Cant logon to WindowsXP, deleted some registry keys

[chloec42 0]

I use Malwarebytes Antimalware regularly

 

http://www.malwarebytes.org/mbam and havent had an infection found

 

in about a year.

Yesterday i scanned after about a month and i saw 12 infections !

 

MBAM said it could not clean a few infections:

 

==============

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 2

Internet Explorer Unknown

 

9/11/2010 11:19:49 PM

mbam-log-2010-09-11 (23-19-49).txt

 

Scan type: Quick Scan

Objects scanned: 94917

Time elapsed: 2 minute(s), 49 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 4

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

 

(Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

 

(Backdoor.Bot) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mp3_audio_codec (Spyware.Zbot) -> Quarantined and

 

deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and

 

deleted successfully.

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:

 

\windows\system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data:

 

system32\sdra64.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:

 

\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted

 

successfully.

 

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

 

Files Infected:

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.

C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

=======================

 

So i thought of manually removing the infected Registry keys. (Something i've done many times before)

 

While I was at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

I saw a key named 'Special Accounts', it looked fishy to my paranoid eyes. Had some 'strange' values in it, None

 

corresponding to my Username (Administrator) or Guest. 3 were somewhat random letters with a ~, and one was '

 

search assistant'. Looked like malware remains of some kind, so, i deleted them all.

 

After that i rebooted, the welcome screen showed up (usually straightaway shows me desktop since there is just one

 

user 'Administrator') with the only user 'Administrator'. When i click it, it shows 'loading your personal

 

settings' for a second. Then it reads 'saving your settings' and stays at the logon screen. Repeated it for 10

 

times. Restarted and repeated. Shut Down and repeated. Always same result.

 

Then i tried the 'Last Know good configuration' in statup options. Still same result.

Tried 'Safe Mode' starts loading then breaks at 'unable to load NTFS.dll'

'Safe mode with networking' same logon screen and same one second login and return to logon screen.

 

I dont know how to login. Can someone please help. Is there a way to remotely add the keys back to my registry. Or

 

some way to correct this problem?

 

Thanks and Regards

 

guptavis