Any way to recover a file that Anti-Rootkit removed?

I used the Anti-Rootkit program and it reported C:\Windows\System32\Drivers\Safeboot.sys
as being bad and it removed it. However, now I can't boot (even into Safe
Mode). Is there a way to recover this file that SAR removed? I have
full access to the drive by putting it in another computer.

Hoping instead of deleting it… SAR renamed or moved it.

Thanks!

Hugh


This thread was automatically locked due to age.
  • Hello Hugh,

    Safeboot.sys is not a standard driver - either it belongs to McAfee's encryption (also heard that it could be part of HP's Protect tools) or it was indeed some malware. If the former, a special procedure is required to restore it.

    Was this the only threat reported? If you can't remember, please try to find sarscan.log and sarclean.log (should be in the %TEMP% directory of the user which has performed the scan or the system %TEMP%). If it was malware and not related to the Safeboot product, then changes have been made to the registry which make Windows think it needs it.

    Christian
