
OTL potentially re-wrote/removed driver files necessary for system boot


This topic is locked
42 replies to this topic

#1 DnDer


Posted 14 February 2010 - 05:09 PM

Original topic: http://www.bleepingcomputer.com/forums/ind...=293655&hl= ~Elise

> > I have Theresa's computer. I will be working with you and posting logs now, but I can not post in the topic since it was made by TheresaG86. Here's what I have to report, though.
> >
> > When running the OTL software, it prompted for a number of uses of registry key changes and prompting for a windows disc to install the registry entries. The process was continued without doing this because it was a part of the OTL process, I thought, as well as there being no optical drive. Once OTL finished, it required a reboot.
> >
> > Now the computer reads the following on bootup, black screen with white text:
> > Windows could not start because the following file is missing or corrupt:
> > \WINDOWS\AppPatch\drvmain.sdb
> >
> > You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.
> > Select 'r' at the first screen to start repair.
> >
> > ...
> >
> > There is no optical drive, and the computer did not come with backup discs. How do I pull down the appropriate Windows files from a disc, or how can I give her a fresh install of Windows - which I hope isn't the course of action we need.
>
> Hello, thanks for letting me know. This is not what I was counting on.
> I reviewed the script with some colleagues here, but there's no way this should have caused such an issue.
> Therefore I am going to send a copy of your message to OTL's developer, so he can have a look at it as well.
>
> In the meantime, please check if the Recovery Console is accessible (it should be installed). When starting the computer, you should see a brief screen in which you can choose to boot Windows XP or Windows Recovery Console. Try and see if you can get at the c:\windows prompt (when asked for admin password, press enter if none is set).
>
> Please do NOT attempt any other fixes. Based on what OTL's developer suggests here, I'll ask you to start a separate topic so we can handle this issue properly.
>
> Thanks for your understanding,
> regards, Elise

Recovery Console was an option. After the bar loaded, it BSOD'd on me.

STOP: 0x0000007B (0xF7A22524, 0xC0000034, 0x00000000, 0x00000000)

7B Stop Code was one of my first google results. It seems to follow with the error I reported to you just a little while ago for \WINDOWS\AppPatch\drvmain.sdb being missing or corrupted.

I won't attempt other fixes. I would like to brainstorm a minute with you, though. Being as I have no optical drive to even put my personal copy of XP to run a recovery install from, is it possible to boot a live linux distro from a flash drive and drop a copy of the drvmain.sdb file (from another flash drive) into that path? There are plenty of USB ports to work with.

Edited by elise025, 16 February 2010 - 02:51 PM.



#2 Elise


Posted 15 February 2010 - 02:43 AM

Hello DnDer,

I got a reply from OTL's developer. He looked over it and explained to me there is no way OTL could have caused it with the instructions given (the fix).
> When running the OTL software, it prompted for a number of uses of registry key changes and prompting for a windows disc to install the registry entries. The process was continued without doing this because it was a part of the OTL process,
According to the developer this cannot possibly have been caused by OTL. The script only instructed to look at two registry keys (related to internet explorer/firefox settings).

It is possible another program caused this. Was the computer rebooted after running Combofix and MBAM (although these two also did not remove anything that could even begin remotely to explain this)? Other malware is most likely excluded (after the OTL fix the computer would have been clean).


Some general information on the Asus Recovery partition (let's hope we will not have to use it).
> I'd like to give you a brief description of the system recovery utility all notebooks from ASUS come with. You can use it from a special hidden partition on the hard drive by pressing F9 at system startup or from the included Recovery and Driver&Utility discs (to do that, you should press Esc at startup, select Boot from ATAPI CD-ROM Drive and then change the discs as requested). The system will offer four options to you:
>
> 1. If none of the following recovery options is selected, the computer will just be rebooted to load Windows (if Recovery is started from the hard drive) or run the bootable disc in the optical drive.
>
> 2. The first partition is deleted (the others remain intact) and a new system partition C: will be created.
>
> 3. This option removes all the partitions from the hard drive and creates a new system partition C:.
>
> 4. This option removes all the partitions from the hard drive and creates two new partitions C: (60% of the drive's storage capacity) and D: (40%).



Can you please try to create a Hiren's Boot CD bootable flash drive?

Instructions are here
This presumes you have already created the CD. See instructions below on how to do that.
  1. Download Hiren's BootCD Iso to the desktop of a clean computer.
  2. Extract the zipped HirensBootCD.zip to your desktop.
  3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  5. Insert a blank CD in your drive.
  6. Press Start. This will burn the image to disc.

After you have created the flash drive successfully, please boot from it.

Navigate to the following file: c:\windows\servicepackfiles\i386\drvmain.sdb
Copy this file and paste it in the following folder: c:\WINDOWS\AppPatch

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 15 February 2010 - 01:12 PM

I have allowed the options to show hidden files and extensions. I've also allowed the option to show system files. Nothing appears to have been written to my key except the two files (menu, grldr) that I personally copied over. I do not see HBCD folder or autorun.inf on my key. I have also run Grub for DOS twice. I will wipe my key and make an attempt to do it from the beginning again, in case I missed a step.


#4 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 15 February 2010 - 01:15 PM

No, I thought I had made a mistake in selecting the FAT to format my key in, but after knowing I selected the correct FAT32 (as exampled) I am still missing the folder and the autorun files in my explorer window when viewing my key.

#5 Elise


Posted 15 February 2010 - 01:28 PM

Didn't try it myself, but I think you have to do this:
> Insert the BootCD (9.7 or newer) in the CD Drive and Copy everything from CD to USB Flash Drive


regards, Elise


#6 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 15 February 2010 - 01:36 PM

Well that's just cheating if you do it out of order...

Let me go do that now.

#7 Elise


Posted 15 February 2010 - 01:42 PM

> Well that's just cheating if you do it out of order...
Believe me, this is only the beginning!

regards, Elise


#8 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 15 February 2010 - 05:03 PM

In the BIOS, I disabled all startup devices except the external devices under boot priority. My choices were CD-ROM, Hard Drive and External Devices. All the USB Functions are enabled according to the BIOS settings.

I get the option to choose between the recovery console and XP Home when attempting to boot with the boot priority set to USB, then HDD. If I set it to External Devices only, I get the following error: "Reboot and Select proper Boot device or Insert Boot Media in selected Boot device and press a key."

I've double-checked the key. It has the three files and all 70+ items in the folder. It should boot from the key, correct?

#9 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 15 February 2010 - 09:57 PM

TheresaG86 has an Asus windows recovery DVD, from the sounds of it. I will be picking it up tomorrow. Does that change what we should be doing as far as restoring the sdb file?

#10 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 16 February 2010 - 01:27 AM

I got it up and running. (The trick was to first change the BIOS to boot only to external devices. And then [every time] you have to exit the BIOS and hold ESC to get the boot menu and select the flash drive.)

The sad thing is that there is no directory C:\WINDOWS\servicepackfiles\i386 to pull the missing file from. I've double-checked my folder settings and I have all the folders, extensions and system files set to be visible, as far as I can tell. But when I try to navigate in the address bar to the above directory, miniXP tells me that file:////C:/WINDOWS/servicepackfiles/i386/ could not be found, and to check that the path and internet address are correct.

I will have the ASUS DVD in my hands about this time tomorrow (maybe a few hours earlier) to use for whatever we need. Is there nothing else I can look for and try in the meantime, now that I know how to get Hiren's up and running?

#11 Elise


Posted 16 February 2010 - 02:54 AM

> and miniXP tells me that file:////C:/WINDOWS/servicepackfiles/i386/ could not be found
You should use backslashes: c:\windows\...

Does that make any difference?

regards, Elise


#12 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 16 February 2010 - 03:31 AM

No. I used backslashes. The path you see there is the path that windows returned in its error message telling me that the path I typed doesn't exist.

#13 Elise


Posted 16 February 2010 - 03:41 AM

Does the desktop not have a My Computer icon that you can use to manually browse?

If not, please do a search for the file and let me know if any copies were found (if so, please include the filepath).

regards, Elise


#14 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:01:12 AM

Posted 16 February 2010 - 01:55 PM

6 results.

DRVMAIN.SDB -- c:\cmdcons
drvmain.sdb (blue) -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\$NTUninstallKB951618-v2$
drvmain.sdb -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\AppPatch
DRVMAIN.SDB -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\i386
drvmain.sdb (blue) -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\system32\dllcache
drvmain.sdb -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\$hf_mig$\KB951618-v2\SP3QFE

#15 Elise


Posted 16 February 2010 - 02:40 PM

Okay, I relayed this to OTL's developer, because it definitely looks like this file was moved.

In the meantime, can you look for the OTL log in C:\_OTL\MovedFiles?

Please post its contents if there.


EDIT ~ In the hope that this was the only file accidentally removed (fingers crossed), please copy the following file into the c:\WINDOWS\AppPatch folder.

C:\_OTL\MovedFiles\02142010_141423\WINDOWS\AppPatch\drvmain.sdb

After successfully doing so, try to reboot normally.

Edited by elise025, 16 February 2010 - 02:44 PM.

regards, Elise
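
The search results in post #14 show what became of the missing file: every copy of drvmain.sdb that used to live under \WINDOWS now sits under C:\_OTL\MovedFiles\02142010_141423\, and the fix in post #15 is to copy the AppPatch one back. The script below is an added example, not code from the thread or from OTL itself. It parses the search hits exactly as DnDer posted them, maps each quarantined copy back to its original location (the layout C:\_OTL\MovedFiles\<timestamp>\<path relative to the drive root> is an assumption read off the paths on the page, not taken from OTL documentation), identifies the copy that belongs at C:\WINDOWS\AppPatch\drvmain.sdb, and rehearses the copy-back on a constructed temporary directory: it refuses to overwrite a file that is already present and hashes the quarantined copy against a reference copy before restoring. The file contents and the temporary tree are constructed; nothing touches a real C: drive.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# The six search hits as posted in the thread; "(blue)" is Explorer's marker
# for NTFS-compressed files and carries no meaning for the restore.
SEARCH_HITS = r"""
DRVMAIN.SDB -- c:\cmdcons
drvmain.sdb (blue) -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\$NTUninstallKB951618-v2$
drvmain.sdb -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\AppPatch
DRVMAIN.SDB -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\i386
drvmain.sdb (blue) -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\system32\dllcache
drvmain.sdb -- C:\_OTL\MovedFiles\02142010_141423\WINDOWS\$hf_mig$\KB951618-v2\SP3QFE
"""

# Path named by the boot error, and the quarantine root. The layout
# <root>\<timestamp>\<path relative to the drive root> is an assumption taken
# from the paths in the search results, not from OTL documentation.
MISSING = PureWindowsPath(r"C:\WINDOWS\AppPatch\drvmain.sdb")
QUARANTINE_ROOT = PureWindowsPath(r"C:\_OTL\MovedFiles")

HIT_RE = re.compile(r"^(?P<name>\S+)(?: \(blue\))? -- (?P<dir>.+)$")


def parse_hits(text):
    """Turn 'name -- directory' lines into full Windows paths."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(PureWindowsPath(m["dir"]) / m["name"])
    return hits


def _same_path(a, b):
    # Windows paths are case-insensitive; the hits mix DRVMAIN.SDB and drvmain.sdb.
    return str(a).lower() == str(b).lower()


def original_location(path):
    """Map <quarantine root>\\<stamp>\\X\\Y back to C:\\X\\Y, or return None
    when the path is not inside the quarantine tree."""
    parts, root = path.parts, QUARANTINE_ROOT.parts
    if len(parts) <= len(root) + 1:
        return None
    if [p.lower() for p in parts[:len(root)]] != [p.lower() for p in root]:
        return None
    # parts[len(root)] is the timestamp folder; everything after it is the
    # original path relative to the drive root.
    return PureWindowsPath(parts[0]).joinpath(*parts[len(root) + 1:])


def plan_restore(hits, missing):
    """Return (quarantined copy that came from `missing`, other copies of the
    same file name that can serve as references)."""
    quarantined, references = None, []
    for hit in hits:
        if hit.name.lower() != missing.name.lower():
            continue
        origin = original_location(hit)
        if origin is not None and _same_path(origin, missing):
            quarantined = hit
        else:
            references.append(hit)
    return quarantined, references


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def restore_file(src, dst, reference=None):
    """Copy src to dst, never overwriting, and refuse if a reference copy is
    given and its contents differ. Returns the SHA-256 of the restored file."""
    src, dst = Path(src), Path(dst)
    if dst.exists():
        raise FileExistsError(f"{dst} already present; not overwriting")
    if reference is not None and sha256_of(src) != sha256_of(reference):
        raise ValueError("quarantined copy differs from reference; inspect before restoring")
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dst)
    return sha256_of(dst)


def rehearse():
    """Rehearse the restore on a constructed temporary tree, not a real C: drive."""
    root = Path(tempfile.mkdtemp())
    payload = b"constructed stand-in for drvmain.sdb"  # constructed content
    quarantined = root / "_OTL" / "MovedFiles" / "02142010_141423" / "WINDOWS" / "AppPatch" / "drvmain.sdb"
    reference = root / "WINDOWS" / "system32" / "dllcache" / "drvmain.sdb"
    for p in (quarantined, reference):
        p.parent.mkdir(parents=True)
        p.write_bytes(payload)
    target = root / "WINDOWS" / "AppPatch" / "drvmain.sdb"
    digest = restore_file(quarantined, target, reference=reference)
    return target.exists() and digest == hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    copy, refs = plan_restore(parse_hits(SEARCH_HITS), MISSING)
    print("restore from:", copy)
    for r in refs:
        print("reference   :", r, "| originally", original_location(r) or "not quarantined")
    print("rehearsal ok:", rehearse())
```

The other five hits are worth keeping as references rather than restoring blindly: the copy under c:\cmdcons belongs to the Recovery Console installation, and the copies under $NTUninstallKB951618-v2$ and $hf_mig$ are the pre-update backup and hotfix versions of the same file, so a hash mismatch against one of those means "inspect which version you are looking at", not "the quarantined copy is damaged". The refusal to overwrite an existing target is deliberate: if the file has reappeared since the search, something else has changed and the restore should stop rather than paper over it.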




