Please help if you can.

Win XP Home SP2 on Advent 7081 Laptop was full of Malware, after 10 hours of Hijackthis and some registry deletions finally was happy except for the nasty ntos.exe which Hijackthis couldn't delete.

Then, instead of modifying the key HKLM\SOFTWARE\Microsoft\Windows T\CurrentVersion\WinlogonUserinit <System>\userinit.exe,<System>\ntos.exe and deleting just the ntos, I deleted the whole key!

Now Windows boots, logs in to an empty screen (mouse pointer operable), (safe mode too). I backed up the registry before this deletion but cannot now see or access the folder. I had disabled System Restore prior to this.

Thought to do a Repair/Install but it will not boot from the Windows CD (The CD/DVD drive has been working fine and the first boot device in BIOS is set to CD/DVD, also disabled the second (HDD) and third device (Network) to force the CD to boot. The Windows CD boots on my desktop. I'm out of ideas, suggestions appreciated.

Bill.

I'm Ok

Can you toss us a link to your malware cleaning so we can see what you did?

You should boot to Recovery Console, and add the key back to the registry. You're going to need familiarity with using the Recovery Console to do this.

If you backed up your registry first (you did this right?), then simply import the key into the hive.

Another reason, not to clean the registry. Let professionals or anti-malware tools do this stuff. I can't stress that enough!

J.
j e r u v y a t y a h o o d o t c o m

Hya Jeruvy

Thanks for your reply, much appreciated.

"Let professionals or anti-malware tools do this stuff. I can't stress that enough!" Yep, the professional from PC World, advised me to delete the key! Though I agree, I still shouldn't have done it.

That said - "If you backed up your registry first (you did this right?), then simply import the key into the hive." Well, maybe not totally correctly, I just exported the file from Regedit to a new folder.

"You're going to need familiarity with using the Recovery Console to do this." I totally agree, I have no experience with this, a helpful link would be appreciated. But since it wouldn't boot from the XP CD, could I have used RC?

"so we can see what you did?" I don't really want to go there again, I started work on the laptop yesterday morning and my pal needed it back for lunchtime today!

It was hardly booting with all services disabled and Task Manager, USB's screwed - but if you really want to know...

This thing had at least seven Rogue products (in the rogue list at Spyware Warrior). Eventually, ran AVG (6 eliminations) HijackThis (roughly 16 deletions), Safe Mode many times killing processes) using the tool in HijackThis Config and deleting migrating files ex System32 to Windows prefetch, each time running CCleaner and probably twenty reboots more.

The problem remains, is now to fix it now!

Cheers.

Bill.

I'm Ok

Can you still do a search when your computer starts up?... By the sounds of things the blank screen means your desktop hasn't loaded?

Can you right-click on the taskbar and select "new task"? type in explorer.exe, does your desktop come back?

Can you click on start > search and search for all files in your computer?... type in *.reg and search(this searches for all registry exports, the file extension should be .reg by default), does the backed up registry key you created appear?... if it does you should be able to double click it to restore.

Keep in mind you will still need to go back and modify the registry to remove the offending entry.

You "cannot boot from CD" - Why?

Go into your BIOS to enable booting from CD.

"Yep, the professional from PC World, advised me to delete the key! Though I agree, I still shouldn't have done it."

Did he not advise you to backup the registry first? Did he not at least advise you to backup this specific key in case all goes south?

In many cases, failing to fix this in Recovery Console means a complete rebuild.

Not knowing what you did prior to this problem, especially since you went to PC World seems a bit strange to me? Why can we not see what you did?

J.
j e r u v y a t y a h o o d o t c o m