Virus wiped out registry?

Hi all.

A friend has brought me her computer.  It won't boot up.  That is, it boots, we see the Win95 screen...then a dos type from stating error reading drive c, abort, retry, fail?

So, I'm thinking that since she hasn't updated her Norton AV defs since 1998, she probably got a virus and it has wiped out or corrupted the registry.

Naturally, she didn't have any Norton Rescue disks either.  So I used a set of mine.  This worked fine except that it looked for def's on her HD, which naturally being 3 years old are useless.

I figured what I would do is remove her HD from her computer and slave it to my main drive.  Then I can use my version of Norton (which is up to date) to scan it, and hopefully repair the offensive file.

Here's the problem.  When I took out her drive and tried to install it in my box, it tried to boot to it, instead of just being a slave to my drive.  An error came up saying Invalid Boot Disk, please put disk in drive A.

On my back-up drive I can easily switch from master to slave by moving the jumpers.  On this (Quantum Fireball 3.5) drive there doesn't seem to be a way to do that.  There is a port for the ribbon cable, a port for the power source and another port with 3 little prongs (not circular like the jumpers on my other drive).

Any idea how I can slave this to stop it from being booted to?

OH, and I should mention....my computer is Win 98...this drive is win95......is that going to *F* me up?

TIA
Asked by: ClassyLinks

pbessman Commented:
You are concerned about Viruses and are risking your system to do so.  How valiant! Anyway, if you are running a different OS you may want to put her drive on your secondary IDE rather than Primary.  This may help.  Hope it does!

ClassyLinks (Author) Commented:
Right pb....how would I do that?

And IYO how bad could this be?  When I boot up Norton scans my system.  Whenever a file is accessed it scans.....If I slave the drive and then just run Norton on the slave from the master shouldn't I be ok?

CrazyOne Commented:
Hi Classy umm what pb is suggesting is hook the HD to the ribbon cable your CD ROM is hooked to. But I don't think that will help. We have an HD at work that has no jumpers to set as master or slave and no matter how I hook it up it always insists on being the master. Is it possible you could network the two systems together and then run the virus scanner across the network?


The Crazy One

ClassyLinks (Author) Commented:
hmmm crazy....she has no network card.  I guess I could swap one of the existing Win95 machines on my lan....but if it won't boot up, it won't be able to sign on to the network, so how can I scan it?

pbessman Commented:
You should be able to replace your CD rom with it if it is CABLE SELECT, but more than likely you may need your CD ROM so by attaching it to same cable that your CD is on you should be fine.  You may want it as master with CD ROM as slave.  You will also need to go into BIOS and make sure the drive is detected there first.

pbessman Commented:
Is this IDE or SCSI Fireball?

Check here regardless.  Heads up!  Maxtor bought Quantum if you were not aware of this.  http://www.maxtor.com/Maxtorhome.htm

pbessman Commented:
Quantums seem to be like IBM drives in the fact that they both have more than just Master/Slave but also their default Cable Select * (Default)


Go here for setup of Fireball lct 20
http://www.maxtor.com/quantum/support/hdd/fireball_lct20_ata_support.htm

Or here for Fireball Plus AS
http://www.maxtor.com/quantum/support/hdd/fireball_plusas_ata_support.htm

ankurfaujdar Commented:
I thought that your HDD would have crashed.

ClassyLinks (Author) Commented:
Ok...when I look closer at the label on this baby, there is a diagram of what those 3 rectangular pins do! ;-)

One Option reads:
Master default
Slave

The 2nd:
Jumper Storage

The Third:
Cable Select M/S

Which do I need to ensure it boots as slave?

CrazyOne Commented:
Try jumping the first pin. Is there a jumper on it now?

CrazyOne Commented:
Looking at the link pb supplied it looks like there should be 4 sets of pins. The first set (next to the power supply) is not used and the second set is for the Slave option.

CrazyOne Commented:
Sorry Classy I am confusing myself. How are the pins laid out.

P . . . .
C . . . .

. . . . P
. . . . C

PC = Power connector.

P . S . .
C . L . .

. . S . P
. . L . C

SL = Slave

Are the pins laid out like the ones I diagrammed here?


ClassyLinks (Author) Commented:
Crazy (&pb)....I really appreciate you holding my hand on this one.

I only have 3 pins here.  None with jumpers on.  Using your beautiful description, here is how the diagram looks.

CS DS  SP
 .  |   . = Master (default)
 .  .   . = Slave
 .  .   | = Jumper Storage
 |  .   . = Cable Select M/S

There is only one row of pins....so my jumpers won't fit.

ClassyLinks (Author) Commented:
Hard to read that with this font setting.

OK...there are three pins, CS, DS, & SP

In my diagram above...a | indicates with a jumper while a . represents a free pin.

I can't test this because the only jumpers I have are for two pins at a time....is there such a thing as a single pin jumper?

CrazyOne Commented:
Hmmm according to your diagram if all pins are opened then that should make it a slave. And your comment indicates that there is no jumper on any of the pins. This is quite weird. I have had a few disks that had the wrong diagrams for the jumpers and just had to experiment until I found the correct settings. Apparently there is no space above or below those pins that the unused slot of a double pin jumper could sit in the open space.

Also is the drive that is going to be the master set up as the master and not cable select? This can make a difference sometimes.

ClassyLinks (Author) Commented:
From Pb's link I can tell you that it is a Fireball TM drive....2100 I think.

The Model No is:

2100AT TM21A462 REV 01-B A6B24

All the references I can find indicate that it should have 4 pins...but it only has 3!  How strange this is!

ClassyLinks (Author) Commented:
My master is definitely set as a master...I usually have a spare 75 Gig slaved to it, which I have removed for this exercise.

There is no way on GGE that a jumper is going to fit on this baby...unless I want to cover two pins at a time.

Ok....let's forget this slave idea for a minute.

I know I can get a dos prompt on this disk.  I've downloaded an exe from Norton to update the virus defs...any idea if it will work from dos mode?

CrazyOne Commented:
Yeah I agree and that is what is making this even more confusing. Umm is there any way you could take a picture of the HD and scan it to a web page and then provide a link here so we can look at it? :>)

ClassyLinks (Author) Commented:
GRRRR the exe idea isn't going to work either....file too big for floppy.

Picture....good idea.  Let me see if I can get my scanner up and running.

CrazyOne Commented:
Sorry I did not see your DOS comment before my last comment. I kind of doubt that will work because a lot of file dependencies involved and versioning issues. But hey it may be worth a try. :>)

CrazyOne Commented:
Hehehe you keep jumping in there before I have a chance to respond. LOL

ClassyLinks (Author) Commented:
LOL....somebody's got to drive you, Crazy!

Ok..just scanning the front, back and ports of the drive as well as the label.  Give me a few minutes and I'll come back with a URL.

ClassyLinks (Author) Commented:
Ok...sorry for the bad images....but I hope you can see enough.

http://classylinks.ca/ee/

CrazyOne Commented:
I am looking at the pictures now and will get back to you. Definitely does not look like the usual type of jumpers that is for sure. :>)

ClassyLinks (Author) Commented:
Hurray! I'm not the "CrazyOne"!  I knew they were unusual!

LOL

CrazyOne Commented:
Hehehe

Well here is a page to start our investigation out with. Take a look at it and see what you think. I am still looking into it.

http://www.pc-disk.de/pcdisk/h/JUMPERS/771.HTM

ClassyLinks (Author) Commented:
Ok...the good thing about that link is that it shows the pins as I have here....but it still talks about installing jumpers.....my jumpers are meant to span two pins......is there such a beast as a one pin jumper?

ClassyLinks (Author) Commented:
hold it...I just reread it....is it saying that those 3 pins are an alternate power input, not jumpers at all?

ClassyLinks (Author) Commented:
Ok...I found the jumpers!

They were on the bottom of the drive...not in the ports!

I'll remove them now and try this as a slave.

If all goes well....I will return.

8-)

CrazyOne Commented:
Yeah I just came to the same conclusion. I found a pdf that shows it to be for a 3 pin power connector. This is a real old HD.

CrazyOne Commented:
Shoot I was just getting ready to suggest to look at the back side of the disk. Oh well it had been a long time since I have seen a HD like that so I have forgotten about them. Geesh hehehe

Kyle Schroeder (Endpoint Engineer) Commented:
"Error reading Drive C"...I have a feeling this is a hardware failure, not a virus corrupting the registry.  If a virus corrupted the registry, you would get an error similar to "Windows encountered an error accessing the system registry...." etc.
From your diagram, it looks like you need to put no jumpers on for Slave setting, which would be somewhat unusual.  I have a Quantum Fireball ST 3.5 series drive here, it doesn't show a config for slave, only cable select, master, and park.  Otherwise, I'd put the jumper on the 2nd set of pins (from the data connection).  Just keep switching it (powered down between changes!) until it works.  Slave may be a horizontal setting.

-d

ClassyLinks (Author) Commented:
Zippidy Do Dah!  It is slaved and Norton is scanning!

The good news...or bad news...is that it found no viruses.

So what could be causing it not to read the registry file?

pbessman Commented:
Time for an Upgrade???  What kind of computer did this come out of?  Is there some really important data, or just trying to save the expense of upgrade?

ClassyLinks (Author) Commented:
The drive is totally intact.  All data seems to be there.

Let me plug it back into her box and tell you EXACTLY the error.

pbessman Commented:
So you got it slaved, it may not read the registry file as that may have been an initial issue.  Perhaps you can back up the data you need from this drive and either trash it for one easier to support or reformat and reload after saving vital stuff you need.  I would replace it and keep this drive if you failed to get something off of it.  Maybe you should copy its content to a couple of CDRs.

pbessman Commented:
Waiting.

pbessman Commented:
I have had some drives with jumpers on bottom makes for fun huh?  Mostly floppy drives though.

pbessman Commented:
Where on the bottom?  Between the power and IDE connectors?

CrazyOne Commented:
Classy set the Quantum back as the master and get to a DOS prompt and run this command

scanreg /restore

It could be a corrupted registry. It is a long shot but sometimes it works.

If you can get that disk to get into SafeMode then run scandisk on it who knows maybe the disk is salvageable. If you can get into SafeMode then the problem is probably OS related, if you can't then it is probably a bad HD.

CrazyOne Commented:
Oh I forgot to say HI pbessman. :>)

pbessman Commented:
What is happening to my POSTS they seem to be disappearing.

pbessman Commented:
It could be a corrupted registry. It is a long shot but sometimes it works.

This was benefit of 98 isn't this a 95 upgrade from WFW 3.0??

ClassyLinks (Author) Commented:
Ok...the first error is:

Nav Auto-Protect
Unable to determine the location of the configuration files.

The second is:
Windows Networking
The following error occurred while loading the device VNETSUP
Error 6107: Could not set up instance data

The Third ( and what prompted the registry idea):

Registry Problem
Windows encountered an error accessing the system registry.  You should restore the registry now and restart your computer.

If you ignore this error and shut down your system, you may lose data.

Restoring the registry will replace the faulty registry with a known good backup copy.  However, this backup copy may not contain all of the information recently added to your system.

When I click the button (Restore from Backup and Restart),
it says: To finish restoring your registry you must restart, Yes or No.

I choose Yes.

And we go through the cycle over and over again!

I'll try your dos prompt idea now crazy.


pbessman Commented:
we see the Win95 screen  No scanreg /restore as that was for 98 http://support.microsoft.com/support/kb/articles/Q183/6/03.ASP?LN=EN-US&SD=gn&FR=0&qry=scanreg&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=W98

"The information in this article applies to:

Microsoft Windows Millennium Edition
Microsoft Windows 98
Microsoft Windows 98 Second Edition

--------------------------------------------------------------------------------


SUMMARY
This article describes how to customize the Registry Checker tool by manually editing the Windows\Scanreg.ini file. You can also customize the Registry Checker tool (without manually editing Scanreg.ini) by using the SREdit tool included with the Windows 98 Resource Kit. The SREdit tool is located in the Config folder on the Windows 98 CD-ROM. Both the MS-DOS version (Scanreg.exe) and the Windows 98 version (Scanregw.exe) of the Registry Checker tool use settings in the Scanreg.ini file.

 "


pbessman Commented:
Hi CrazyOne!

ClassyLinks (Author) Commented:
scanreg /restore = bad command or file name  8-(

Can't get it into safe mode either

hey pb...just saw your posts now.

The problem is...she has NONE of her disks (OS/Programs) she thought that she could throw them out because she never used them.  Aaaahhh the innocence!


ClassyLinks (Author) Commented:
Ok...so that command is 98 only.....any ideas for poor ol 95?

CrazyOne Commented:
Well it does seem that the HD may be alright. I can't remember with Win95 but the backup of the registry is usually kept stored in a cab file and there usually are several of them usually for 5 different backups. They should be in one of the subdirectories of the Windows directory.

pbessman Commented:
...she has NONE of her disks (OS/Programs) she thought that she could throw them out because
she never used them

So much for having a clean desk.;-)

Happens all the time here.  That is why our IT group no longer leaves software at users desks but in a file cabinet with licenses and stuff it is actually more like a locker as they are filed like books.  Do you know what she had?  Perhaps software needs to be upgraded as well as virus definitions.  

pbessman Commented:
There is something as an add on but you would have to keep it current.  

I am familiar with second option and ERU
from http://support.microsoft.com/support/kb/articles/q132/3/32.asp?LN=EN-US&SD=gn&FR=0&qry=registry%20backup%20files&rnk=15&src=DHCS_MSPSS_gn_SRCH&SPR=W95


To back up your registry files, follow these steps:
Restart your computer. Press the F8 key when you see the "Starting Windows 95" message, and then choose Safe Mode Command Prompt Only from the Startup menu.


At the command prompt type the following lines, pressing ENTER after each line:
cd windows
attrib -r -h -s system.dat
attrib -r -h -s user.dat
copy system.dat *.bu
copy user.dat *.bu
NOTE: This procedure assumes you do not have any files named System.bu or User.bu. If you do have files by this name, such as a backup of the System.ini file, select a file name extension that is not currently in use.


Restart your computer.


To restore your registry files, follow these steps:
Restart your computer. Press the F8 key when you see the "Starting Windows 95" message, and then choose Safe Mode Command Prompt Only from the Startup menu.


Type the following lines at the command prompt, pressing ENTER after each line:
cd windows
attrib -r -h -s system.dat
attrib -r -h -s system.da0
attrib -r -h -s user.dat
attrib -r -h -s user.da0
ren system.dat system.daa
ren system.da0 system.da1
ren user.dat user.daa
ren user.da0 user.da1
copy system.bu system.dat
copy user.bu user.dat
NOTE: This procedure assumes you do not have any files named System.daa, System.da1, User.daa, or User.da1. If you do have files by this name, select a file name extension that is not currently in use.


Restart your computer.


Notes:
You may want to back up more than one version of the registry in case the registry becomes damaged but the damage is not detected until later. If you want to do this, when you are following the steps above, replace the .bu extension with .bu1, .bu2, and so on.


If you have more than one hard disk or a network drive is available, you may want to copy the backup files to the other drive so the backup files do not reside in the same location as the original registry files.




Method 2
You can use the Windows 95 Emergency Recovery Utility to create a backup of your system configuration and registry files and restore these files in case a problem should occur.

For information about using the Windows 95 Emergency Recovery Utility, see the following article in the Microsoft Knowledge Base:
Q139437 Windows 95 Emergency Recovery Utility
Additional Information
Windows 95 stores information about the hardware and software in your computer in the System.dat and User.dat files. The System.dat and User.dat files should be treated as a pair. You should back them up together as a pair and restore them together as a pair. These files are hidden, read-only files.

Note that if you are using user profiles, you should also backup the User.dat files located in the following folders

ClassyLinks (Author) Commented:
sure pb....all would be well if she backed up or use the system utility......I need to go in there and restore it manually now right?

How would I do that?

Crazy:  going to the command prompt and doing a dir/p .....what exactly am I looking for?

jlauster Commented:
Ah ha,

Beat me to it!

pbessman Commented:
Yours is slightly different.

pbessman Commented:
Some people I know would just reload 95 over the old one and reassociate files to make everything work.

jlauster Commented:
I see that now. The link I posted seems to describe your problem to a tee. May be the solution, I hope, for your friend's sake.  :-)

pbessman Commented:
describe your problem to a tee?  Considering the fact that the solutions are similar I don't think that was necessary.

ClassyLinks (Author) Commented:
Great link jlauster....does look like it should work....however it makes me nervous.

Can I jump right ahead to:
Using System.da0
Restore the registry to its state when you last successfully started Windows 95. To do so, follow these steps:
Restart the computer. When you see the "Starting Windows 95" message, press the F8 key, then choose "Safe mode command prompt only" from the Startup menu.


Type the following command to move to the Windows folder
cd \<windows>
where <windows> is the Windows 95 folder. For example, if Windows 95 is installed in the Windows folder, type the following line:
cd \windows



Type the following line:
attrib -s -h -r system.dat



Type the following line:
ren system.dat system.bad



Restart your computer. Windows 95 uses the System.da0 file when it cannot find the System.dat file. If this file works, Windows 95 renames it to System.dat.



Remember I don't have back-up of the system.dat or the user.dat...but if they are already corrupt that shouldn't matter, right?

ClassyLinks (Author) Commented:
Ok...I'm trying it step by step.

After the first attempt, I got Unable to open registry...the article refers you to this page: http://support.microsoft.com/support/kb/articles/Q132/0/64.ASP

It's not much help!  

On to the next attempt.

jlauster Commented:
I think before you attempt to reload Windows, you will want to make a copy of the drive. You may lose the data when the registry is rewritten. This drive may also fail while trying to reinstall. If you are able to reinstall and have the drive booting, you can then copy the data back to the drive.

ClassyLinks (Author) Commented:
Restoring the system.1st worked!

jlauster actually provided the final link...but crazy & pb helped so much too.

This is my last 50 pts until next week.  Would anyone object if I award these to jl and come back and give crazy & pb 50 pts each next week?

CrazyOne Commented:
Whatever you feel is fair, Classy, is OK by me. :>)

jlauster Commented:
pbessman:

Sorry if you feel I stepped on your toes. In retrospect I should have phrased it with a bit more tact. There was truly no attempt to push the question my way. It just seemed to me that the link was an exact description of Classy's error message. Again, I apologize.

John

jlauster Commented:
Classy,

Award the question however you feel is fair. Don't really care if I'm in on it or not. Just glad you got it resolved!

ClassyLinks (Author) Commented:

I hope by now that some of you know my MO....I like to award points where they are due.  Unfortunately...I've been "caught at the end of the month".

50 pts each to the three of you ;-)  Just have to wait a few days.

jlauster Commented:
I know the MO, and as always, the classy in the handle still fits. As far as I'm concerned, save your points for next month's questions. I'll help you when I can, even if it's a zero pointer in the Lounge (where the points really matter).

pbessman Commented:
John, What is the lounge?  I usually just look at who needs help and offer it.  I figure hardware is usually a strong suit so I stick with it.  Anyway, Classy do what you think is fair.  The postings seem to get a bit mixed up at the end with all the attention you were getting here.  I had mentioned previously that you may want to make a backup of the hard drive or replace it with a newer one and have your friend keep this as an archive if needed.  If not I am sure she could sell a small drive to someone on Ebay who is just looking to load the Linux OS for a firewall box.

Kyle Schroeder (Endpoint Engineer) Commented:
Classy:
Did you run a thorough Scandisk on the drive to check for corruption?  I still believe that the hard drive is failing and needs to be replaced; if the backup .da0 files were corrupted and unloadable, then that is even more likely.  The Registry could become corrupted from an untimely reboot while Win95 was running, but it wouldn't damage the backup files.  Please run Scandisk or Norton Disk Doctor on the drive and choose the Surface scan to verify.

-d

ClassyLinks (Author) Commented:
ok dogstar...starting it now.

Thanks for the reminder.

ClassyLinks (Author) Commented:
Thanks all!

Points for pbessman, CrazyOne & dogztar are waiting...


(Looks like the HD is going...won't even do a scandisk.  Bought her a new 30G drive today and am installing it now....far cry better than this 2g, eh?)

jlauster Commented:
But it probably won't be anywhere near large or fast enough in another 3 years! Thanks Classy.

John

jlauster Commented:
If you haven't already, you could also try the scandisk from DOS or Safe Mode for a better shot at getting it done.

pbessman Commented:
I found a good picture of a drive like yours on this page(notice where the jumpers really are:-)), http://www.maxtor.com/quantum/support/hdd/hdd_faq_support.htm

BTW, Since you are saying it is R.I.P.(resting in pieces) you may want to see if a utility from here can help you salvage the drive.  http://www.maxtor.com/quantum/support/csr/software/softmenu.htm

I know it says MAXTOR, "Maxtor is pleased to announce their merger with Quantum...".  I called them on one of my Maxtor drives that somehow bit the dust.  Perhaps a few too many Various operating systems and having the EZ-BIOS removed one too many times.  It was passing all the tests, but one. Trouble was it would save data, but it would not read the data it had.  It generated a trouble code for my RMA and they replaced it for me as soon as I called them.

ClassyLinks (Author) Commented:
Thanks pb...downloaded the file...let's see if it does any good.
Question has a verified solution.
