The Recovery Console is a special boot up method that can be used to help fix problems
that are preventing your Windows installation from properly booting up into Windows.
This method allows you to access the files, format drives, disable and enable services,
and other tasks from a console prompt while the operating system is not loaded. It is
suggested that the Recovery Console only be used after Safe Mode and the other
standard startup options have failed. I feel that the Recovery Console is also useful in
other situations, such as removing malware files that start in both Safe Mode and
normal mode and thus prevent you from deleting the infection.
This tutorial will guide you through the installation of the Recovery Console and how to
use it. For those who are familiar with DOS or the command prompt, you will find the
Recovery Console to be very familiar. For those who are not comfortable with this type
of environment, I suggest you read through this primer in order to get familiar with this
type of interface:
I recommend that you install the Recovery Console directly onto your computer so that if
you need it in the future, it is readily available. The Recovery Console only takes up
approximately 7 megabytes so there is no reason why you should not have it installed in
case you need it.
To install the Recovery Console on your hard drive, follow these steps:
Simply press the Yes button to continue with the installation of the Recovery
Console. The setup program will then attempt to do a Dynamic Update to make
sure you have the latest files as shown below.
Simply allow it to continue and then when it is finished, you will be presented
with a screen similar to the one below telling you so.
Now when you start your computer you will have an option to start the Recovery
Console.
How to start the Recovery Console
To start the Recovery Console when it is installed on your hard drive you would do the
following:
1. Reboot your computer and as Windows starts it will present you with your startup
options as shown in the figure below.
2. With the arrow keys on your keyboard select the option listed as Microsoft
Windows Recovery Console and press the enter key on your keyboard.
3. The Recovery Console will start and ask you which Windows installation you
would like to log on to. If you have multiple Windows installations, it will list
each one, and you would enter the number associated with the installation you
would like to work on and press enter. If you have just one Windows installation,
type 1 and press enter.
4. It will then prompt you for the Administrator's password. If there is no password,
simply press enter. Otherwise type in the password and then press enter. If you
do not know your password then see this.
5. If you entered the correct password you will now be presented with a
C:\Windows> prompt and you can start using the Recovery Console.
To start the Recovery Console directly from the Windows XP CD you would do the
following:
3. When the Welcome to Setup screen appears, press the R button on your keyboard
to start the Recovery Console.
4. The Recovery Console will start and ask you which Windows installation you
would like to log on to. If you have multiple Windows installations, it will list
each one, and you would enter the number associated with the installation you
would like to work on and press enter. If you have just one Windows installation,
type 1 and press enter.
5. It will then prompt you for the Administrator's password. If there is no password,
simply press enter. Otherwise type in the password and then press enter. If you
do not know your password then see this.
6. If you entered the correct password you will now be presented with a
C:\Windows> prompt and you can start using the Recovery Console.
When the Recovery Console starts it will ask for your Administrator password before
continuing. In many cases when you have XP pre-installed on your computer the
Recovery Console will not recognize your Administrator's password. In these situations it
is possible to edit a registry setting so that the Recovery Console does not ask for a
password. This setting works on both Windows XP Home and Pro editions.
6. Close regedit
Though the Recovery Console looks similar to a standard command prompt it is not the
same. Certain commands work, while others do not, and there are new commands
available to you. There is no graphical interface, and all commands must be entered by
typing them into the console prompt with your keyboard and pressing enter. This may be
confusing for those who are not familiar with this type of interface, but after doing a few
commands it becomes easier.
The following is a list of the available commands that you can use in the Recovery
Console. When using the recovery console you can type help followed by the command
to see a more detailed explanation. For example: help attrib.
Warning: To remove the Recovery Console you need to modify the Boot.ini file.
Modifying this file incorrectly can prevent your computer from starting properly. Please
only attempt this step if you feel comfortable doing this.
To remove the Recovery Console from your hard drive follow these steps:
4. Select Show hidden files and folders and uncheck Hide protected operating
system files.
6. Now at the root folder delete the Cmdcons folder and the Cmldr file.
7. At the root folder, right-click the Boot.ini file, and then click Properties.
8. Click to clear the Read-only check box, and then click the OK button.
9. Click on Start, then Run and type Notepad.exe c:\boot.ini in the Open: field and
press the OK button.
10. Remove the entry for the Recovery Console. It will look similar to this:
C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
11. When you are done, close the notepad and save when it asks.
12. Right click again on the boot.ini file and select Properties.
13. Put a checkmark back in the Read-only checkbox and then press the OK button.
--
Lawrence Abrams
Bleeping Computer Advanced Microsoft Tutorials
BleepingComputer.com: Computer Help & Tutorials for the beginning computer
user.
Automated Removal Instructions for Antivirus 2010 using Malwarebytes' Anti-Malware
and the Windows Recovery Environment:
1. These instructions are for advanced users. We will not be going into great detail
on how to perform these steps and it is expected that you will understand what to
do with the information provided below. If you do not feel comfortable
performing these steps, then please do not attempt them. Instead follow the steps
in this topic in order to receive malware removal help from one of our helpers.
With this said, if you are using Windows XP, please reboot into the Windows XP
Recovery Console using the instructions found in this guide.
If you are using Windows 7 or Windows Vista, please use this guide to boot into
the Windows Recovery Environment. Please note that the following guide was
written for Vista, but applies to Windows 7 as well.
How to use the Command Prompt in the Vista Windows Recovery Environment
4. Once you are in the recovery environment you must rename the following files.
You can rename them as the same filename but ending with .bad.
c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
c:\WINDOWS\system32\drivers\vbma22b4.sys (Please note that the filename
may not be exactly the same, but should start with vbma)
The reason we state you should rename them instead of deleting them, is if you
delete the wrong file and Windows no longer operates correctly, you can go back
into the Windows recovery environment and restore the file to get Windows
working again.
5. Once these two files have been renamed, please type Exit and reboot your
computer so that it enters Windows normally.
6. Once you are in Windows, go into Add or Remove Programs (Windows XP) or
Uninstall a Program (Windows 7 and Vista) in the Windows Control Panel.
Once the Uninstall control panel is open, look for Antivirus 2010 or
Antivirus2010 and uninstall it.
7. Now download the following reg file for your corresponding version of Windows
and run it. When it asks if you would like to merge the data, please allow it to do
so.
These reg files will restore a key that was changed by the rootkit.
8. For the next steps, if you attempt to run a program and it gives a permission
denied or similar error, then please use the CACLS program to restore
permissions as described in the description of the program above.
9. You can now download Malwarebytes' Anti-Malware, or MBAM, from the
following location and save it to your desktop:
10. Once downloaded, close all programs and open windows on your computer,
including this one.
11. Double-click on the icon on your desktop named mbam-setup.exe. This will start
the installation of MBAM onto your computer.
12. When the installation begins, keep following the prompts in order to continue
with the installation process. Do not make any changes to default settings and
when the program has finished installing, make sure you leave both the Update
Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware
checked. Then click on the Finish button.
13. MBAM will now automatically start and you will see a message stating that you
should update the program before performing a scan. As MBAM will
automatically update itself after the install, you can press the OK button to close
that box and you will now be at the main program as shown below.
14. On the Scanner tab, make sure the Perform full scan option is selected and
then click on the Scan button to start scanning your computer for Antivirus 2010
related files.
15. MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you go and do something else and periodically
check on the status of the scan. When MBAM is scanning it will look like the
image below.
16. When the scan is finished a message box will appear as shown in the image
below.
You should click on the OK button to close the message box and continue with
the Antivirus2010 removal process.
17. You will now be back at the main Scanner screen. At this point you should click
on the Show Results button.
18. A screen displaying all the malware that the program found will be shown as seen
in the image below. Please note that the infections found may be different than
what is shown in the image.
You should now click on the Remove Selected button to remove all the listed
malware. MBAM will now delete all of the files and registry keys and add them
to the program's quarantine. When removing the files, MBAM may require a
reboot in order to remove some of them. If it displays a message stating that it
needs to reboot, please allow it to do so. Once your computer has rebooted, and
you are logged in, please continue with the rest of the steps.
19. When MBAM has finished removing the malware, it will open the scan log and
display it in Notepad. Review the log as desired, and then close the Notepad
window.
21. As many rogues and other malware are installed through vulnerabilities found in
out-dated and insecure programs, it is strongly suggested that you use Secunia PSI
to scan for vulnerable programs on your computer. A tutorial on how to use
Secunia PSI to scan for vulnerable programs can be found here:
How to detect vulnerable and out-dated programs using Secunia Personal
Software Inspector
Your computer should now be free of the Antivirus2010 program. If your current anti-
virus solution let this infection through, you may want to consider purchasing the PRO
version of Malwarebytes' Anti-Malware to protect against these types of threats in the
future.
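Step 4 above (renaming the two Antivirus 2010 files to .bad from the Windows Recovery Environment) written out as a batch script for the Vista/7 WinRE command prompt. This is an added example, not the tutorial's own script; it assumes the offline Windows volume appears as C: inside WinRE (it is often D: there) and that the WinSxS folder name matches the path quoted in step 4. It matches the driver by its vbma prefix, since the tutorial notes the exact name varies, and logs every rename so the change can be undone from the same prompt, which is the reason the tutorial gives for renaming rather than deleting.

```batch
@echo off
rem Added example (not the tutorial's own script): rename, rather than delete,
rem the two Antivirus 2010 components from the Vista/7 WinRE command prompt,
rem and keep an undo log so the change can be reversed from the same prompt.
rem ASSUMPTION: the offline Windows volume is C: inside WinRE. It is often D:
rem there, so check with "dir C:\" and "dir D:\" and adjust SYSDRIVE if needed.
setlocal
set "SYSDRIVE=C:"
set "UNDOLOG=%SYSDRIVE%\av2010-renames.txt"
set "SHSVCS=%SYSDRIVE%\Windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll"

if /i "%~1"=="undo" goto :undo

rem 1) The shsvcs.dll copy under WinSxS: rename only if it is actually there.
if exist "%SHSVCS%" (
    ren "%SHSVCS%" "shsvcs.dll.bad"
    >>"%UNDOLOG%" echo "%SHSVCS%"
    echo renamed: "%SHSVCS%"
) else (
    echo not found, skipping: "%SHSVCS%"
)

rem 2) The driver: its name varies per machine but starts with vbma, so match
rem    the prefix instead of hard-coding vbma22b4.sys.
set "FOUND="
for %%F in ("%SYSDRIVE%\Windows\system32\drivers\vbma*.sys") do (
    ren "%%~fF" "%%~nxF.bad"
    >>"%UNDOLOG%" echo "%%~fF"
    echo renamed: "%%~fF"
    set "FOUND=1"
)
if not defined FOUND echo no vbma*.sys driver found in the drivers folder
echo Undo log written to %UNDOLOG%. Run "%~nx0 undo" to restore the files.
goto :eof

:undo
rem Reverse every rename recorded in the log by stripping the .bad suffix.
if not exist "%UNDOLOG%" (echo no undo log at %UNDOLOG% & goto :eof)
for /f "usebackq delims=" %%L in ("%UNDOLOG%") do (
    if exist "%%~L.bad" ren "%%~L.bad" "%%~nxL"
)
echo restored the files listed in %UNDOLOG%
```

The XP Recovery Console lacks `for`, `if` and `setlocal`, so on XP type the two `ren` commands by hand at its prompt instead.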