Registry problem!!!

Hi
I've just recieved help in the Malware Removal Forum and I hope someone in this forum can help in getting my daughter's laptop completely back to normal. I've been told to post here for the last prob.

Here it is: On reboot this is the message that pops up every time

Thanks in advance to whoever can help.

 

start>run typein
msconfig

Look at the startup tab, but don't change anything.

Post the list you see as a text file, you will have to copy and paste the entries into notepad.

 

Thanks studiot for your response.

Unfortunately there wasn't the option of cut & paste, so I typed it.
(I even tried to PrintScreen and was unsuccessful - maybe I'm doing it wrong? The PrintScreen button on this laptop has "PrtSc" at the top of the button and "SysRq" at the bottom, do I just hit that button? I've tried combinations, eg with Shift, Ctrl, still no go.)

I will attach the Startup list. Thanks

 

Thanks plodr for that copy/paste tip.

 

You have a commendably short startup list.



There is nothing in there to be calling the popup.

So a few more things.

Firstly I would guess that Chas & Co had you run Ccleaner at some point.
Try running it again using scan for and then fix issues.

If this doesn't help then a couple more questions

In add remove programs, expanded to show updates (tickbox at top) do you have Microsoft update

KB40987?

Secondly how many user accounts do you have? Does the problem happen on all of them?

 

Hi again studiot.
I will run CCleaner again as instructed and see how it goes.

No, only updates from KB88...

My daughter only has one account at the Login Screen. That being said, I noticed during malware removal, I think while I was in SafeMode, that there was the usual Admin account AND two "Monique" accounts, which I thought odd.

When I remembered to check this in Normal Mode, there was only one "Monique" account and a Guest account, which was turned off.:confused

Just a question... in the Startup tab of msconfig, the second entry doesn't have a Startup Item name or a Command path just a ticked box and the Location? Do you know what this could be, why would that information be blank?:confused

Another thing, AVG Antivirus just ran a scan and the file C:\WINDOWS\system32\drivers\etc\hosts couldn't be scanned because of a reading error? Could something suspicious be the cause of an antivirus program not being able to scan the hosts file?

Thanks again.

 

soundmanager will be in the normal windows location for .exe files I expect (c:\windows) It is nothing to worry about.

I can't recommend strongly enough that you set up the two account system for the future. Most (Over 75%) of malware need to be in an administrator environment to activate. So the rule is

Never surf the net as an administrator.

Set up an account to administrate the computer, call it your dog's name or the boss or something, you can't use the word 'administrator'
Log on to this new account and demote the monique account to limited user by going to User Accounts in the Control Panel.
That way you will preserve all the monique user settings and data.
You don't need to set a password but it might be a good idea for a child's laptop against 'friends'. The Windows password does not protect at all on the internet, only against persons with physical access to the laptop.

If Ccleaner doesn't help with what must be a broken link in the registry, there is a fix which involves creating a new admin account. Let me know if the new account also shows the warning message or not.

 

I created the new admin account and yes I still get the same error message.

 

Also, to rule out any apps that is causing this issue, you can run msconfig, and uncheck "load startup items". press ok, then okay to reboot. See if this still brings up there error.

or

Check the event viewer.

Click START, then RUN, the type in:

eventvwr.msc (press enter)

Check both application and system, to determine where the error shows up.

Btw, does the error show up in safe mode.

Can you take a screen shot of said error and post it here?

 

Thanks theefool for your advice and time.

Event Viewer showed a problem, which definitely could be the cause. I will attach the screen shot as well as the original Registry error message.

 

You said originally that this error occurs on boot (which is when you would expect it).

Can you confirm from the timings that any of the event viewer errors, ID 7, are conincident with the appearance of this message? I doubt they are connected.

The next procedure is multistage and therefore longer. It involves deleting and recreating ntuser.dat for the monique account.

A) boot to your new admin account

B) create a temporary folder Atemp, is easy to find again.

c) copy c:\documents and settings\monique\ntuser.dat to c:\atemp

d) delete c:\documenta and settings\monique\ntuser.dat

e) log off admin and log onto monique. This will recreate ntuser.dat for monique

f) log off off monique and log on to admin

g) copy saved ntuser.dat back from atemp to c:\documents and settings\monique\ yes to overwrite.

h) shut down and restart.

Does this do the business?

 

Hi again studiot.

You're right, they're not connect.

Did this and when I got so far as logging into 'Monique' - "loading your settings", it seemed to hang and then the hard drive light went off. I assumed that it s**t itself.

So I restarted and logged into admin again and was reversing what I did, when I went to paste the ntuser.dat file back to it's original location a message came up that there was already a ntuser.dat file there and did I want to replace it.

The original was over 7000KB, while the 'new' one was just over 200MB - AM I GUILTY OF IMPATIENCE/'JUMPING THE GUN'?? This 'new' file, was that the result of the computer in the middle of writing a new ntuser.dat file for Monique?

If so... I admit I'm an idiot.:heli

 

Hopefully a reboot will fix all this. Don't forget you have the original ntuser.dat safely stored in atemp. (yes?) so you can do this as many times as you like. Windows should recreate ntuser.dat any time it finds it 'missing'.

 

Thanks mate, I'll have another go in the morning. It's 11pm and one of my fav old programs is on that I can't miss... Columbo.

 

tec's of the world unite!

 

studiot, when I tried to copy ntuser.dat once again this is the error message I'm getting? The other login account isn't running and no programs are running that I can see - I'm repeating the process just as I did before but now it won't let me!!!!! Any ideas why this message is coming up now?

http://img184.imageshack.us/img184/3082/02122008140625tn0.jpg

Here are the processes running at the moment, if that helps?

http://img240.imageshack.us/img240/5139/02122008145303ve8.jpg

 

I didn't want to go here as we are getting into some really geeky terrority.

http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en