Edit Registry from DOS


Guest

Hi All,

I am attempting to recover from a Spyware install. I've removed the Spyware installation and most registry entries, however, I couldn't remove the most important one until the file was gone. The only way to remove the software was to boot into DOS and delete the file from there since the way it was being loaded was through the WinLogon process.

The problem I have now is that even though the spyware is gone, I can't remove the entry out of the registry, because my system will no longer boot. In its current state, when the system boots, it looks for the spyware file during the winlogon process, but since it can't find it anymore, the winlogon process blue screens.

Before the spyware software was removed, I was unable to delete the entry in the registry, since every time I deleted the registry entry for the spyware, it would re-enter itself. (It had a hook into the explorer.exe process).

I am now trying to copy the registry from this system to another one so that I can edit it and remove the corrupt entry. I don't know what files the registry consists of, so I was wondering if you could point me to the correct files.

As an alternative, if any of you are aware of DOS tools I can use to edit the registry, I would also be willing to try that. Note that the entries in the registry for the Spyware are preceded by a null character, so regular registry tools will not even see the entries. I had a heck of a time figuring this out, since essentially the spyware put a null character entry in front of the entire WinLogon registry node. Normal registry tools use the Win32 API, which ignores anything after a null character. In other words, the entire WinLogon registry node in this case.

At any rate, any suggestions to edit the registry in a non Windows mode, or by copying it to another computer, would be highly appreciated. My understanding is that the spyware was a variation of the VX2 Better Internet software. Nasty stuff to get rid of, or even find.

Your help is much appreciated!

Steve.
 

Guest

XP doesn't have DOS, just a DOS prompt. You can also just
choose Run from the Start menu and enter regedit.
 

Carey Frisch [MVP]

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

[Courtesy of MS-MVP Michael Stevens]

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

 

Vincent Fatica

Check whether MSGINA.DLL (a likely target) is missing or not authentic.

The registry files are those with no extension (e.g., "software") in
System32\config. In addition, each user has an NTUSER.DAT in his profile
directory.
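Two points in this thread can be checked offline without ever booting the damaged system: which files hold the registry (the extension-less hives in System32\config and NTUSER.DAT, as Vincent says) and why a key name containing a NUL is invisible to Win32 registry tools (Steve's observation). The following Python script is an added example, not code from this thread or from Microsoft. It parses the REGF hive format directly (base block, hbin, nk key records, lf/lh/li/ri subkey lists), so an embedded NUL is just one more byte in the name rather than a string terminator. `build_hive` and `SAMPLE_HIVE` construct a tiny synthetic hive so the script runs stand-alone; on a real system you would read a copy of `System32\config\software` taken from the dead machine and look under `Microsoft\Windows NT\CurrentVersion` (the SOFTWARE hive's root corresponds to HKLM\SOFTWARE).

```python
import struct

HBIN_BASE = 0x1000      # cell offsets stored in a hive are relative to the first hbin
NK_COMP_NAME = 0x0020   # nk flag: name stored as 8-bit Latin-1 rather than UTF-16LE
NO_CELL = 0xFFFFFFFF    # "no cell" marker in nk offset fields

def _cell(hive, off):
    """Payload of the cell at hbin-relative offset `off` (4-byte size prefix stripped)."""
    size, = struct.unpack_from("<i", hive, HBIN_BASE + off)   # negative size = allocated
    return hive[HBIN_BASE + off + 4:HBIN_BASE + off + abs(size)]

def key_name(nk):
    """Decode an nk record's name exactly as stored, embedded NULs included."""
    flags, = struct.unpack_from("<H", nk, 2)
    nlen, = struct.unpack_from("<H", nk, 0x48)
    raw = nk[0x4C:0x4C + nlen]
    return raw.decode("latin-1") if flags & NK_COMP_NAME else raw.decode("utf-16-le")

def _walk_list(hive, off):
    """Expand an lf/lh/li subkey list (or an ri list of lists) into nk records."""
    lst = _cell(hive, off)
    sig = lst[:2]
    count, = struct.unpack_from("<H", lst, 2)
    if sig == b"ri":
        return [nk for i in range(count)
                for nk in _walk_list(hive, struct.unpack_from("<I", lst, 4 + 4 * i)[0])]
    stride = 4 if sig == b"li" else 8      # lf/lh entries carry a 4-byte name hash
    return [_cell(hive, struct.unpack_from("<I", lst, 4 + stride * i)[0]) for i in range(count)]

def subkeys(hive, nk):
    """Stable subkeys of an nk record (count at 0x14, list offset at 0x1C)."""
    count, = struct.unpack_from("<I", nk, 0x14)
    off, = struct.unpack_from("<I", nk, 0x1C)
    return [] if count == 0 or off == NO_CELL else _walk_list(hive, off)

def list_path(hive, path):
    """Names of the subkeys under `path` (backslash-separated, case-insensitive, from the hive root)."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    nk = _cell(hive, struct.unpack_from("<I", hive, 0x24)[0])   # root key cell offset
    for part in filter(None, path.split("\\")):
        for child in subkeys(hive, nk):
            if key_name(child).lower() == part.lower():
                nk = child
                break
        else:
            raise KeyError(part)
    return [key_name(c) for c in subkeys(hive, nk)]

def hidden_keys(hive, path):
    """Subkeys whose names embed a NUL, paired with the name a NUL-terminated Win32 tool shows."""
    return [(n, n.split("\0", 1)[0]) for n in list_path(hive, path) if "\0" in n]

def build_hive(tree):
    """Serialise a minimal constructed hive from {name: {subtree}} so the parser can run offline."""
    cells = bytearray()

    def add(payload):
        size = (4 + len(payload) + 7) & ~7            # cells are 8-byte aligned
        off = 0x20 + len(cells)                       # 0x20 = hbin header size
        cells.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        return off

    def nk(name, children):
        kids = [nk(n, c) for n, c in children.items()]   # emit children first
        lst = NO_CELL
        if kids:
            entries = b"".join(struct.pack("<I", k) + b"\0\0\0\0" for k in kids)
            lst = add(b"lf" + struct.pack("<H", len(kids)) + entries)
        raw = name.encode("latin-1")
        rec = bytearray(0x4C)
        rec[0:2] = b"nk"
        struct.pack_into("<H", rec, 2, NK_COMP_NAME)
        struct.pack_into("<IIII", rec, 0x14, len(kids), 0, lst, NO_CELL)  # subkey counts/lists
        struct.pack_into("<II", rec, 0x24, 0, NO_CELL)                    # no values
        struct.pack_into("<H", rec, 0x48, len(raw))
        return add(bytes(rec) + raw)

    root = nk("ROOT", tree)
    hbin_size = (0x20 + len(cells) + 0xFFF) & ~0xFFF
    hbin = (b"hbin" + struct.pack("<II", 0, hbin_size)).ljust(0x20, b"\0") + bytes(cells)
    header = bytearray(HBIN_BASE)
    header[0:4] = b"regf"
    struct.pack_into("<II", header, 4, 1, 1)                 # sequence numbers
    struct.pack_into("<II", header, 20, 1, 3)                # hive format 1.3 (XP)
    struct.pack_into("<II", header, 0x24, root, hbin_size)   # root offset, hbin data size
    return bytes(header) + hbin.ljust(hbin_size, b"\0")

# Constructed sample, not data from any real machine: a normal Winlogon key next to a twin
# whose name starts with a NUL, the kind of entry the original poster describes.
SAMPLE_HIVE = build_hive({"Microsoft": {"Windows NT": {"CurrentVersion": {
    "Winlogon": {"GPExtensions": {}},
    "\0Winlogon": {"Notify": {}},
}}}})

if __name__ == "__main__":
    for name, shown in hidden_keys(SAMPLE_HIVE, r"Microsoft\Windows NT\CurrentVersion"):
        print(f"NUL-embedded key {name!r}: Win32 tools display it as {shown!r}")
```

Two caveats. The hives are locked while Windows is running, so copy them from the offline disk (a boot CD, or the drive slaved into another machine); loading the copy with regedit's "Load Hive" on a clean PC does not help with this particular problem, because regedit uses the same NUL-terminated Win32 calls and will show the NUL-prefixed key with an empty or truncated name and fail to open it. This script only enumerates stable subkeys and does not write: it lets you confirm what is actually in the hive before deciding between a repair install, System Restore, or a native-API tool to delete the key.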
 
Kelly

Alex Nichol

snewbury said:
I am attempting to recover from a Spyware install. I've removed the Spyware installation and most registry entries, however, I couldn't remove the most important one until the file was gone. The only way to remove the software was to boot into DOS and delete the file from there since the way it was being loaded was through the WinLogon process.

The problem I have now is that even though the spyware is gone, I can't remove the entry out of the registry, because my system will no longer boot. In its current state, when the system boots, it looks for the spyware file during the winlogon process, but since it can't find it anymore, the winlogon process blue screens.

Before the spyware software was removed, I was unable to delete the entry in the registry, since every time I deleted the registry entry for the spyware, it would re-enter itself. (It had a hook into the explorer.exe process).

Do not try to edit the registry manually. Instead use system restore to
go back to an earlier undamaged one. Boot with the F8 key to the menu,
take
Safe Mode - Command Prompt

and give
C:\Windows\System32\restore\rstrui.exe
to launch System restore and restore to earlier point
 

NobodyMan

Guest said:
XP doesn't have DOS, just a DOS prompt. You can also just
choose Run from the Start menu and enter regedit.
Better to say XP has a Command Prompt. DOS prompt implies you are
accessing MS-DOS via the command line - and as you noted, XP doesn't
have MS-DOS.
 

Incognitus

NobodyMan said:
Better to say XP has a Command Prompt. DOS prompt implies you are
accessing MS-DOS via the command line - and as you noted, XP doesn't
have MS-DOS.

Did you ever wonder why WinXP cmd prompt mem command doesn't know that? :)

From a mem command using cmd: "MS-DOS resident in High Memory Area".
 

u4ria

I am facing the same problem. The spyware does not allow me to start the Windows
GUI, explorer.exe; even in the Task Manager I am not able to start
new tasks, it hangs.

Kindly tell me how to edit services, first to kill the msvrl.dll and
then to remove it from services from the DOS prompt.


--
u4ria
 

Doug Knox MS-MVP

Open a Command Prompt window. Once there, enter CD \Windows

Then enter COPY EXPLORER.EXE MyEXPLORER.EXE

Then enter MyExplorer.exe

A regular Windows Explorer window should open.

To disable the service in question, if it is a service, click Start, Run and enter SERVICES.MSC. Locate the service, double click it, click Stop and set it to Disabled.
 

Alex Nichol

u4ria said:
I am facing the same problem. The spyware does not allow me to start the Windows
GUI, explorer.exe; even in the Task Manager I am not able to start
new tasks, it hangs.

Kindly tell me how to edit services, first to kill the msvrl.dll and
then to remove it from services from the DOS prompt.

I'd suggest approaching this from system restore. Boot, hitting F8 as
the BIOS information goes to a black screen, before the Windows logo,
take Safe Mode - Command prompt.

That will load in a way that ought to prevent a 'foreign' service
loading. Then the command
C:\Windows\System32\restore\rstrui.exe
should load the System Restore GUI and allow restore back to a time
before the infection.
 
