recovering from corrupt \WINDOWS\SYSTEM32\CONFIG\SYSTEM

In a nutshell, I am working on my bosses laptop (dell latitude), it was/is? infected with the TDSS nasty. I started working through the Read & Run me First . The next day I went to turn it on and got the message "Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE press r to repair.

So I followed the recovery instructions here: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307545

It is now back up in windows, and I am trying to do step 2 to copy what was her registry before using system restore. I am not sure if the TDSS cleared her restore points or if it was always shut off, but the only System/Volume Information/restore/RPx folder that wasn't made after the repair has no shapshot folder to access the _REGISTRY_MACHINE_SYSTEM

When I first got her computer it started making a Data Backup folder, I thought at the time it was from a windows update that didn't get to finish installing. In that folder is a System.1st file, would I be safe to use that in the recovery to copy it as the current file?
I probably make no sense, I am scatterbrained from toasting the bosses computer :-o
Thanks, Marie

 

do you have your windows disk?

 

What I have is the Dell windows reinstallation disk (that is what I ran the repair console with). I think the registry that is in place now is what would be on the disk (it was from the c/windows/repair).
I would just go through and redo the settings to make things as they were but most of the hardware is not installed and it says only one can install at a time and one is in process. What that could be I have no clue, even letting it sit for some time nothing installs. I can't get it to recognize a jump drive to save her data in case things go south again.

 

You should start by starting the repair console and running "chkdsk c: /r" without the quotes.

 

oh my, I found another help thing that said just the windows\system32\config\system file needed to be from windows\repair. So I went to the consule and put the original sam software security and default files back (reversing the process from the windows help). I want to go back to the consule to try the above post and it now asks for an admin password. I went to set up to make one and it still wont recognize it, so it restarts to the black SOD. it previously just took 'enter' *I should not be doing this with this headthumping sinus cold*

 

I know there are some password removal programs out there, but I can't seem to find it. Doesn't Majorgeeks have anything?

 

I am still looking around majorgeek to find anything to help, it now wont go into safemode I am not getting a command prompt to do anything at the moment.

 

Thanks,
the only xp disks I can find are reinstallation disks.

It still won't go into safe mode (it loads a few files then just sits), and it wont take an administrator password in the recovery concole even if I set or clear it in the F2 setup.

Am I at the point that I just need to reinstall xp? Will her files still be there if I do, she has some files for church that neither of us saved before all this happened.

 

a site I found using google.

http://www.petri.co.il/forgot_administrator_password.htm

It was recommended in the yahoo answers http://answers.yahoo.com/question/index?qid=20060707085656AAoF2eS

I have not tried the programs listed in the article. I would only use them if wipe/reload is your only option. You might want to scan them for viruses when you DL them also, even though I believe they are legit. I guess you would call me overly cautious.

I would also note that my firefox addon web-of-trust that uses input from other firefox web-of-trust users to rate trustworthiness of websites gave me a green (best) rating for the website.

 

thanks, those look helpful.
I may be being dense but I still can't get a command prompt from recovery or safe to try following the instructions, am I missing something?

 

Setting a password in F2 is probably a power-on password not a Windows password. I guess you said you tried leaving it blank for Administrator password in Recovery Console[that is what you meant from it used to take <enter> ]?

I've been thinking about exploring the steps you followed in the MS article but haven't had a chance yet. They are abit complicated and easy to confuse, as you are experiencing. I'm afraid it is too easy to get one command wrong to try to jump in now without having tried it myself on my own computer.

I would try your installation disk to see if you get the option for a Non Destructive repair as described in this article. You are looking for the screen as seen in #7.

 

Thanks for all the help.
Sach2 I really thought that link was the golden ticket. I started on it fresh today and it duplicates the steps up to screen 5, then goes to delete partitions instead of the non-distructive repair screen in 7 (bummer). The reinstall disc I am using is from am older xp computer but it includes SP2, would it even be worth it to hunt down a newer xp disc?

 

I think you probably have a branded computer xp disc that doesn't include the repair option. The newness of the disc doesn't really matter just that it is a Windows branded XP disc.

Hiren's boot CD can get you into the files on your HD and let you execute Recovery Console commands but I am not sure what you can do with no Rp# folders to choose from.

Hiren's doesn't give you USB support so it won't be of use to copy your files. Maybe a different Linux live CD that has USB support would allow you to get your files off the laptop.

If you have a plan for recovery console and want to try the Hiren's I can guide you through the menu's to get to the dos with NTFS command prompt.

 

Thanks a bunch, I am attempting to download Hiren's, I have made numerous attempts varying from 7% complete to 96% complete before it zooms to say it is done and won't extract because the files are missing. But I am going to try until I get it, so any help around it would be much appreciated it looks a tad overwhelming.

Somewhere in the journey of reading info I read that a Dell reinstall disc is specific to the model it is packaged with, whether that is true or not I have no clue but dell does offer a replacement reinstall disc so I requested one for this machine. Although I am hoping Hiren's will have the touch before it gets here.
Thanks
Marie

 

I never used the link I provided previously, if you are still having trouble then Try this link click free user and there will be a 60 second wait period.

 

I just used the original link and it worked for me. Unzipped no problem. You don't need the keyboard patch because that is for non-US English keyboards. You will need imgburn to burn the iso file to CD. Use the Write image option and select the slowest speed your burner allows.

 

The second link work first time, I have Hiren's burned to a disc. I haven't started yet incase there is something funky I should know first.
THANKS

 

Plug in your USB flash drive
Reboot computer using the CD.
Allow it to start from Cd, click yes anywhere it doesn't auto load.
From menu #9 (more)
#5 NTFS tools
#3 Paragon Mount Everything

Drive C: will probably be your USB
Drive E: will probably be your laptops WINDOWS partition.

You can use the R>dir e: [to get a list of files to verify this is your Windows partition]
R>dir c: [to verify this is your flash drive]

Any commands you were going to run in Recovery console can be run after typing R>e: [to change you to the WINDOWS partition]

*******
Copy e:\filename.ext C:\filename.ext should work to get things onto your Flash
********
My own note would be to make a second copy of your tmp folder that held your original Security software hardware etc. files before doing/undoing anything.
***********
And not to confuse things this link Tim mentioned is a bit clearer than the original MS one. But don't let that alter your plan if you are using the MS article since you have copied /moved 5 files not just the 3 mentioned in this link.

 

I got her files copies to my jump, it uses xxcopy so I had to brush up on that. After I put the reinstall disc in and the repair option (screen 7) was now there in reinstall XP so I followed the Langa non-destructive rebuild link given earlier.

I am getting a bit worried, it did not do an auto reboot as the instructions said it would and it skipped screens 11 & 12 (entering product key). It has been on screen 13 since last night, which predicts 35 minutes left. I did reboot this morning and it prompted that step up was continuing and went right back to screen 13 (installing devices) and just sits there.
I am not sure if this is ok, I was really hoping to leave for holiday tonight but need to have it working and back to her. Should I just let it keep going in screen 13 hoping that it is making some progress.
thanks