Trying to repair registry - can't overwrite SAM and default

djbeard83

Last weekend I started getting fake pop up ads telling me my computer was
infected and to download antivirus software. I did not click on any of them
and instead ran Malwarebytes' Anti-Malware off of a memory stick. It scanned
my computer and ID'd many infected files, went to repair them, then prompted
me to restart. After restarting the same problem existed, so I ran the
Anti-Malware again and a few minutes into the scan the screen went into a DOS
prompt saying that windows\system32\config\system was missing or corrupt.
Now this screen comes up every time I boot.

Today I tried following the steps here:
http://support.microsoft.com/kb/307545/. I successfully copied the default,
sam, security, software, and system files into a backup folder as it states,
then deleted the originals, then copied the files from the repair directory
(although I had to add .bak to my system file in the repair folder). This
worked fine except for the default and SAM files - here it asked me if I
wanted to overwrite the existing file (which I had already deleted), and when
I entered Y I received the message "File could not be copied." When I look
at the system32\config directory the security, software, and system files all
show a date of 3/26/06 (the dates that were in my repair directory, so these
were successfully copied over), but default shows 11/16/09 and SAM shows
11/17/09, which was the last day I successfully booted Windows. I have not
done anything further yet.

My questions are:
Why were SAM and default not deleted when I thought they were and why can't
they be overwritten?
Because these two files appear to have been altered while my computer was
infected, are they the cause of the problem?
What should I do next?
Is there still a chance of recovering my data at some point?

Thanks for any help.
 
Charles W Davis

Have you tried doing a System Restore to a previous time when the system
worked correctly?
 
Jose

Usually when one sees the windows\system32\config\system was missing
or corrupt message, the system will not boot on the HDD, so what
method did you use to boot to enable you to run the copy parts of
KB307545?

Do you have floppies, a bootable XP installation CD, a bootable XP
Recovery Console CD, a bootable system recovery type CD from your
hardware vendor, are you booting from some recovery partition on your
HDD or none of the above.

What part (1, 2 or 3) and step of KB307545 is failing?

If I ever wanted to implement KB307545 after receiving that
message, I would always run:

chkdsk /r

first.

RSVP.
 
PA Bear [MS MVP]

You've got lots more work to do!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via...

Consumer Security Support home page
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7 => Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here.

Checking for/Help with Hijackware:
• http://mvps.org/winhelp2002/unwanted.htm
• http://inetexplorer.mvps.org/tshoot.html
• http://www.mvps.org/sramesh2k/Malware_Defence.htm
• http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
Pegasus [MVP]

djbeard83 said:
Last weekend I started getting fake pop up ads telling me my computer was
infected and to download antivirus software. I did not click on any of them
and instead ran Malwarebytes' Anti-Malware off of a memory stick. It scanned
my computer and ID'd many infected files, went to repair them, then prompted
me to restart. After restarting the same problem existed, so I ran the
Anti-Malware again and a few minutes into the scan the screen went into a DOS
prompt saying that windows\system32\config\system was missing or corrupt.
Now this screen comes up every time I boot.

Today I tried following the steps here:
http://support.microsoft.com/kb/307545/. I successfully copied the default,
sam, security, software, and system files into a backup folder as it states,
then deleted the originals, then copied the files from the repair directory
(although I had to add .bak to my system file in the repair folder). This
worked fine except for the default and SAM files - here it asked me if I
wanted to overwrite the existing file (which I had already deleted), and when
I entered Y I received the message "File could not be copied." When I look
at the system32\config directory the security, software, and system files all
show a date of 3/26/06 (the dates that were in my repair directory, so these
were successfully copied over), but default shows 11/16/09 and SAM shows
11/17/09, which was the last day I successfully booted Windows. I have not
done anything further yet.

My questions are:
Why were SAM and default not deleted when I thought they were and why can't
they be overwritten?
Because these two files appear to have been altered while my computer was
infected, are they the cause of the problem?
What should I do next?
Is there still a chance of recovering my data at some point?

Thanks for any help.

If I was in your situation then I would follow this path because it is
guaranteed to give you a stable, robust installation within a few hours:
1. Remove the hard disk.
2. Connect it as a slave disk to some other PC.
3. Save your data, including your EMail files.
4. Put the disk back.
5. Re-install Windows onto a freshly formatted disk.
6. Restore your data.
7. Install a good virus scanner and keep it up-to-date.
8. Practise safe hex.
9. Review your backup philosophy. Important files must *always* be kept in
at least two independent places. A 2.5" disk in an external USB case is a
highly effective but low-cost backup medium. If you do not change your
approach to backing up your files now then you might lose the lot next time
something goes wrong.

About point 2: Post again if you do not have access to another PC. There are
other ways of saving your files.

You can, of course, spend many hours in an attempt to repair your damaged
installation. Since you had a large number of infected files, its success is
uncertain and the result is likely to be less than satisfactory. Best to
bite the bullet now.
 
djbeard83

Thanks for your input. I've been planning for months to buy a new PC over
Thanksgiving while I'm visiting a no-sales-tax state, so once I get it set up
and see how many files I had backed up I'll reevaluate how much time I want
to invest in restoring the old PC. How does one connect a HD as a slave
drive?
 
djbeard83

I was booting off of the Windows DVD from HP, and I got most of the way
through Part 1, Step 5 of KB307545 (got error messages trying to copy SAM and
default).
 
djbeard83

Thanks for replying - I will see how current my backup hard drive was and if
my potential data loss doesn't look too bad before diving too far into this.
 
Pegasus [MVP]

djbeard83 said:
Thanks for your input. I've been planning for months to buy a new PC over
Thanksgiving while I'm visiting a no-sales-tax state, so once I get it set up
and see how many files I had backed up I'll reevaluate how much time I want
to invest in restoring the old PC. How does one connect a HD as a slave
drive?

Google is your friend. Type the following words into a Google search box and
you will be pleasantly surprised:

tutorial connect slave disk
 
Jose

Is the DVD from HP some sort of system recovery CD or is it just a plain
bootable Windows XP installation CD? They are not the same, are often
confused, and usually on a store-bought system you will not get a
bootable XP Installation CD.

Perhaps you are booting HPs version of the Recovery Console - or maybe
it is not the Recovery Console at all, but some HP tool.

If you are not 100% sure, you can be 100% sure by making a bootable XP
Recovery Console CD without needing any XP media, then do your
copying.

You can make a bootable XP Recovery Console CD by downloading an ISO
file and burning it to a CD.

The bootable ISO image file you need to download is called:

xp_rec_con.iso

Download the ISO file from here:

http://www.mediafire.com/?ueyyzfymmig

Use this free and easy program to create your bootable CD:

http://www.imgburn.com/

It would be a good idea to test your bootable CD on a computer that is
working.

You may need to adjust the computer BIOS settings to use the CD ROM
drive as the first boot device instead of the hard disk. These
adjustments are made before Windows tries to load. If you miss it,
you will have to reboot the system again.

When you boot on the CD, follow the prompts:

Press any key to boot from CD...

The Windows Setup... will proceed.

Press 'R' to enter the Recovery Console.

Select the installation you want to access (usually 1: C:\WINDOWS)

You may be asked to enter the Administrator password (usually empty).

You should be in the C:\WINDOWS folder. This is the same as the
C:\WINDOWS folder you see in explorer.

RC allows basic file commands - copy, rename, replace, delete, cd,
chkdsk, fixboot, fixmbr, etc.

From the command prompt window run the chkdsk command on the drive
where Windows is installed to try to repair any problems on the
afflicted drive.

chkdsk is fine to run even if it doesn't find any problems.

Assuming your boot drive is C, run the following command:

chkdsk C: /r

Let chkdsk finish and correct any problems it might find. It may take
a long time to complete or appear to be 'stuck'. Be patient. If the
HDD light is still flashing, it is doing something. Keep an eye on
the percentage amount to be sure it is still making progress.

Using this CD, you can use attrib to change any file properties that
could prevent copying - remove read only, etc. Copy your files now.
Before copying in files of the same name, make sure the old one is
really gone first, not read only, not hidden so it just looks like it
is gone, etc.

It sounds like you are trying to copy on the top of existing read only
files that you think are deleted but they are not deleted and that
will not work.
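The check described above, as an added example session (not commands from the original post): Recovery Console commands that confirm the old SAM and DEFAULT hives are really gone before the repair copies from KB307545 are put in place. It assumes Windows is in C:\WINDOWS, that the backup copies from Part 1 of KB307545 were already made, and that the REM lines are explanatory notes rather than commands to type.

```cmd
REM Added example, not from the original post. Assumes Windows is in C:\WINDOWS.
cd \windows\system32\config

REM Recovery Console's dir lists hidden and system files too, with their
REM attribute letters (r = read-only, h = hidden, s = system). If SAM or
REM DEFAULT still shows up here, the earlier "delete" did not remove it.
dir sam
dir default

REM Clear the attributes that make a copy fail or make a file look deleted
REM when it is not. Use the full path so the wrong file cannot be touched.
attrib -r -s -h c:\windows\system32\config\sam
attrib -r -s -h c:\windows\system32\config\default

REM Remove the old hives now that they are plain files.
del c:\windows\system32\config\sam
del c:\windows\system32\config\default

REM Confirm they are gone before copying anything in.
dir sam
dir default

REM Copy in the repair-folder hives, as in Part 1 of KB307545.
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\default c:\windows\system32\config\default

REM A final listing should show both files with the repair folder's date.
dir sam
dir default
```

Run chkdsk C: /r before this sequence, as the post advises, so the copy is not attempted onto a damaged file system.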
 
Paul

djbeard83 said:
Thanks for your input. I've been planning for months to buy a new PC over
Thanksgiving while I'm visiting a no-sales-tax state, so once I get it set up
and see how many files I had backed up I'll reevaluate how much time I want
to invest in restoring the old PC. How does one connect a HD as a slave
drive?

If you ever need to connect a hard drive from another computer, there
are a couple kinds of options. You can use a USB to IDE or USB to SATA
adapter. (IDE and SATA being the two drive interface types you'd usually
run into.) The advantage of this kind of kit, is all the ugly bits
stay outside the computer. This hookup is intended for
temporary usage, like running the hard drive sitting on your desktop,
long enough to copy off the data. The drive should be situated so
it doesn't overheat (air should be able to get at it). The drive
should also be secure enough that you can't knock it over. The
performance of this method, operates at up to 30MB/sec, suitable
for an occasional backup.

http://www.newegg.com/Product/Product.aspx?Item=N82E16812200155

You can also connect a drive internally, to a ribbon cable, for the
older IDE drives. Connecting a drive directly inside the computer,
means a slightly higher transfer rate. One of my drives can manage
about 95MB/sec on a good day. So if the performance of USB2 irritates
you, then a more direct connection can do a better job. But this
requires taking the side off the computer (or using an ESATA port
on the back of the computer, if available).

http://www.pcguide.com/byop/diagrams/figure95.jpg

SATA uses slightly different connectors. The SATA data cable is
thin and operates at a high speed, to make up for the thinness.

http://cache.gizmodo.com/assets/images/4/2008/08/sata33.jpg

With SATA, there are no jumper considerations. It is a relatively
easy product to deal with. The only exception, is hooking a
SATA drive to a VIA chipset, where you should use the Force150
jumper on the back of the drive. Most of the time, you don't
have to think about what you're doing.

With IDE (ribbon cable), the cable has two positions, suitable
for two hard drives. The connector on the end is the first one
you're supposed to use. If the cable is only going to have the
one drive on it, connect the drive to the end of the cable.
The middle connector is only used, if two drives are present.

The ribbon cable type drives, make extensive use of jumpers,
so you absolutely have to make sure the jumpers are correct.
Two drives jumpered "Cable Select" can be removed, without
needing to fool around too much. That is why "Cable Select" was
invented, so companies like Dell could jumper all their stuff
one way. It allows mix and match. It requires an 80 wire cable
that supports Cable Select. (They make 40 wire cables as well,
and that might not be Cable Select ready.)

Other jumper alternatives are termed "Master" and "Slave",
where you can have one of each. You can have a Master by itself,
or Master plus a Slave.

The back of a drive could have positions for Cable Select (CS),
Master (MA) or Slave (SL). It is up to you, to ensure the
correct combination of jumperings, is used when the drives
are installed. If using Master and Slave style jumpering,
there may be a need to adjust them, as you add and remove
drives. So you have to keep your wits about you.

That's a quick guide.

The above USB kit may look ugly and complicated, but
you'll get to like it after a while. The user manual
for the Startech device is available, so you can have
a look before you buy.

http://www.startech.com/Data/ProductManuals/USB2SATAIDE.pdf

Paul
 
