ROM automatically decompresses it.

Del (Delete): Deletes one file. Operates only within the system directories of the current
Windows installation, removable media, the root directory of any hard disk partition, or
the local installation sources. By default you cannot use wildcard characters.

Dir: Displays a list of all files, including hidden and system files.

Disable: Disables a Windows system service or driver (disable service_or_driver). Before
it changes the startup type to SERVICE_DISABLED it displays the service's original startup
type; note that value so you can restore it with enable.

Diskpart: Manages partitions on hard disk volumes. The /add option creates a new partition
and the /delete option deletes an existing one. The variable device is the device name for
a new partition (such as \device\harddisk0). The variable drive is the drive letter of a
partition you are deleting (for example, D); partition is the partition-based name (for
example, \device\harddisk0\partition1) and can be used instead of drive. The variable size
is the size, in megabytes, of a new partition.

Enable: Enables a Windows system service or driver (enable service_or_driver [start_type]).
The variable service_or_driver is the name of the service or driver to enable, and
start_type is the startup type for it, one of:
SERVICE_BOOT_START
SERVICE_SYSTEM_START
SERVICE_AUTO_START
SERVICE_DEMAND_START

Exit: Quits the Recovery Console and restarts the computer.

Expand: Expands a compressed file. The variable source is the file to expand; by default
wildcard characters are not allowed. The variable destination is the directory for the new
file; by default it cannot be removable media and cannot be read-only (use attrib to
remove the read-only attribute from the destination directory). The option /f:filespec is
required if the source contains more than one file, and it permits wildcard characters.
The /y switch disables the overwrite confirmation prompt. The /d switch does not expand
anything but lists the files contained in the source.

Fixboot: Writes a new startup sector on the system partition.

Fixmbr: Repairs the master boot code of the startup partition. The variable device is an
optional name for the device that needs a new Master Boot Record; omit it when the target
is the startup device.

Format: Formats a disk. The /q switch performs a quick format and the /fs switch specifies
the file system.

Help: If you do not specify a command, help lists all the commands the Recovery Console
supports.

Listsvc: Displays all available services and drivers on the computer.

Logon: Displays the detected Windows installations and requests the local Administrator
password for the one you choose. Use it to switch to another installation.

Map: Displays the currently active device mappings. Include the arc option to show
Advanced RISC Computing (ARC) paths (the format used in Boot.ini) instead of Windows device
paths.

Md (Mkdir): Creates a directory. Operates only within the system directories of the
current Windows installation, removable media, the root directory of any hard disk
partition, or the local installation sources.

More/Type: Displays the specified text file on screen. More shows it one page at a time;
Type shows the whole file at once.

Rd (Rmdir): Removes a directory. Operates only within the system directories of the
current Windows installation, removable media, the root directory of any hard disk
partition, or the local installation sources.

Ren (Rename): Renames a file or directory. Operates only within the system directories of
the current Windows installation, removable media, the root directory of any hard disk
partition, or the local installation sources. You cannot specify a new drive or path as
the target, so change into the directory first.

Set: Displays and sets the Recovery Console environment variables: AllowWildCards,
AllowAllPaths, AllowRemovableMedia and NoCopyPrompt (each TRUE or FALSE). Changing them is
only permitted when the console's SetCommand policy has been enabled (in Local Security
Policy, "Recovery console: Allow floppy copy and access to all drives and all folders").

Systemroot: Sets the current directory to %SystemRoot%.

Deleting the Recovery Console

Warning: To remove the Recovery Console you need to modify the Boot.ini file.
Modifying this file incorrectly can prevent your computer from starting properly. Please
only attempt this step if you feel comfortable doing this.

To remove the Recovery Console from your hard drive follow these steps:

1. Double-click on My Computer and then double-click on the drive where you installed
the Recovery Console (usually the C: drive).

2. Click on the Tools menu and select Folder Options.

3. Click on the View tab.

4. Select Show hidden files and folders and uncheck Hide protected operating
system files.

5. Press the OK button.

6. Now at the root folder delete the Cmdcons folder and the Cmldr file.

7. At the root folder, right-click the Boot.ini file, and then click Properties.

8. Click to clear the Read-only check box, and then click the OK button.
9. Click on Start, then Run and type Notepad.exe c:\boot.ini in the Open: field and
press the OK button.

10. Remove the entry for the Recovery Console. It will look similar to this:
C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

Make sure you only delete that one entry.

11. When you are done, close the notepad and save when it asks.

12. Right click again on the boot.ini file and select Properties.

13. Put a checkmark back in the Read-only checkbox and then press the OK button.

The recovery console should now be removed from your system.
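The boot.ini edit in steps 7 to 13 is the risky part of the removal. The following is an added example, not part of the original tutorial, that performs the same edit from PowerShell with a backup and a check that a bootable entry still remains before anything is written. It assumes Windows XP with boot.ini on C:, a PowerShell 2.0 session running as Administrator, and a Recovery Console entry of the form shown in step 10; the function names are mine.

```powershell
# Added example, not part of the original tutorial: remove the Recovery
# Console line from boot.ini with a backup and a sanity check first.
# Assumes Windows XP, boot.ini on C:, PowerShell 2.0 as Administrator.

function Remove-CmdconsEntry {
    param([string]$BootIniText)
    # Drop only lines whose target is the Recovery Console boot sector, e.g.
    #   C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
    # Everything else (timeout, default, the Windows entries) is kept as-is.
    $kept = @()
    foreach ($line in ($BootIniText -split "`r?`n")) {
        if ($line -match '^\s*[A-Za-z]:\\cmdcons\\bootsect\.dat\s*=') { continue }
        $kept += $line
    }
    return ($kept -join "`r`n")
}

function Test-BootIniHasOs {
    param([string]$BootIniText)
    # True when a default= line and at least one ARC-path entry such as
    #   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP ..."
    # remain, so NTLDR still has something to boot.
    $hasDefault = ($BootIniText -match '(?m)^\s*default\s*=')
    $hasEntry   = ($BootIniText -match '(?m)^\s*(multi|scsi|signature)\(.*\)\\[^=]*=')
    return ($hasDefault -and $hasEntry)
}

function Update-BootIni {
    param([string]$Path = 'C:\boot.ini')
    $original = [IO.File]::ReadAllText($Path)
    $cleaned  = Remove-CmdconsEntry $original
    if ($cleaned -eq $original) { Write-Host "no Recovery Console entry in $Path"; return }
    if (-not (Test-BootIniHasOs $cleaned)) {
        throw "refusing to write: no bootable entry would remain in $Path"
    }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    # boot.ini is read-only, hidden and system; clear the attributes to write,
    # then put the original ones back (steps 8 and 13 above do this by hand).
    $file  = Get-Item -LiteralPath $Path -Force
    $saved = $file.Attributes
    $file.Attributes = [IO.FileAttributes]::Normal
    # Write as ANSI: boot.ini is read by NTLDR before Windows is running.
    [IO.File]::WriteAllText($Path, $cleaned, [Text.Encoding]::Default)
    (Get-Item -LiteralPath $Path -Force).Attributes = $saved
}

Update-BootIni
```

Delete the Cmdcons folder and the Cmldr file by hand as in step 6; the script deliberately touches only boot.ini, and the boot.ini.bak copy it leaves behind lets you put the entry back if the machine fails to start.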

--
Lawrence Abrams
Bleeping Computer Advanced Microsoft Tutorials
BleepingComputer.com: Computer Help & Tutorials for the beginning computer
user.
Automated Removal Instructions for Antivirus 2010 using Malwarebytes' Anti-Malware
and the Windows Recovery Environment:

1. These instructions are for advanced users. We will not be going into great detail
on how to perform these steps and it is expected that you will understand what to
do with the information provided below. If you do not feel comfortable
performing these steps, then please do not attempt them. Instead follow the steps
in this topic in order to receive malware removal help from one of our helpers.

2. Please print out these instructions as we will be performing steps in an
environment that does not support Internet browsing.

3. Because the main defense mechanism of Antivirus2010 is a rootkit, we must first
reboot the computer into the XP Recovery Console or the Windows Vista/Windows 7
Recovery Environment in order to rename certain files; with the infected Windows not
running, the rootkit driver is not loaded and cannot hide or protect them. That then
allows us to remove the rest of the infection while booted into Windows normally.

With this said, if you are using Windows XP, please reboot into the Windows XP
Recovery Console using the instructions found in this guide.

How to install and use the Windows XP Recovery Console

If you are using Windows 7 or Windows Vista, please use this guide to boot into
the Windows Recovery Environment. Please note that the following guide was
written for Vista, but applies to Windows 7 as well.

How to use the Command Prompt in the Vista Windows Recovery Environment

4. Once you are in the recovery environment you must rename the following files.
Rename each one to the same file name with .bad appended (for example shsvcs.dll
becomes shsvcs.dll.bad):

c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
c:\WINDOWS\system32\drivers\vbma22b4.sys (Please note that the filename
may not be exactly the same, but should start with vbma)

In the XP Recovery Console, cd into the directory that holds the file, use dir to see
the exact name (the vbma driver name varies), and then run ren on the bare file name;
ren will not accept a path as the target.

We say rename rather than delete because if you rename the wrong file and Windows
no longer operates correctly, you can go back into the recovery environment and
rename it back to get Windows working again.

5. Once these two files have been renamed, please type Exit and reboot your
computer so that it enters Windows normally.
6. Once you are in Windows, go into Add or Remove Programs (Windows XP) or
Uninstall a Program (Windows 7 and Vista) in the Windows Control Panel.
Once the Uninstall control panel is open, look for Antivirus 2010 or
Antivirus2010 and uninstall it.

7. Now download the following reg file for your corresponding version of Windows
and run it. When it asks if you would like to merge the data, please allow it to do
so.

Windows XP Reg File


Windows Vista and Windows 7 Reg File

These reg files will restore a key that was changed by the rootkit.

8. For the next steps, if you attempt to run a program and it gives a permission
denied or similar error, then please use the CACLS program to restore
permissions as described in the description of the program above.

9. You can now download Malwarebytes' Anti-Malware, or MBAM, from the
following location and save it to your desktop:

Malwarebytes' Anti-Malware Download Link (Download page will open in a new
window)

10. Once downloaded, close all programs and windows on your computer, including
this one.

11. Double-click on the icon on your desktop named mbam-setup.exe. This will start
the installation of MBAM onto your computer.

12. When the installation begins, keep following the prompts in order to continue
with the installation process. Do not make any changes to default settings and
when the program has finished installing, make sure you leave both the Update
Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware
checked. Then click on the Finish button.

13. MBAM will now automatically start and you will see a message stating that you
should update the program before performing a scan. As MBAM will
automatically update itself after the install, you can press the OK button to close
that box and you will now be at the main program as shown below.
14. On the Scanner tab, make sure the Perform full scan option is selected and
then click on the Scan button to start scanning your computer for Antivirus 2010
related files.

15. MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you go and do something else and periodically
check on the status of the scan. When MBAM is scanning it will look like the
image below.
16. When the scan is finished a message box will appear as shown in the image
below.

You should click on the OK button to close the message box and continue with
the Antivirus2010 removal process.

17. You will now be back at the main Scanner screen. At this point you should click
on the Show Results button.
18. A screen displaying all the malware that the program found will be shown as seen
in the image below. Please note that the infections found may be different than
what is shown in the image.

You should now click on the Remove Selected button to remove all the listed
malware. MBAM will now delete all of the files and registry keys and add them
to the programs quarantine. When removing the files, MBAM may require a
reboot in order to remove some of them. If it displays a message stating that it
needs to reboot, please allow it to do so. Once your computer has rebooted, and
you are logged in, please continue with the rest of the steps.

19. When MBAM has finished removing the malware, it will open the scan log and
display it in Notepad. Review the log as desired, and then close the Notepad
window.

20. You can now exit the MBAM program.

21. As many rogues and other malware are installed through vulnerabilities found in
out-dated and insecure programs, it is strongly suggested that you use Secunia PSI
to scan for vulnerable programs on your computer. A tutorial on how to use
Secunia PSI to scan for vulnerable programs can be found here:
How to detect vulnerable and out-dated programs using Secunia Personal
Software Inspector

Your computer should now be free of the Antivirus2010 program. If your current anti-
virus solution let this infection through, you may want to consider purchasing the PRO
version of Malwarebytes' Anti-Malware to protect against these types of threats in the
future.

Associated Antivirus 2010 Files:

Current Antivirus 2010 Files:

c:\Documents and Settings\All Users\Application Data\.wtav
c:\WINDOWS\system32\mswmqnei.dll
c:\WINDOWS\system32\us?rinit.exe
c:\WINDOWS\system32\drivers\vbma22b4.sys

Old Antivirus 2010 Files:

c:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

Associated Antivirus 2010 Windows Registry Information:

Current Antivirus 2010 Registry Entries:

HKEY_CLASSES_ROOT\Interface\{35c95ec8-f789-9a3a-375c-bdb89a3684fd}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFBCFDBA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit

Old Antivirus 2010 Registry Entries:

HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Gamma Display"
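The file and registry lists above can be turned into a quick check that runs before the Recovery Console step (to confirm the infection) and again after the MBAM scan (to confirm nothing is left). The following is an added example and not part of the original guide. It assumes Windows XP with the paths exactly as listed and PowerShell 2.0; two of the indicators are interpreted rather than copied: "vbma22b4.sys" is treated as any driver whose name starts with vbma, as the guide itself says, and "us?rinit.exe" as any file in system32 whose name is userinit.exe with one character changed, since the guide prints the odd character as "?". The Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012 to \0014 keys are deliberately not tested: that GUID is the network-adapter device class and those instance keys exist on clean systems too.

```powershell
# Added example, not part of the original guide: report which of the
# Antivirus 2010 artifacts listed above are present on this Windows XP system.
# Assumes PowerShell 2.0; see the lead-in for which indicators are
# interpretations (vbma* driver, userinit.exe look-alike) rather than copies.
$sys32    = Join-Path $env:SystemRoot 'system32'
$allUsers = 'C:\Documents and Settings\All Users'

$files = @(
    (Join-Path $allUsers 'Application Data\.wtav'),
    (Join-Path $sys32 'mswmqnei.dll'),
    'C:\Program Files\AV2010',
    (Join-Path $sys32 'IEDefender.dll'),
    (Join-Path $sys32 'wingamma.exe'),
    (Join-Path $allUsers 'Desktop\AV2010.lnk'),
    (Join-Path $allUsers 'Start Menu\Programs\AV2010')
)

# Registry:: prefix is used because PowerShell only maps HKLM: and HKCU: by default.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\Interface\{35c95ec8-f789-9a3a-375c-bdb89a3684fd}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CB00F85-D96F-1C82-F5A4-A31D57D6528D}',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFBCFDBA',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\userinit',
    'Registry::HKEY_CURRENT_USER\Software\AV2010',
    'Registry::HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}',
    'Registry::HKEY_CLASSES_ROOT\AppID\IEDefender.DLL',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}',
    'Registry::HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO',
    'Registry::HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1',
    'Registry::HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}'
)

function Find-Av2010Artifacts {
    $found = @()
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $found += "file: $f" }
    }
    # Driver with a randomised name: only the vbma prefix is stable.
    Get-ChildItem -Path (Join-Path $sys32 'drivers') -Filter 'vbma*.sys' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $found += "driver: $($_.FullName)" }
    # Look-alike of the legitimate userinit.exe, which itself must stay.
    Get-ChildItem -Path $sys32 -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^us.rinit\.exe$' -and $_.Name -ne 'userinit.exe' } |
        ForEach-Object { $found += "look-alike: $($_.FullName)" }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $found += "registry: $k" }
    }
    # The Run entry is a value, not a subkey, so Test-Path cannot see it.
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Windows Gamma Display']) {
        $found += 'registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Gamma Display'
    }
    return $found
}

$hits = @(Find-Av2010Artifacts)
if ($hits.Count -eq 0) { 'No Antivirus 2010 artifacts found.' } else { $hits }
```

A clean result from inside the infected Windows does not prove anything while the rootkit driver is loaded, since it can hide its own files and keys from the running system; the script is only trustworthy for the "after" check once the vbma driver has been renamed from the Recovery Console and the machine rebooted.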