A Windows XP help forum. PCbanter


Edit Registry from DOS

  #1  
Old July 20th 04, 04:57 PM
snewbury
Default Edit Registry from DOS

Hi All,

I am attempting to recover from a Spyware install. I've removed the Spyware installation and most registry entries, however, I couldn't remove the most important one until the file was gone. The only way to remove the software was to boot into DOS and delete the file from there since the way it was being loaded was through the WinLogon process.

The problem I have now is that even though the spyware is gone, I can't remove the entry out of the registry, because my system will no longer boot. In its current state, when the system boots, it looks for the spyware file during the winlogon process, but since it can't find it anymore, the winlogon process blue screens.

Before the spyware software was removed, I was unable to delete the entry in the registry, since every time I deleted the registry entry for the spyware, it would re-enter itself. (It had a hook into the explorer.exe process).

I am now trying to copy the registry from this system to another one so that I can edit it and remove the corrupt entry. I don't know what files the registry consists of, so I was wondering if you could point me to the correct files.

As an alternative, if any of you are aware of DOS tools I can use to edit the registry, I would also be willing to try that. Note that the entries in the registry for the Spyware are preceded by a null character, so regular registry tools will not even see the entries. I had a heck of a time figuring this out, since essentially the spyware put a null character entry in front of the entire WinLogon registry node. Normal registry tools use the Win32 API, which ignores anything after a null character. In other words, the entire WinLogon registry node in this case.

At any rate, any suggestions to edit the registry in a non Windows mode, or by copying it to another computer, would be highly appreciated. My understanding is that the spyware was a variation of the VX2 Better Internet software. Nasty stuff to get rid of, or even find.

Your help is much appreciated!

Steve.
  #2  
Old July 20th 04, 05:52 PM
Carey Frisch [MVP]
Default Edit Registry from DOS

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

[Courtesy of MS-MVP Michael Stevens]

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/


  #3  
Old July 20th 04, 08:02 PM
Vincent Fatica
Default Edit Registry from DOS

Check whether MSGINA.DLL (a likely target) is missing or not authentic.

The registry files are those with no extension (e.g., "software") in
System32\config. In addition, each user has an NTUSER.DAT in his profile
directory.


--
- Vince
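
An added example, not part of the thread: once the hive files named in the post above have been copied to another machine, an offline scan can list key nodes whose stored name contains a NUL character, the condition snewbury describes. The `nk` record offsets follow the commonly published description of the hive file format and are an assumption here; the function names and the sample hive are constructed for illustration.

```python
import struct

HBIN_START = 0x1000     # hive bins follow the 4096-byte "regf" base block
KEY_COMP_NAME = 0x0020  # nk flag: name stored as 8-bit characters, else UTF-16LE

def find_nul_key_names(hive: bytes):
    """Return [(cell_offset, name)] for key nodes whose counted name contains NUL."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive: missing regf signature")
    hits, pos = [], HBIN_START
    while pos + 32 <= len(hive) and hive[pos:pos + 4] == b"hbin":
        bin_size = struct.unpack_from("<I", hive, pos + 8)[0]
        if bin_size < 32:
            break                                # corrupt bin header
        cell, end = pos + 32, min(pos + bin_size, len(hive))
        while cell + 4 <= end:
            size = struct.unpack_from("<i", hive, cell)[0]  # negative = in use
            if abs(size) < 8:
                break                            # corrupt cell, stop this bin
            rec = cell + 4
            if size < 0 and hive[rec:rec + 2] == b"nk" and rec + 0x4C <= end:
                flags = struct.unpack_from("<H", hive, rec + 2)[0]
                name_len = struct.unpack_from("<H", hive, rec + 0x48)[0]
                raw = hive[rec + 0x4C:rec + 0x4C + name_len]
                codec = "latin-1" if flags & KEY_COMP_NAME else "utf-16-le"
                name = raw.decode(codec, "replace")
                if "\x00" in name:
                    hits.append((cell, name))
            cell += abs(size)
        pos += bin_size
    return hits

def _nk_cell(name: str) -> bytes:
    """Constructed test data: an in-use cell with a minimal nk record."""
    raw = name.encode("utf-16-le")
    rec = b"nk" + bytes(0x46) + struct.pack("<HH", len(raw), 0) + raw
    rec += bytes(-(len(rec) + 4) % 8)            # cells are 8-byte aligned
    return struct.pack("<i", -(len(rec) + 4)) + rec

def build_sample_hive() -> bytes:
    """Constructed one-bin hive: a normal key name and one with a leading NUL."""
    cells = _nk_cell("Winlogon") + _nk_cell("\x00Winlogon")
    free = struct.pack("<i", 0x1000 - 32 - len(cells))      # trailing free cell
    hbin = b"hbin" + struct.pack("<II", 0, 0x1000) + bytes(20) + cells + free
    return b"regf" + bytes(0x1000 - 4) + hbin.ljust(0x1000, b"\x00")

if __name__ == "__main__":
    for offset, name in find_nul_key_names(build_sample_hive()):
        print(f"0x{offset:X}: {name!r}")
```

The scan reads the length-counted name straight from each key node, so it does not depend on any API that stops at the first NUL. Run it on a copy of the hive, never on the only original.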
  #4  
Old July 21st 04, 03:41 AM
Kelly
Default Edit Registry from DOS

Steve,

This could have been resolved without all of this, especially from spyware.
I have no idea which steps you took nor which keys you are speaking of,
because of all, you didn't state the most important facts.

In the meantime:

Recover from a Corrupted Registry Preventing Win XP from Starting
http://support.microsoft.com/default...;EN-US;q307545

Recovering XP using the Recovery Console (Line 333) right hand side
http://www.kellys-korner-xp.com/xp_tweaks.htm

--
All the Best,
Kelly

Microsoft-MVP Windows® XP
2004 Windows MVP "Winny" Award

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
http://www.kellys-korner-xp.com/xp_tweaks.htm

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm





 



