
Error Code: 0x80070002


9 replies to this topic

#1 jwh Bob

jwh Bob

  • Members
  • 71 posts
  • Gender:Male
  • Location:Luxembourg

Posted 24 August 2008 - 06:37 PM

Hi there!

This happens on an XP Pro SP2, which had some problems with trojans - at least Virtumonde, Vundo and maybe some others with more generic names. Cleaned with AVG 7.5 and afterwards AVG 8 and Spybot Search & Destroy.

The PC worked fine for a day and today I scanned it with Malwarebytes' Anti-Malware which still found:
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\oembios.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BMb30115ec.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMb30115ec.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


But after rebooting I got this error:

"A problem is preventing Windows from accurately checking the license for this computer. Error Code: 0x80070002"

Now I can only go into safe mode...

Found this: http://support.microsoft.com/kb/310794/en-us
CAUSE
This issue can occur if one of the following conditions is true:
• The default security provider in Windows XP has been changed.
• The system drive letter has changed.

There is no system drive letter changed - still drive C
Don't know what a "default security Provider" is, but went to look at
HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\Providers
HKEY_USERS\S-1-5-20\Software\Microsoft\Cryptography\Providers

in both I can't find the folders Cryptography\Providers

and now I don't know what to do...

Thanks for your help

Bob

Edit: Moved topic from XP to the more appropriate forum. ~ Animal



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 August 2008 - 09:51 AM

Hi,

The reason why you are getting this error is because MalwareBytes deleted the oembios.dat file which was actually a false positive.
Also read here: http://www.malwarebytes.org/forums/index.p...amp;#entry25841
So, since you are able to boot into safe mode, open MBAM, click on the quarantine tab and select to restore the oembios.dat file.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jwh Bob


Posted 26 August 2008 - 11:48 AM

Mieke, thanks for your reply!

Guess I'm in deep trouble now as the quarantine has only the 5 Registry Keys, but no trace of

Files Infected:
C:\WINDOWS\system32\oembios.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\BMb30115ec.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMb30115ec.txt (Trojan.Vundo) -> Quarantined and deleted successfully



I'm not sure if I understood all from the malwarebytes forums - should I go and try a system restore in safe mode?

Bob

#4 miekiemoes


Posted 26 August 2008 - 12:05 PM

Yes, you can try that, but I'm afraid that won't solve your issue. But if you don't try...

If that still fails, then read here:

http://windowsitpro.com/article/articleid/...p-computer.html

Skip steps 3, 4 and 5 there, since we already know it's the oembios.dat file missing from your system32 folder.

#5 jwh Bob


Posted 27 August 2008 - 03:39 AM

You're right Mieke, "restore" didn't bring me any further.

The article on windowsitpro.com says to copy the missing file from another XP "preferably as the same service pack and hotfix level"
The PC has XP PRO SP2 in French with IE7, mine are all with Windows in English XP PRO or XP Home, SP2 with IE6 - should I try anyway to copy oembios.dat from one of them?

The article further suggests to "Expand the missing files from the Windows XP CD-ROM". There is no Windows CD with this PC, I have only XP Home CDs from other PCs. Don't know what "expand" means here.

I found this http://www.tomshardware.co.uk/forum/58055-...ng-windows-from written in 2005:
"saying that in the Windows/I386 folder there is a backup called OEMBIOS.DA_."
I can't find that file on this PC

Still lost...

#6 miekiemoes


Posted 27 August 2008 - 04:06 AM

Can you look if there's an oembios.dat file in the C:\Windows\system32\dllcache folder? There should be though...
The dllcache is a hidden system folder, so make sure hidden files and folders are shown:
To do this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

If there's indeed an oembios.dat file there, then you can copy it to the system32 folder.

Expand means, the files on your CD are "packed", so you have to expand them first.
For that, you need the expand command via the command prompt. For example:

expand c:\i386\oembios.da_ c:\windows\system32\oembios.dat
(this is in case there's a c:\i386\oembios.da_ file, so the command expands the file to the system32 folder)

It could also be possible that you have a C:\Windows\I386 folder instead where the OEMBIOS.DA_ file is present (as you see, this one does need to get expanded since it's shown as OEMBIOS.DA_).
In case you have it there, from start > run, type cmd to launch the command prompt and then type:

expand c:\Windows\i386\oembios.da_ c:\windows\system32\oembios.dat

Keep in mind, we need the oembios.dat, not oembios.bin, not oembios.cat etc...

"The PC has XP PRO SP2 in French with IE7, mine are all with Windows in English XP PRO or XP Home, SP2 with IE6 - should I try anyway to copy oembios.dat from one of them"

No, I won't risk that. In case none of the above worked and there are no copies of oembios.dat or oembios.da_ present on your computer, can you contact anyone with a French XP Pro SP2 and ask them to mail you the oembios.dat?
Mine is Dutch, so I can't help you with that unfortunately.
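
The lookup order from post #6, written as a batch file for the XP command prompt. This is an added example, not something posted by anyone in the thread; it assumes the folder locations quoted in the post (dllcache, C:\i386, C:\Windows\i386) and refuses to overwrite a file that is already in place.

```batch
@echo off
rem Added example, not from the thread: try the recovery sources in the
rem order given in post #6. Folder names are the ones quoted there.
setlocal
set "TARGET=%SystemRoot%\system32\oembios.dat"

rem Never overwrite a file that is already in place.
if exist "%TARGET%" (
    echo %TARGET% already exists, nothing to do.
    goto :done
)

rem 1. Uncompressed copy in the hidden dllcache folder.
set "CACHE=%SystemRoot%\system32\dllcache\oembios.dat"
if exist "%CACHE%" (
    echo Restoring from %CACHE%
    rem /h also copies hidden and system files; trailing \ means "into folder".
    xcopy /h "%CACHE%" "%SystemRoot%\system32\" >nul
    goto :verify
)

rem 2. Compressed copy, OEMBIOS.DA_, in an i386 folder: it must be expanded.
for %%D in ("C:\i386" "%SystemRoot%\i386") do (
    if exist "%%~D\oembios.da_" (
        echo Expanding %%~D\oembios.da_
        expand "%%~D\oembios.da_" "%TARGET%" >nul
        goto :verify
    )
)

echo No oembios.dat or oembios.da_ found on this computer.
goto :done

:verify
if exist "%TARGET%" (
    echo Restored:
    dir "%TARGET%"
) else (
    echo Restore failed.
)

:done
endlocal
```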

#7 jwh Bob


Posted 27 August 2008 - 04:46 AM

Mieke,

Again you saved my day, week and more :thumbsup:

Hidden Files & Folders were indeed hidden and after I'd changed this I found the oembios.dat in the C:\Windows\system32\dllcache folder, copied it and Windows is up again.

HURRAY!

I'll now run a Malwarebytes (updated...) scan and see what else happened after the restore.

I'll probably post you a final report tonight.

Thanks for your patience and all

bob

#8 miekiemoes


Posted 27 August 2008 - 05:30 AM

Good to hear. :thumbsup:

#9 jwh Bob


Posted 27 August 2008 - 05:50 PM

Guess we're done!

At the end Zone Labs got Windows Genuine Advantage trying to go on the Internet. I was fed up with this PC and not in the mood to see new problems, so I didn't allow it...

Thanks for all and have a nice evening

bob

#10 miekiemoes


Posted 28 August 2008 - 12:13 AM

You're most welcome :thumbsup:



