26 replies to this topic

[rguilbert]

Hi
Running XP Pro with Wave fingerprint security on a Dell Latitude D830.
I ran MBAM on Friday to remove a winspywareprotect infection. Seemed to be successful, but now can't get into Windows (even in safe mode). Here what happens:
- (as usual) switch on and pre-boot authentication asks for password or fingerprint
- (as usual) provide fingerprint or password to start loading windows
- (as usual) wave dialogue asks for fingerprint to logon to user (I'm the only user)
- provide fingerprint and get message - "a device attached to the system is not functioning"
- if I use Ctrl+Alt+Del and provide another fingerprint, I get either that same message or "invalid user logon credentials"

I guess the virus removal took some other elements with it?

Spent 5 hours with Dell Support (ran hardware diagnostics - no problems, tried to run windows safe mode - not possible) - final suggestion was format and reinstall + loss of data. The wave website http://www.wavesys.c...ista/index.html has some detailed support info, but as far as I can see it assumes that you have windows running.

I can retrieve my data by running Knoppix from a CD and copying data files to an external hard drive, BUT I'd really like to find a way to repair what MBAMremoved, if possible.

Be grateful for any help - thanks.

[nosirrah]

If you can , get us the most recent log from here :

C:\Documents and Settings\*****YOUR USERNAME GOES HERE*****\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

In that log will be what was detected and removed .

One problem that could have happened is that malware made part of your OS dependant on it so once it was gone it acted like an actual critical part of the OS was missing .

There is also a way to take a recent copy of your registry from a restore point and swap it in using a boot disk . If you had system restore shut off before this happened then this will not be an option .

[rguilbert]

Thanks.

There are 3 logs attached - the final one shows everything as being clear.
 mbam_log_7_18_2008__11_13_46_.txt   5.16K   109 downloads
 mbam_log_7_18_2008__11_21_20_.txt   1.2K   91 downloads
 mbam_log_7_18_2008__11_23_05_.txt   829bytes   86 downloads

I'm pretty sure system restore was active - do you think it's worth giving that a try?

Rgds

[nosirrah]

Yes , but I might just have some better magic .

Please get me this file (Z: is whatever drive letter you have for your hard drive from the boot disk) :

Z:\WINDOWS\system32\config\system

There will be several files named system , e need the one with no extension .

I am going to fix that registry hive for you , send it back , have you replace the one that is bad with the one I fixed and then report back if all is well again .

From what I can tell you got hit with a known bug in 1.20 . 1.22 is the current version and this bug has been corrected .

[nosirrah]

edit to add

I am PMing you my email in case forum restrictions dont allow a file of that size .

Make sure to zip before you attach .

[rguilbert]

Thanks Bruce. Zipped file exceeds upload max, so I'll email to you right away.

regards

Richard G

[nosirrah]

Registry data type bug confirmed .

I have corrected it and the system hive I am sending you back should allow you to boot .

Delete the existing system file and replace it with the one I sent you .

The current version of MBAM no longer suffers from this bug , sorry for the inconvenience .

[rguilbert]

Thanks for the fix - but I can't delete or rename the old file. Is there a way around that?

[nosirrah]

How are you getting to it ?

A boot disk should allow you to delete it .

If not I need to know if you have an install disk . If you do we can delete that file from recovery console .

[rguilbert]

I'm using Knoppix from a boot CD

I also have the original Windows XP CD (not sure if that's what you'd call an install disk)

[nosirrah]

Yes , that is the disk .

Do the following steps :

Boot system with install disk in your optical drive .
Tap F12 once a second untill the boot menu appears .
Select boot from CD .
If "press any key to boot from CD" appears press any key before it disappears .
A setup process will now happen , it will take between 2 and 10 minutes .

After setup you will end up at a screen where you can press "r" or enter , press "r" at this screen .
You may be asked several questions at this point like which install to use and for your password . If you do not have a password but are asked for one anyway just press enter .
Once you get to the prompt type exactly these lines :

del c:\windows\system32\config\system <press enter>
exit <press enter>

At this point your system will reboot .
The file should be gone now and you should be able to place the file I corrected for you into the config folder .


This will not damage your data in case you were wondering .

If this fails I have 3 more options to fix this without putting your data at risk .

[rguilbert]

Successfully copied, but on reboot I got the message "a specified authentication package is unknown" followed by a c000021a fatal system error. System shut down

[nosirrah]

mmmm , that should have worked but it did get us a step in the right direction , a repair install should now work .

Do the same steps to get to the screen you pressed "r" last time but this time do not press "r" , instead press "enter" .
At the next screen press F8 .
The screen after that will be the XP install screen .
This is critical , make sure that the option to press "r" to repair is what you see . If you do not exit out and report back .
If you do go ahead and press "r" to repair your install , it will not damage you applications ot data but will overwrite the OS at certian locations , your current error included .


If "r" is not an option and im not around this will set you up for a fix that is sure to work but is way more involved .
Get back to the windows XP install screen and press enter to install .
Choose to keep the same file system (do NOT format) .
Do not use the same windows folder , install into a defferent folder , windowsx is what ill use in the next instructions so that would be a good choice .
The screen where you need to tell windows not to overwrite your windows folder will say "press "l" to delete" , this is the place you need to choose the option to select a different folder .
DO NOT ATTEMPT TO ACTIVATE THIS INSTALL .
This will be a work install that we will use to fix the damaged one , once we are done it will be removed .

If you need to do the second option let me know and ill get the steps together to extract a copy of your registry from a restore point .

[rguilbert]

Bruce - found R for repair and it's copying files... assuming that goes OK, what are the next steps (if you're around for a while, I'll let you know as soon as it finishes.

[nosirrah]

You will be asked a few questions along the way , one of them will be to enter the key on the sticker on the side of the case , that is likely the hardest part .

Once it is done (and it allows you back to your desktop) the first thing you have to do is to reinstall SP3 and the rest of the windows updates as most of these will have been undone by the repair .

At that point you should be 100% fixed .

[rguilbert]

Finished install, but I keep getting "a specified authentication package is unknown" followed by automatic reboot...

[nosirrah]

Im going to rebuild your system hive again and strip ot what is not needed , this should work but might disable your fingerprint logon .

[rguilbert]

Thanks - disabling fingerprints is fine for now. I can always reset later (I hope!).

[nosirrah]

OK , email sent .

I removed some of the LSA packages that your OS will look for and left the critical ones .

If this does not work then your OS is non standard in a way I have not seen and we will need to do the install into windowsx and restore a copy of your registry from restore .

[rguilbert]

Same problem as before - "a specified authentication package is unknown" followed by a c000021a fatal system error. System shut down.


Now re-trying windows repair - I noticed a "press f2 to run automated system recovery" message flash up during the process - I guess that's a blind alley?