Virus Scan Deleted Critical Startup Files

After running a web-based virus scanning app, I was prompted to clean or delete three trojan horse files. I foolishly chose delete before I saw the clean option. I can no longer boot Windows 2k up at all. I get the dreaded blue screen even after attempting to use all of the safe mode options Windows provides. I've run the repair feature from the Win 2k CD several times now and am sitting in the recovery console trying to figure out if I can just undelete those three files from the recycle bin.

One last point, in my efforts to restore things, I did a full install Win 2K on my c: drive (original version on the d: drive.) If I could see the recycle bin for the "bad" Win 2k installation I could undelete through File Explorer. I just can't find it and can't begin to remember the names of the files I deleted.

Any guidance would be appreciated.

 

The 'recycle bin' will be specific to the user account you were using when you did the deed.

You will need to be set to show hidden files/folders and also to uncheck the block (windows explorer, tools, view) to hide protected operating system files.

At that point, you should see a folder named Recycler and some subfolders inside that have long numeric folder names. One of those should contain the deleted files.

If the above doesn't do it for you, please post the exact error message from the top section of the blue screen. Include the stop code numbers.

 

Error Message

Newt,
From the new instance of Win 2k, I tried to locate the Recycler under the profile I was logged in under in the original version of Win 2K. I was able to use the File Explorer Search feature and find the new Recycler folder but not the old one. I manually went under every folder under the original profile and the only thing I found was four directories with random alpha-numeric names and some xml files under each one.

Here is the blue screen error message:
*** STOP: 0x00000050 (0xED8F0A92, 0x00000000, 0xED8A6051, 0x00000000) PAGE_FAULT_IN_NONPAGED_AREA

Thanks,
Mat

 

Here is what you are dealing with.

There should be at least one dump file generated by the stop error. Look in the General Discussions section for the sticky thread by JoeHobart for running the dump analysis tools. You'll need to create a dump file and post it to allow us to ID the driver (or missing driver) that is most likely causing the issue. It may be possible to just put a new copy in the original OS and have things start working again.

Note that most of the dumps are too large for a single post so you'll probably have to split it.

 

Unable to Create Dump File

I suspect that the rules in Joe's dump file procedure apply if you are able to boot into Windows in Safe Mode and install the debugging application. Since I can't get past the blue screen, I can't install the debugging app. I did try to boot into the new version of Windows, installed the debugging app, rebooted using the old dead version of Windows, got the blue screen, rebooted again into the new version of Windows and I couldn't find that a dump file was generated. I don't think the old version of Windows recognizes that I installed the debugging application in the new version of Windows.

I was able to find some log files but will need to do some gymnastics to transfer them. Are there any that come to mind that would be particularly useful for troubleshooting?

Thanks!
Mat

 

Mat - I'll have to leave this one for a real code-guru expert. The problem is way over my head at this point.

 

Getting the actual dump file out of the pagefile can be problematic. Probably not worth the hassle.

If i were in your shoes, i would go through your c:\recycled and look for files that look like DLLs EXEs and SYS files. Once you find them, look in \windows\system32 and compare against \winfreshinstall\system32 (the new install you just made). If you find any deltas (should be three of them), then there you go.

If that doesnt work, you can follow the scary advice i gave in this post, or just reinstall. http://www.windowsbbs.com/showpost.php?p=210161&postcount=3

 

This is way out of my league but I have a question or two. And questions only.

If the old install was on D: and the new is on C:, how can the new see the old Recycle Bin ? It more than likley does not evne know it is there.

And even if it could be seen to undelete the files, where would they go ?

BillyBob