gerbil 216 Industrious Poster

"remove a message on login screen".
If it is text, then my post stands.
If it is a graphic of text, then the logon .scr file in system32 has been modified [easy, with the right tool], or replaced [easy also, a reg mod].
You need a response from OP to go further.

gerbil 216 Industrious Poster

If not, you could just download the installer for your x86 SP3 system:
http://download.windowsupdate.com/WindowsUpdate/redist/standalone/7.4.7600.226/WindowsUpdateAgent30-x86.exe
Open the download folder; open a cmd window, and drag the file into the cmd window. Add the parameter /wuforce, so: [below is a copy of my cmd window]; it will self extract, and run the installer. Finally, reattempt to update your system.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Don>D:\Downloads\WindowsUpdateAgent30-x86.exe /wuforce

gerbil 216 Industrious Poster

Hi again.
I think you can safely delete all those adware related issues that ADWCleaner found - run it again, and press Delete button.
The bat command - net stop wuauserv && regsvr32 %windir%\system32\wups2.dll && net start wuauserv - it looks like wuauserv is not installed [the .bat failed on the first part]. M$ have an automated troubleshooter/Fixit at http://go.microsoft.com/?linkid=9830262
You could first check in Services that Automatic Updates [common name wuauserv exists].
If you paste this URL into IE, does it not offer to repair or install the update service?
http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

gerbil 216 Industrious Poster

No, I won't have that, caper... I blew the Vista uninstall updates bit. I do have a W7 machine to learn from... I just prefer my ol XP.
So I bumble through... :). And I shouldn't push in...
Hey, Techno, what service was the problem, if any?

gerbil 216 Industrious Poster

Could you post those logs from ADWCleaner and MWB? Those should give me a clue as to where next.
Being blocked from Google may be as simple as a malware entry in your Hosts file; you can clear it manually by deleting the Google entry and saving the file. Your hosts file is in system32\drivers\etc; drag it into a notepad to edit. To save you may first need to uncheck the Read Only box in hosts' properties.
As a blind first try to enable autoupdates, you might try this: open a cmd window, and paste in...
net stop wuauserv && regsvr32 %windir%\system32\wups2.dll && net start wuauserv
... and hit Enter. Please post a copy of the screen [rclick, select all, copy with Ctrl-C].
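An added example (not gerbil's code) that does the hosts-file check described above from PowerShell: it clears the Read Only attribute, lists any line mapping a watched name, backs the file up and writes it back without those lines. The watched-name list and the use of an elevated prompt are assumptions; extend the list as needed.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Names whose presence in hosts is suspect on a normal machine (assumed list).
$Watch = @('google.com', 'microsoft.com', 'windowsupdate.com', 'bleepingcomputer.com')

# The post notes the file is often Read Only; clear that so the rewrite can be saved.
$item = Get-Item $HostsPath
if ($item.IsReadOnly) {
    Write-Host "hosts was Read Only; clearing the attribute."
    $item.IsReadOnly = $false
}

$lines   = @(Get-Content $HostsPath)   # @() keeps a one-line file an array
$flagged = @()                         # zero-based indexes of lines to drop
for ($i = 0; $i -lt $lines.Count; $i++) {
    $text = ($lines[$i] -split '#')[0].Trim()        # strip trailing comments
    if (-not $text) { continue }                      # blank or comment-only line
    $parts = $text -split '\s+'
    if ($parts.Count -lt 2) { continue }              # no hostname on this line
    $ip    = $parts[0]
    $names = $parts[1..($parts.Count - 1)]
    foreach ($n in $names) {
        $lower = $n.ToLower()
        foreach ($w in $Watch) {
            # Any mapping of a watched name, whether to loopback (blocks it) or to
            # some other address (redirects it), is not something a user put there.
            if ($lower -eq $w -or $lower.EndsWith(".$w")) {
                Write-Host ("line {0}: {1} -> {2}" -f ($i + 1), $n, $ip)
                $flagged += $i
            }
        }
    }
}

if ($flagged.Count -eq 0) {
    Write-Host "No entries for watched names; hosts looks clean."
} else {
    Copy-Item $HostsPath "$HostsPath.bak" -Force   # keep a copy before editing
    $keep = for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($flagged -notcontains $i) { $lines[$i] }
    }
    Set-Content -Path $HostsPath -Value $keep -Encoding ASCII
    Write-Host ("Removed {0} line(s); backup at {1}.bak" -f $flagged.Count, $HostsPath)
    ipconfig /flushdns | Out-Null                   # drop cached answers for the removed names
}
```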

gerbil 216 Industrious Poster

ULead... find its launch point and disable it to see if that improves startup performance. It's likely in DocsnSetts\some user\start menu\pgms\startup; if not in one of those folders, then use Technet's Autoruns to locate it.
If you use it regularly, try installing over the top again.
Great that you got the sys running again. Did you use msconfig to isolate the problem service [fastest way is to choose half, then half again, then ha...]?

gerbil 216 Industrious Poster

Lessee, i click the red download button, a box pops with the options, i check one, and hit that Next button, and the dl starts. Down the BR corner.... :)

gerbil 216 Industrious Poster

I think this should give you the guidance you need to remove the message:
http://www.techrepublic.com/blog/window-on-windows/adding-messages-to-windows-7s-logon-screen/4390
Or, if you so wish, you can copy and save the following script to your desktop using notepad; name it cleanlogin.bat.
Double-click it to run it; you will be asked to confirm the steps. It will zero out the two value names, legalnoticecaption and legalnoticetext

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticecaption
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext

gerbil 216 Industrious Poster

This one...?
Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008 x86 (KB2836939)
Date last published: 6/11/2013
Download size: 5.5 MB
That bit about AU not working was a bit surplus to the post. I meant for you to grab the KB number and download the installer itself, and to try re-applying it.
http://www.microsoft.com/en-us/download/details.aspx?id=39257

gerbil 216 Industrious Poster

Whoops, my mistake. That was for XP; they changed the system for Vista, and thus Caperjack's post details the correct and only way to remove updates. You could try repeating the updates from Safe Mode with Networking, but you would need the KB number so as to download it. AU won't work if the system thinks it has it already.
Sorry for the confusion.

gerbil 216 Industrious Poster

You might try downloading RKill and ADWCleaner from bleepingcomputer; run RKill first, then without restarting run ADWCleaner and Malwarebytes again.
http://www.bleepingcomputer.com/download/rkill/
http://www.bleepingcomputer.com/download/adwcleaner/

gerbil 216 Industrious Poster

So from Safe Mode, if you look in \Windows, are there $NtUninstallKB.... folders dated yesterday? Open them, open spuninst folder and dclick spuninst.exe.

gerbil 216 Industrious Poster

mmm... but that processor, E6300? Dual core 2.8 GHZ 2m shared L2 Cache 1066 FSB LGA 775 65 W Dual-Core (SLGU9) Processor [pentium] is not going to run in it. 45nm slice. BIOS won't recognise it.

gerbil 216 Industrious Poster

Windows won't load any configuration, including safe mode, whether from hdd or UFD. Booting via USB optical drive fails earlier. Your disks and hdd test as good.
You swapped the memory stick, but that is not as deep a check as running Memtest86+, which by its nature must also involve the CPU and memory controller [incorporated in the chipset].
A BIOS virus? That would have to modify the MBR and/or boot sector code to act on your system while it ran? I have no experience of a BIOS virus.... I guess you would clear CMOS with the jumper, flash BIOS code, on first restart in BIOS setup remove the hdd as a boot medium [so it won't read its MBR code], else just first-boot and scan with a bootable AV such as Bitdefender's Rescue cd.
Really, i'd run Memtest first... I suspect a chipset/CPU/memory fault.

gerbil 216 Industrious Poster

If you can log on, then run chkdsk [checkdisk] by rclicking drive, then going Properties, Tools.

gerbil 216 Industrious Poster

Insert your Windows setup UFD/DVD, run through setup past regional preferences page, choose Repair, choose an operating system to repair.
On the Choose A Recovery Tool page click Windows Memory Diagnostic Tool.
For the best tool, get Memtest86+ from http://www.memtest.org/
-you choose the medium to use; it will be bootable directly into Memtest. A 1/2 hour run is going to suffice, I think.


gerbil 216 Industrious Poster

Try the memory diagnostic.

gerbil 216 Industrious Poster

Nooo.... it's a malware issue!!
Run RKill by Grinler.
http://download.bleepingcomputer.com/grinler/rkill.com
Follow up with http://download.bleepingcomputer.com/farbar/FSS.exe
Post the log.

gerbil 216 Industrious Poster

Re the removal of this key, O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)...
I consider the proper course to be to restore the file, a part of maintaining system security, and to NOT delete the launch key.
DIMSNTFY.DLL
The Digital Identity Management Service Notification Handler starts via Winlogon Notify and appears in Windows\System32. It's part of a team used to verify digital certificates.
More at http://support.microsoft.com/kb/907247
And again... http://ezinearticles.com/?Dimsntfy-DLL-Errors-Fix---How-To-Repair-The-Dimsntfy-DLL-Error-On-Your-PC&id=5494857
It is actually a protected file, and so must be missing from the cache also.

gerbil 216 Industrious Poster

Sankha, this should do the trick. I have included a link as a way of acknowledging the author of the fix.
Links - http://www.dougknox.com/xp/file_assoc.htm
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@="{09A63660-16F9-11d0-B1DF-004F56001CA7}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

gerbil 216 Industrious Poster

I played with this on a rainy night. On a test hdd I installed W7 to a new 20GB partition, then used PTEdit to shrink the partition to 18GB [40960000 sectors down to 35156250], setting the total NTFS sector field in the boot sector table to one less, 35356249, writing that, and writing the partition table mod. It booted fine, but TestDisk reported that the head value was now 240 and not 255 as before. PTEdit says it is 255. I'll try to resolve that.
Of course, for your problem, there is a free disk image tool available which does data and not sector copying - if you have space on another hdd that might be your safest solution. Image, perhaps shrink, delete original partition, reimage. Fdisk would clean the confused hdd if necessary.

gerbil 216 Industrious Poster

You might use TestDisk by Grenier to see if it recognises the disk spaces correctly. If it does then you can rewrite the MBR with that information. Its Deep Search might pick up the correct boundary.
If not, then a tool like PTedit32 may be the one to use. For me, it does not do a great job of finding partition boundaries, but you can use it to write them in.... just learn a bit about the rules first, and then put the first boundary where you think it should be.
If it all blows up, I don wanna know.
:)
TestDisk has a good help site. You might [should!!] backup your partition tables first. Plenty of tools will do that. Use TestDisk to check your backup MBR tables, too. They may not be corrupted.
Don't try to run more than one partition tool at a time, including Window's Disk Mgmt console. They interfere.

gerbil 216 Industrious Poster

Starting, I believe, with XP, only Windows' boot files must be on a primary partition ["system" drive must be primary], but the remainder [the "boot" drive] of the OS may be on a logical volume. W7 has the option of a System Reserved primary for all boot files and loader.
Look, I didn't come up with the system and boot drive labels. M$ did.

gerbil 216 Industrious Poster

Check also what system restore size is set to, and the pagefile specification, if there is one on your D: drive.
A program like MyDefrag will identify the "stolen" space for you.

gerbil 216 Industrious Poster

Seb, after you've finished copying over a reg hive or two, try first starting the sys in Safe Mode.

gerbil 216 Industrious Poster

Eeprom?
Try clnpwd.exe.

gerbil 216 Industrious Poster

Clarity of prose is always a problem when I post, because I try to be succinct. Sometimes.
Yeah.. I coulda said Unload restored the key to its hive file....
Right, because you're having fun... try just copying over the windows.old SYSTEM [modified with no Mounted Devices key] and SOFTWARE hives into your custom W7. Oh, \repair hives are as I said above, made when you installed the OS, or when you do a system backup. So they can be pretty basic.... aged... out of date.... so use the windows.old...\config SYSTEM and SOFTWARE files.
Good luck.

gerbil 216 Industrious Poster

:)
If you loaded, say, \repair\system as RODENT, then when you unload it updates the \repair\system hive with whatever changes you made in registry to RODENT. You won't see a RODENT hive or file anywhere; it's just a tag in registry so that you know where you are, or more importantly, so regedit knows what's where. You will notice that you are given the option to unload any of the system's hive keys under HKLM - it just will not allow it. Which means that you can only unload what you loaded.

gerbil 216 Industrious Poster

Ancient, I'm using IE6 [rarely], but I'm going to guess nothing much has changed... :)
What if you physically edit this key [or sim, for IE10] to reflect your homepage URL?

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

So: "Start Page"="http://www.rottentomatoes.com/m/dogville/"

Or check that it at least reflects the home page that you tried to set?

gerbil 216 Industrious Poster

MBAM is usually right on top of Vundo. All you have are the two Searchscopes keys, which were removed. GMER looks clean, no suspicious keys or services in DDS.

gerbil 216 Industrious Poster

Hi, again. Life wins over computers, any day.
I rather doubt that explorer.exe was freezing because of an intrinsic problem, it's rather more likely that something it was acting upon was at fault.
Does that make sense? For example, if explorer was building video thumbnails and one file was corrupted, then you might expect it to freeze while it dealt.
And you cannot uninstall explorer; it's one of Windows' basic shells. [Task Manager & cmd are two more shells]. Turn it off [via Task Manager], yes, because it runs as a process.
Delete it, too, cos it's just an exe file in C:\Windows. But most folks freeze themselves when explorer freezes.
Thing is, you can do much of what it does via iexplore.exe [internet explorer], but don't expect a desktop with icons, task bar.

HKEY_USERS\S-1-5-18 = System .......... we tend never to touch these.
HKEY_USERS\S-1-5-19 = Local service ..... likewise.
HKEY_USERS\S-1-5-20 = Network service ... likewise.
The S-1-5-21-long string of numbers ...are the security identifiers of the various users who ever had accounts. They contain, among other settings, various user preferences, usernames, passwords [coded] [slightly].
No intermittent freezes would originate there, or any reg key, really. Unless some malware has created hooks to inject its processes into explorer [some do that]. A thing to consider.
Pretty much, I think the freeze problem originates with a corruption in something it encounters while performing a task. Me, I'd try to spot it with …

gerbil 216 Industrious Poster

Is this the type of Java popup to which you refer?
"i have windows 7 and do not want to run java programs" . Perhaps, but the fact that you are seeing that popup means that you are running Java [it is installed on your machine], and that you need to have it run. It is actually programs that run it, whether they are installed or running it from a website.
Yes, that popup can be annoying if something you wish to run contains a host of unsigned applets. Open the Java control panel [click Java in your Windows Control Panel] and in the panel that pops go to security tab and set the slider to High, if it is already at Very High. I don't recommend Medium - some devastating software from rogue websites could cripple your machine. And if it was already set at High then you are trying to run some "cheap" software, the writers of which are not too concerned about trust. It may be fine, but a pest to use. If you do trust it absolutely, then check the Do not Show box.
Leave settings in Advanced tab relating to security where they are.
"but it keeps disabeling computer so i cant use it". What did you mean by that statement?

gerbil 216 Industrious Poster

You forgot already where you honeymooned? Sheesh. Too much of something.
You got bigger problems than hacking someone's email.

gerbil 216 Industrious Poster

I'll run through the procedure. It works.
Open registry with regedit. Highlight either HKLM or HKU [the only keys that allow use of Load/Unload]. Select File > Load.
In the window that pops navigate to Windows.old\Win....\config and select system, press Open. In the box that pops, name it RODENT.
And the system hive loads as RODENT [= windows.old HKLM hive]. You expand RODENT, highlight its MountedDevices key, and delete it.
You finally highlight RODENT, choose File > Unload and BAM! it's done.

"If I Load System from windows.old, I can see that the MountedDevices are different compared to the Current system because the X: drive (preinstallation volume) is not present. I cannot Unload it, though, because it is in use."
-I don't understand this, because i can load my current system file, modify it and then unload it with no question about it being in use, because it is not. Even thought it is the same system hive that my machine is running on. I'm not too silly, I saved a copy beforehand. And I have ERUNT.
I can even name it with the name of an existing key, play with it and unload it again, being careful not to confuse it with the real key. No problem with "in use".
Don't use Export on a Loaded key - some trouble can lie there. If you do get stuck, just shut down normally; the key you Loaded is not saved as a part …
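The same Load/Unload routine as a script rather than regedit clicks, as an added example that is not from the original post; it also covers the MountedDevices deletion explained in the later post about disk signatures. Assumptions: the Windows.old hive path, the RODENT tag, and an elevated PowerShell prompt on the working system with regedit closed.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the working Windows 7 system; regedit must be closed.
$OldHive  = 'C:\Windows.old\Windows\System32\config\SYSTEM'   # assumed path; adjust
$MountKey = 'HKLM\RODENT'                                     # temporary tag, as in the post

if (-not (Test-Path $OldHive)) { throw "Hive not found: $OldHive" }

# Unloading writes the change back into the hive file, so keep a copy first.
Copy-Item $OldHive "$OldHive.bak" -Force

# Load the old SYSTEM hive under the RODENT tag (regedit: File > Load Hive).
reg.exe load $MountKey $OldHive | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (exit $LASTEXITCODE): not elevated, or the file is open elsewhere."
}

try {
    $key = "$MountKey\MountedDevices"
    # List the stale volume-to-drive-letter mappings before removing them.
    reg.exe query $key
    if ($LASTEXITCODE -eq 0) {
        reg.exe delete $key /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete failed (exit $LASTEXITCODE)" }
        Write-Host "Deleted $key; Windows rebuilds it from the attached volumes at next start."
    } else {
        Write-Host "No MountedDevices key under $MountKey; nothing to delete."
    }
}
finally {
    # Unload commits the edited hive to disk and removes the RODENT tag
    # (regedit: File > Unload Hive). It fails if any key under it is still open.
    reg.exe unload $MountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; close anything using $MountKey and run: reg unload $MountKey"
    }
}
```

If the load step fails, check the backup copy is intact before retrying; nothing has been written to the hive file until the unload succeeds.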

gerbil 216 Industrious Poster

Could i see your TDSSKiller log, please? And you might also run ASWMBR and GMER.
http://www.bleepingcomputer.com/download/aswmbr/
http://www2.gmer.net/download.php

gerbil 216 Industrious Poster

Ha. Okay, it must have worked at some stage, but did not report.
Re hijacks, I'll run through the original OTL again, later.

gerbil 216 Industrious Poster

  1. It has to be loaded to be read.
  2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion is where the version is, at valuename ProductName.
  3. The OS rebuilds the MountedDevice key, NOT the whole HKLM!! It rebuilds MountedDevices by examining all connected storage device volume identifiers. So you could delete it on the new box, but it would rebuild to virtually the same for your purposes, so no gain. You have to delete it from Windows.old.
  4. By "Load, etc, unload the System hive..." I meant to Load Windows.old System hive, name it as RODENT, delete the MountedDevices key, and then Unload the RODENT hive.
  5. Whoops. They pulled that for 7 [it is an advanced XP option; I have 7, but prefer to use XP]. Go with ERUNT.

gerbil 216 Industrious Poster

When you ran the first OTL fix it appeared as if some leading characters in lower lines were missing, starting at :Reg.
The second time, it appears as if the command :Reg was missing, so the registry fixes were ignored [the first command picked up was :Files]. :Reg is a necessary command, to be included!
Please run this code in OTL [it will be v quick]:

:Reg
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKU\S-1-5-21-2621160978-2338274801-3040308891-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

The other check showed no problems. Are you experiencing any redirections now? You could check with that noahdfear.net link above.

gerbil 216 Industrious Poster

Hmm... you must have been redirected. The link I posted is to this site, http://noahdfear.net, which is VERY safe. ifighi.net I do not know, but Google also does have it as a "damaging" site. Load this URL, http://noahdfear.net/downloads/HAMeb_check.exe into an unaffected computer, download the file and copy it into your sys via UFD [usb key]. I am trying to find why this port is open :"3389:TCP" = 3389:TCP::Enabled:Remote Desktop ... in any event, leaving that port open puts you at risk of automated net scans which search for that port on systems, and download malware into it. Naturally, some malwares like to force it open, eg MBR rootkits. We're checking for them.

Part of that fix did not run; I have put the offending part in a plain text block below - please copy it into OTL's Custom Scans/Fixes as before and then press Run Fix.
Post OTL and HAMeb_check logs.

:Reg
[HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKU\S-1-5-21-2621160978-2338274801-3040308891-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[CREATERESTOREPOINT]

gerbil 216 Industrious Poster

System hive holds all information relative to basic OS and hardware.
Software is all other system software and 3rd party.
Roughly speaking.
Very.
Product key for 7 is encoded, it's in System; you need software to extract it. I use Magical Jelly Bean and/or Winkeyfinder.exe.
Something I did not think of until I was abed after posting last.... you likely need to delete all reference to previous disk, partition configurations. Windows knows disks and partitions via signatures or volume identifiers and they may have altered with the custom installation. These lists [which reference them to partition labels and names] are in a key in HKLM which can always be safely deleted; Windows just rebuilds it at next system start. It's HKLM\System\CurrentControlSet\MountedDevices. You delete the whole MountedDevices key [fast] or all the value names [slowwww]. To do it, you need to Load the hive into a working system, name it to something unmistakable, unlosable, like umm... RODENT, work on it, then Unload it. It's what I must do when I work with images [clones] of my system. Easy as.
So use the disk and cmd window again, copy from Temp those 7 files into Config [or rename all the .bak files in config], and try to start the sys as it was as a Custom job. Load, etc, unload the System hive..., and back to copying over the "new" Windows.old hives.
Mighta been easier if I'd used del instead of ren, so:

gerbil 216 Industrious Poster

That sounds like a bomb. Right. Were you able to recover by reverting to the old hives?

gerbil 216 Industrious Poster

Start OTL. Under the Custom Scans/Fixes paste in the following, then click Run Fix button at top.

:OTL
SRV - (RPCQT) -- C:\WINDOWS\system32\Rpcqt.dll File not found
DRV - (RimUsb) -- System32\Drivers\RimUsb.sys File not found
DRV - (PID_PEPI) -- system32\DRIVERS\LV302V32.SYS File not found
DRV - (pepifilter) -- system32\DRIVERS\lv302af.sys File not found
DRV - (LVUSBSta) -- system32\drivers\LVUSBSta.sys File not found
DRV - (FilterService) -- system32\DRIVERS\lvuvcflt.sys File not found
DRV - (Adfudilslu) --  File not found
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 4B CD 95 18 E7 9B 91 45 94 E3 A2 5F 5B A7 1A 5C  [binary data]
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 4B CD 95 18 E7 9B 91 45 94 E3 A2 5F 5B A7 1A 5C  [binary data]
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 4B CD 95 18 E7 9B 91 45 94 E3 A2 5F 5B A7 1A 5C  [binary data]
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-21-2621160978-2338274801-3040308891-1006\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 4B CD 95 18 E7 9B 91 45 94 E3 A2 5F 5B A7 1A 5C  [binary data]
IE - HKU\S-1-5-21-2621160978-2338274801-3040308891-1006\..\SearchScopes,DefaultScope = 

FF - prefs.js..extensions.enabledAddons: %7B35379F86-8CCB-4724-AE33-4278DE266C70%7D:1.0.8
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll File not found
[2012/04/23 23:24:47 | 000,000,000 | ---D | M] (ALOT Toolbar) -- C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\tvrwenaa.default\extensions\toolbar@alot.com
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [TaskTray]  File not found …

gerbil 216 Industrious Poster

This... "3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop ... is a concern. I'm busy right now, but will get back to you.

gerbil 216 Industrious Poster

Versions. OS vsn is taken from explorer.exe. Then there is the kernel version, ntoskrnl.exe [in system32].....
cmd > ver will tell you the version family.
What exactly happened when you copied in the old hive files and restarted?

gerbil 216 Industrious Poster

Hi. Hijackthis really is not a great tool to be running; the view of your system is very limited. A far better scan can be found here:
==Download OTL from http://oldtimer.geekstogo.com/OTL.exe to your Desktop.

  • Double click on the icon to start the application.
  • Press Scan All Users, Minimal Output, Standard Registry ALL, check both LOP and Purity boxes, leave other sections as they are.
  • Press Run Scan.
    The scan will take maybe 5 minutes; 2 notepads will present [saved to the place from where you ran OTL.exe] - please post both.
    By the way, which browser is affected?

gerbil 216 Industrious Poster

The 7 hive files are DEFAULT SAM SECURITY SOFTWARE SYSTEM COMPONENTS BCD-Template
To do the job, boot from your W7 inst disk. Choose the option to Repair your Computer.
Choose a recovery tool : Command Prompt
Then enter these commands...

cd Windows\System32\Config
md Temp
copy BCD-Template Temp
ren BCD-Template BCD-Template.bak
copy COMPONENTS Temp
ren COMPONENTS COMPONENTS.bak
copy DEFAULT Temp
ren DEFAULT DEFAULT.bak
copy SAM Temp
ren SAM SAM.bak
copy SECURITY Temp
ren SECURITY SECURITY.bak
copy SOFTWARE Temp
ren SOFTWARE SOFTWARE.bak
copy SYSTEM Temp
ren SYSTEM SYSTEM.bak

And then copy in the hives from your Windows.old directory so:
copy C:\Windows.old\System32\Config\Regback\BCD-Template C:\Windows\System32\Config\BCD-Template
and so on for the other 6 hives. Exit and restart.
If it doesn't fire up, then go back in with your disk and delete the newly copied files, then delete the .bak extensions to the old files.

gerbil 216 Industrious Poster

Lessee... just so that you get the correct screen of options, restart your sys and begin pressing F8 as BIOS runs, and you should lob into a black screen Advanced Options Boot Menu with one of them being "Disable automatic restart on system failure". Choose that one. Restart your system. This time it should halt with a blue screen. Please post the two lines at Technical Information [with the Stop Code], and the fault line near the top of the screen.
It may be that you just need to run:
chkdsk /r
from a recovery console to fix your hdd. You can access the RC from your installation disk, or find a downloadable iso. Here is a selection:
http://www.thecomputerparamedic.com/files/rc.iso
http://www.webtree.ca/windowsxp/tools/bootdiscs/xp_rec_con.zip