Can't login to XP after running MBAM


Hi

Running XP Pro with Wave fingerprint security on a Dell Latitude D830.

I ran MBAM on Friday to remove a winspywareprotect infection. Seemed to be successful, but now can't get into Windows (even in safe mode). Here's what happens:

- (as usual) switch on and pre-boot authentication asks for password or fingerprint

- (as usual) provide fingerprint or password to start loading windows

- (as usual) wave dialogue asks for fingerprint to logon to user (I'm the only user)

- provide fingerprint and get message - "a device attached to the system is not functioning"

- if I use Ctrl+Alt+Del and provide another fingerprint, I get either that same message or "invalid user logon credentials"

I guess the virus removal took some other elements with it?

Spent 5 hours with Dell Support (ran hardware diagnostics - no problems, tried to run windows safe mode - not possible) - final suggestion was format and reinstall + loss of data. The wave website http://www.wavesys.com/support/ETS-Support-Vista/index.html has some detailed support info, but as far as I can see it assumes that you have windows running.

I can retrieve my data by running Knoppix from a CD and copying data files to an external hard drive, BUT I'd really like to find a way to repair what MBAM removed, if possible.

Be grateful for any help - thanks.


  • Staff

If you can, get us the most recent log from here:

C:\Documents and Settings\*****YOUR USERNAME GOES HERE*****\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

In that log will be what was detected and removed.

One problem that could have happened is that malware made part of your OS dependent on it, so once it was gone it acted like an actual critical part of the OS was missing.

There is also a way to take a recent copy of your registry from a restore point and swap it in using a boot disk. If you had System Restore shut off before this happened then this will not be an option.


Thanks.

There are 3 logs attached - the final one shows everything as being clear.

mbam_log_7_18_2008__11_13_46_.txt

mbam_log_7_18_2008__11_21_20_.txt

mbam_log_7_18_2008__11_23_05_.txt

I'm pretty sure system restore was active - do you think it's worth giving that a try?

Rgds


  • Staff

Yes, but I might just have some better magic.

Please get me this file (Z: is whatever drive letter you have for your hard drive from the boot disk):

Z:\WINDOWS\system32\config\system

There will be several files named system; we need the one with no extension.

I am going to fix that registry hive for you, send it back, have you replace the one that is bad with the one I fixed and then report back if all is well again.

From what I can tell you got hit with a known bug in 1.20. 1.22 is the current version and this bug has been corrected.


  • Staff

Registry data type bug confirmed.

I have corrected it, and the system hive I am sending you back should allow you to boot.

Delete the existing system file and replace it with the one I sent you.

The current version of MBAM no longer suffers from this bug; sorry for the inconvenience.


  • Staff

Yes, that is the disk.

Do the following steps:

Boot system with install disk in your optical drive.

Tap F12 once a second until the boot menu appears.

Select boot from CD.

If "press any key to boot from CD" appears, press any key before it disappears.

A setup process will now happen; it will take between 2 and 10 minutes.

After setup you will end up at a screen where you can press "r" or enter; press "r" at this screen.

You may be asked several questions at this point, like which install to use and for your password. If you do not have a password but are asked for one anyway, just press enter.

Once you get to the prompt, type exactly these lines:

del c:\windows\system32\config\system <press enter>

exit <press enter>

At this point your system will reboot.

The file should be gone now and you should be able to place the file I corrected for you into the config folder.

This will not damage your data, in case you were wondering.

If this fails I have 3 more options to fix this without putting your data at risk.


  • Staff

Mmmm, that should have worked, but it did get us a step in the right direction; a repair install should now work.

Do the same steps to get to the screen where you pressed "r" last time, but this time do not press "r"; instead press "enter".

At the next screen press F8.

The screen after that will be the XP install screen.

This is critical: make sure that the option to press "r" to repair is what you see. If you do not, exit out and report back.

If you do, go ahead and press "r" to repair your install; it will not damage your applications or data but will overwrite the OS at certain locations, your current error included.

If "r" is not an option and I'm not around, this will set you up for a fix that is sure to work but is way more involved.

Get back to the Windows XP install screen and press enter to install.

Choose to keep the same file system (do NOT format).

Do not use the same Windows folder; install into a different folder. windowsx is what I'll use in the next instructions, so that would be a good choice.

The screen where you need to tell Windows not to overwrite your Windows folder will say "press "l" to delete"; this is the place you need to choose the option to select a different folder.

DO NOT ATTEMPT TO ACTIVATE THIS INSTALL.

This will be a work install that we will use to fix the damaged one; once we are done it will be removed.

If you need to do the second option, let me know and I'll get the steps together to extract a copy of your registry from a restore point.


  • Staff

You will be asked a few questions along the way; one of them will be to enter the key on the sticker on the side of the case. That is likely the hardest part.

Once it is done (and it allows you back to your desktop), the first thing you have to do is to reinstall SP3 and the rest of the Windows updates, as most of these will have been undone by the repair.

At that point you should be 100% fixed .


  • Staff

OK, email sent.

I removed some of the LSA packages that your OS will look for and left the critical ones.

If this does not work then your OS is non-standard in a way I have not seen, and we will need to do the install into windowsx and restore a copy of your registry from restore.


Same problem as before - "a specified authentication package is unknown" followed by a c000021a fatal system error. System shut down.

Now re-trying windows repair - I noticed a "press f2 to run automated system recovery" message flash up during the process - I guess that's a blind alley?


  • Staff

I need to see what Dell set up so I can learn why what should work does not.

From your boot disk get me the following file:

C:\System Volume Information\_restore{34A59BDE-A099-47A4-8C51-3EE1F85BBEC7}\RP5\snapshot\_REGISTRY_MACHINE_SYSTEM

restore{34A59BDE-A099-47A4-8C51-3EE1F85BBEC7} -> this will not match your number but will be the same format.

RP5 -> there will be many of these; you want the one created a day before all the trouble started.
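For the restore-point route the staff member describes (pulling `_REGISTRY_MACHINE_SYSTEM` out of a snapshot and swapping it in for the live `system` hive), here is an added example to run from the Knoppix CD; it is not the staff member's procedure or any Malwarebytes code. It assumes the XP partition is mounted read-write at the path given as the first argument, that the directory names keep the capitalisation XP wrote, and that GNU stat and date are available.

```shell
#!/bin/sh
# Added example (not from the thread): swap the SYSTEM hive back in from a
# System Restore snapshot while booted from a Linux live CD such as Knoppix.
# Assumptions: the XP partition is mounted read-write at $1 (e.g. /media/sda1),
# directory names keep XP's capitalisation (System Volume Information,
# WINDOWS), and GNU coreutils (stat, date) are available.

# Print the path of the newest _REGISTRY_MACHINE_SYSTEM whose modification
# time is before the cutoff (a UNIX timestamp: midnight at the start of the
# day the trouble began, so the newest snapshot from the day before wins).
pick_snapshot() {
    root=$1; cutoff=$2; best=""; best_ts=0
    for rp in "$root"/System\ Volume\ Information/_restore*/RP*/; do
        hive="${rp}snapshot/_REGISTRY_MACHINE_SYSTEM"
        [ -f "$hive" ] || continue
        ts=$(stat -c %Y "$hive")
        if [ "$ts" -lt "$cutoff" ] && [ "$ts" -gt "$best_ts" ]; then
            best=$hive; best_ts=$ts
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Every registry hive file starts with the 4-byte "regf" signature; refuse
# anything else so a truncated or wrong file is never copied over the live hive.
is_hive() {
    [ "$(head -c 4 "$1")" = "regf" ]
}

# Back up the current extension-less "system" file, then copy the snapshot in.
restore_system_hive() {
    root=$1; src=$2; cfg="$root/WINDOWS/system32/config"
    is_hive "$src" || return 1
    if [ -f "$cfg/system" ]; then
        cp -p "$cfg/system" "$cfg/system.bak-$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$src" "$cfg/system"
}

# Usage from the live CD (cutoff = midnight starting the day the boot failed):
# snap=$(pick_snapshot /media/sda1 "$(date -d '2008-07-18 00:00' +%s)") && \
#     restore_system_hive /media/sda1 "$snap"
```

The backup copy left beside the hive lets the original file be put back if the snapshot turns out to be the wrong one.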


  • Staff

I have not used that software before.

If there is nothing in SVI then restore was off and no restore points are available.

When I get back I will take the first system hive you sent me and see what I can do with it; the answer about the missing authentication has to be in there.


  • Staff

Email sent.

I made a few more changes to your LSA key based on comparing the two control sets.

The problem here is that the two control sets have very different info in this key, and from what I can tell both of them were wrong, so I had to take what looked correct from each.
