I'm Toast and Burnt - Please help me

Discussion in 'Acronis True Image Product Line' started by crazed_grrl, Mar 24, 2009.

Thread Status:
Not open for further replies.
  1. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Hi folks. I've been battling malware and in the midst of it ... ended up having a windows update toast my system. It was the WP Service Pack and now I get blue screen on boot-up (Error:C0000218 Registry File Failure).

    I do have a back-up using ATI and an external hard drive from 2 weeks ago.

    I have never had to use this system and frankly I want to be extra certain that I am proceeding correctly so that I don't lose any of my data.

    Should I try to get into my system somehow (?) and back-up some of those files BEFORE I do the full-image restore?

    Can someone please detail this for me, like you were talking to a little child, so I can move forward?

    Also, I now have no Internet access at home, I'm using the public library to try to get some help, so if I don't come back to the thread right away it's only b/c my library session has ended and I can't log on again until tomorrow. :(

    Please help me if you can.

    Thank you!

    -- I should add that I bought the boxed version retail - and have never made a recovery disk as I thought the cd acts as one. Hope that's so.
    Also, the version I have is 11, purchased last April.

    -- ALSO, since the malware is presumably still there ... Will I just end up corrupting my back-up by restoring it?
     
    Last edited: Mar 24, 2009
  2. DwnNdrty

    DwnNdrty Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    3,335
    Location:
    Florida - USA
    Definitely copy your data before you do anything else. In your situation with all the malware on the drive, the best way to do this is to get ahold of a bootable BartPE cd. When you boot with this cd, using the A43 File Management feature, you will get to an interface like Windows Explorer so you can copy all your data to, say, an external drive.

    The retail version cd is a bootable True Image cd and can function as the Rescue CD - this is not the same as the BartPE cd.

    If the malware was present when you made that backup image two weeks ago it will be still there when you restore the Image. But at least your system should boot after the restore and you can then run some anti-malware scan programs to get rid of them.

    Good Luck.
     
  3. GroverH

    GroverH Registered Member

    Joined:
    May 10, 2006
    Posts:
    2,405
    Location:
    Massachusetts, USA
    After completion of post 2 above, you can follow the guides listed on line 2 of my signature below.
     
  4. jonyjoe81

    jonyjoe81 Registered Member

    Joined:
    May 1, 2007
    Posts:
    829
    You can try and do a chkdsk c: /f, this might be able to get your computer to boot again so you can continue to run malware repairs.

    As long as your backup is clean (no malware on it) it will overwrite your current hard drive or partition. This will get rid of any malware. The times that I had to restore due to a malware problem, no malware survived the restore.

    If your backup also has malware, then you might have to do a clean install or continue doing malware repairs.

    If you don't have internet access because your computer is not running, see if you can get a linux livecd, that will get you back on the internet without installing on your hard drive.

    http://forums.afterdawn.com/forum_view.cfm/166
     
  5. jmk94903

    jmk94903 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    3,329
    Location:
    San Rafael, CA
    The easiest way to back up everything that you might want on your hard drive is to boot from the CD in the TI box and make a new image of your drive.

    After that, you can restore the image from two weeks ago.

    You won't want to restore the entire image of the infected disk, but after restoring your good image, you can mount the image of the infected drive and copy out all the data files that you need.

    The best part is that you might forget something copying individual files, but you have the entire disk with the image, so everything is still available.
     
  6. DwnNdrty

    DwnNdrty Registered Member

    Joined:
    Mar 28, 2007
    Posts:
    3,335
    Location:
    Florida - USA
    jmk makes a good point about making an Image of the drive as it is now - malware and all.
     
  7. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Thank you, thank you. What a blessing to get back here and find real help.

    I'll proceed as follows w the help of link provided by GroverH:


    - use CD and make image of system as it is now
    - restore image from two weeks ago
    - grab the files I need from system 'now'

    Deal with what's next once I am back up and running and see if the malware is still there.

    I'm on my way to a friend's where I can be online and work on the computer at the same time. Right now I'm at the library. I'll be back. Thank you, thank you.
     
  8. jmk94903

    jmk94903 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    3,329
    Location:
    San Rafael, CA
    Let us know how the recovery works out - and when you stop feeling crazed. :)
     
  9. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Hehe. Yes, I'm not *always* crazed ;) (only my opinion though)...

    Okay. I'm here now and not quite sure what I'm doing.

    I'm reading through the how to backup guide - and it says create a recovery disk. But I don't need one b/c I have the retail CD.

    So, I'm going to boot with the CD in the drive ... and THEN attach my external hard drive to make the back-up of the current system? I don't want to somehow write over my previous (good) back-up image.

     
  10. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    Normally, you connect the external drive first and then boot to the CD. When you create the new backup, make sure to use a different filename than the original so you don't overwrite it.

    After the backup is created, I would make sure both it and the original one Validate successfully before you try to restore. This will take extra time, but it will let you know if TI can successfully read the images.
     
  11. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Thanks MudCrab. It's backing up now. 1hr40 min. remaining.

    I put external drive in after I booted w the CD. It did recognize it when I got to the screen showing drives and I created a folder and file there to do this back-up.

    I asked for auto-validate on this back-up when it is finished.

    How do I validate the previous back-up that I made?

    I'm still going through the pdf's beginner guides.

     
  12. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    Good. Hopefully, it will be successful.

    On the Pick a Task screen of TI (the main screen), just select the Validate Backup Archive option and follow the steps.
     
  13. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Thank you.

    The back-up status was 1 hr. 40 minutes, then 2 hrs, then 3 hrs, and now is showing 4 hours remaining.

    Is that normal?

     
  14. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    The time remaining shouldn't be increasing at this point unless something is wrong. Can you tell if the backup is still in process (computer drive access light on, USB light showing fairly constant access, etc.)?

    When you previously created the backup, was it from TI in Windows or using TI booted to the TI CD?

    It is still saying it's backing up and not that it's working on the Validation, correct? Once the Validation begins, don't count on the time remaining to be accurate.
     
  15. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Hi. It shows 'Create Full Backup Archive' Current operation progress 3/4 done, total progress: about 1/4 done. Now it reads '6 hours remaining'.

    The light for the Maxtor HD is flashing - that means working.

    There is no light on my cd drive - where the acronis cd is. (Correction - CD drive does show that it is working).

    I created the previous backup from within Windows. That is, if I understand the question ... I was working in Windows, put in the Acronis cd and the Maxtor hard drive, and did a full backup. (I do show a full back-up on the HD for that date -- although I didn't validate it when I did it.)

    Q: Should I cancel this and start it again ... (How do I safely cancel?)

    Remember I have only blue screen with error message on Windows....

    1) plug in hard drive
    2) put in acronis cd
    3) boot system

    Is this how I should proceed? I have to leave my friend's soon (and thus lose Internet connection) as he works nights and needs to sleep.

    Thank you!


    --- MudCrab: Can you tell if the backup is still in process (computer drive access light on, USB light showing fairly constant access, etc.)?

    When you previously created the backup, was it from TI in Windows or using TI booted to the TI CD?

    It is still saying it's backing up and not that it's working on the Validation, correct? Once the Validation begins, don't count on the time remaining to be accurate. ---
     
  16. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Oooh. It's now verifying -- shows 9 days remaining!
     
  17. bodgy

    bodgy Registered Member

    Joined:
    Sep 22, 2005
    Posts:
    2,387
    Location:
    Qld.
    Your time problem sounds like a USB problem.

    This could be either that you have plugged the drive in and the port is acting as USB1.1 or it really is USB1.1 rather than 2.0. It could also be that the rescue CD doesn't have the correct drivers for your machine.

    Obviously don't interrupt anything at this moment, but it would be worth checking - Is your USB on the PC v2.0?

    If you have the drive plugged into a front USB socket, try (next time) using one on the back of the computer.

    Don't have any external USB hubs or card readers attached, and definitely don't run the external drive through one whilst using TI.

    Colin
     
  18. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Here's the status at the moment:

    It finished the back-up and validated the archive. I also validated my previous archive (2 weeks old).

    Next, I wanted to explore archive but could not figure out how to do that. It tells me to just 'open' from tree directory. But can't figure out how to get to tree directory. I have 0 windows capability. Only blue screen w error.

    I would like to explore that back-up archive (current system) before I try to restore the other one.

    Q: How can I explore the archive?

    I can't figure out how to get the external hard drive running before booting with the acronis disk.

    I can turn the computer on --- it goes through the copyright motions, shows some F key options, starts the window icon then goes to blue screen/error message.

    Q: What is the best sequence for me to follow in order to do the restore?

    - Plug in external hard-drive (all my USB ports are 2.0)
    - Turn on machine --- so it will recognize the external hd
    - Turn off machine
    - Boot w Acronis

    Please help me with those details. I'm at public library, have about an hour on this machine.

    Thank you.
     
  19. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    With the standard TI CD, you can't Explore or Mount images (you can only do it with TI running in Windows). So, if you want to Explore the image, you'll need TI installed in Windows on another computer and then connect the USB drive so you can access the file.

    To do the restore, you just need to connect the USB drive and boot to the TI CD. You don't need to turn off the computer in between.

    Once TI is running, you'll need to select the Restore option and follow the steps... select the image to restore (on your USB drive), select the destination partition (on your internal drive), etc.
     
  20. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    MudCrab - Thank you. That's clear.

    To explore the image on other machine, does the other machine need to be same OS - ie: XP or does that matter?

    Sorry for the simple questions, but I need to inch forward so I don't do anything that can't be reversed.

    Thx.



     
  21. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    The version of TI needs to be the same or newer. Windows can be XP or Vista.
     
  22. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Could I just install my CD on their machine temporarily - would that accomplish the same thing?

    Or would that violate single-use license?

     
  23. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    It probably would be a violation of the license agreement. However, if you do this, make sure to uninstall it from the other computer after you're done.

    Another option would be to install the trial version of TI. That would be completely legal.

    Keep in mind that installing TI and uninstalling it can cause problems on some computers. You don't want to end up with the other computer messed up. In cases like this, I always recommend that a backup is created before you install so you can revert if something goes wrong.
     
  24. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    Thanks. I would have to do this on a friend's computer. They don't have Internet. Also, I don't want to cause any problems for them.

    It looks like I will have to take my chances and proceed to restore the back-up I have from two weeks ago, and then try to recover files from the current back-up.

    Thank you.



     
  25. crazed_grrl

    crazed_grrl Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    12
    I am back ... to say a big "Thank You" to everyone who helped me in this thread. I really appreciate it. A special thanks to MudCrab who was quick on the draw with responses when I was sitting at libraries and using friends' machines.

    I resolved my problem by:
    - Doing a full current image
    - Re-installing XP and grabbing the back-ups it gave me
    - Backing up those back-ups onto an external drive
    - Restoring my past full image (with the added bonus of 'extra functionality' 'cause I'd re-installed windows) .....

    While I watched the screen, with bated breath, a hush came over the room, a pit started to form in my stomach ...

    And voila! All my data, settings, everything were miraculously restored in front of my eyes.

    I *love* ATI.

    Once again, thanks so much.
     