Malware·2,748 discussions

XP startup stuck at greeting page

Locked

I’m working on a system that was recently infected with that “fake” AV virus. It is a Dell running Win XP multimedia edition (whatever that is…) with mirrored SATA hard drives. For some reason Dell thought it necessary to use their own driver for the drive array. The problem – computer owner ran a real AV program to clean it up and when the real AV program finished and wanted to reboot to complete the cleanup the reboot hung at the greeting page where you choose the user to log in as – we had only one user here so we had not been using the greeting page. You click on user name and it appears to be logging in, then promptly logs user right back out again, it does this even in safe mode. I have tried to boot using an XP CD and going into repair mode but because of the proprietary driver for the HD I don’t have access to the HD. Have downloaded the driver and am putting it on a floppy, hopefully the XP setup program will recognize the USB floppy drive.
I have connected one of the drives to another system and had no problems accessing it then did an integrity check on it. Also did a very thorough virus scan of it and removed 27 more virus files. What I am trying to figure out is there a way to access the system registry on one of these drives with it slaved on another computer? I used to do that in Win2K and Win 98′ but the one time I tried it on an XP system several years ago I hosed the registry of the system I was using to cleanup the other hard drive and really don’t want to do that again.
Thanks

Topic

Clarifications

In reply to XP startup stuck at greeting page

Clarifications

MBR

In reply to XP startup stuck at greeting page

Did you try a fixboot and fixmbr with the drive running as the system partition? Even though it did make it to the profile, it could still be an issue (as I have seen in the past).
When you boot in safe mode can you login with the admin account and see if creating a new profile helps?

just fixed a couple with this problem

In reply to MBR

You need to boot to a Windows XP CD, select R to repair. Once you get to the command prompt, you need to copy (expand) userinint.ex_ (from windows cd to the c:\windows\system32\wsaupdater.exe (in copying it to another filename (wsaupdater.exe.)

Here is a much better explanation

http://support.microsoft.com/kb/892893

If this does not solve the problem, you need to boot with BartPE, and goto regedit, load the SOFTWARE HIVE from the c:\, then edit the WINLOGIN entry to point to wsaupdater.

I know this is vague, for more detail google fixing wsaupdater….

This is a nasty bug to remove, I spent hours on this last nite, but the (registry fix) was what ulitmatelt worked for me.

Thanks, not there yet

In reply to just fixed a couple with this problem

I’m still trying to access the hard drive(s) on the machine they were originally setup on.
It is a Dell just a little over 4 yrs old and the customer didn’t get the disks/install media with it(my parents! If they had asked I would have told them spend the extra 10$ and get the disks!).
It has an Intel Matrix Storage chipset with the drives mirrored, the driver on Dell’s website is 9 months newer than this system and of course don’t work. I called Dell’s so-called tech support and talked with an overly polite guy in India who you could tell was just reading from scripts and/or troubleshooting flowcharts. Man I miss the days when we talked to people who were REAL techs (not the condescending prix either) who knew the machines you were calling on. Anyway I digress, the guy in India assured me the drivers on the website were tested and would surely work, I told him no they don’t I had tried them, re-downloaded them and tried them again. Then he wanted to sell me either the Media kit that should have come with the system in the first place or different solution support packs – guaranteed to help me fix the computer.

Well I decided to take a different track here on finding the correct driver, I went to Intel’s website. There I found numerous drivers, downloaded and tried one last night that at first appeared to be a close match. It didn’t work but I am fixing to go back & search some more.

At this point I can’t even do a re-install of Winders unless I turn off the RAID mirroring. If I can ever get to where I can access the drives on their native machine I’ll be able to try y’all’s suggested fixes!
Thanks

If you want to safely get in the registry

In reply to XP startup stuck at greeting page

Download UBCD4Win and build a PE image.
You can boot from the CD and use their remote registry editor.

Yup, or

In reply to If you want to safely get in the registry

if you have a Winternals CD from the good old days.

You’ll need to point the winlogon reg key to the correct file.

That is a cool tool!

In reply to If you want to safely get in the registry

Got it downloaded over the weekend and actually accessed the HD w/o needing to add any other drivers for the drive array.
Now I just need to play with it a bit so I can figure out what’s wrong with this computer.

I tried the “userinit.exe” trick suggested earlier (tried two different versions) with no change in ability to login into the desktop.
From what I’ve read the version, whether Home, Media Center or Pro shouldn’t make a difference but service pack level might, does anyone know for sure?
Thanks
Joey

Also try

In reply to That is a cool tool!

combofix;

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Just had to fix a nasty that started as Internet security 2010

Clean the restore points and don’t miss the recycle files. After I thought I had it all, Your PC Protector popped in.

A one two with Combofix, malwarebytes, and an updated AV finally killed them. (well plus a little manual cleaning.

That worked Really Well!

In reply to If you want to safely get in the registry

The computer in question is now fixed and once I am 100% sure it is virus free I am making the restore disks!!!
The UBCD4Win was a great tool, I was able to use the default build to fix another computer prior to this one. I had a little trouble getting the correct RAID driver into it for this particular computer. I think I stated in a previous post that Dell’s website had the wrong driver listed and it took several tries to get the correct one downloaded from Intel’s site. The people at UBCD4Win were a great help in getting the driver configured properly for the PE environment and once we did that I was able to use the tools included to roll back the registry to a couple days before the computer was infected.
Just an FYI, the Disk did boot the computer without any problem on the first/default configuration and several of the tools included were able to access the RAID volume but the PE environment would “bluescreen” right away.

[Author]

Replies