
Boot Probs, (re)activation Demands Preventing Login And Lost Wireless Network Adapters After Fixing Worm.win32netbooster With Mbam On Xp ... Help?


6 replies to this topic

#1 optimistic77


Posted 25 August 2008 - 08:02 PM

Hello,

I'm new to this site and this is my first post. Hi and thanks for having me. I love what you've done with the place! ;-D

I'm running XP with SP2 on a Toshiba Satellite Pro A100 laptop, equipped for both wired and wireless net access (the latter managed by Intel PROSet) and ended up with this worm - unsurprising since I use P2P software quite a lot. About 10mins after it exploded onto my desktop - without a peep of warning from my AVG freeware I might add - I disconnected my 2 external drives, tried to sever the (wireless) net connection using IntelPROSet and, when that didn't seem to respond, I turned off the wireless adaptor using my machine's hardware switch.

I then went and fired up the house computer to look for help on the web and quickly found http://www.bleepingcomputer.com/forums/t/161001/wormwin32netbooster/, which helped me identify what had happened to my computer. I turned my laptop back on, reconnected to the web, downloaded Malwarebytes' Anti-Malware and continued exactly as Quietman7's post instructed. As I removed all the selected objects I received the same "Malwarebytes' Anti-Malware will now enable Regedit" pop-up Robttt had received and, like him, clicked "OK". (I didn't delete anything in Quarantine.) I then rebooted my computer (although unlike Robttt I don't think I purposely disconnected from the internet first) and found my pc clock had returned, the fake desktop icons were gone and I had access to my control panel again - i.e. all the infection-related changes I had previously noticed were back to normal. I rescanned with MBAM, which found one new object, and I deleted that, then rebooted again.

This is where my path seriously departs from Robttt's ...

Upon rebooting, there was my user account but instead of being able to click and login (which I never have to do anyway - I never created a separate administrator account) I got a pop-up telling me I wouldn't be able to log in unless I activated my copy of Windows (which of course was done a year and a half ago when the laptop was new). I went through the process but the activation software couldn't connect to the internet, so then I tried the (automated) phone option but that was stymied too (most of the sticker with the authentication code that was on the base of my laptop rubbed off about 6 months ago). The only remaining option was to phone Toshiba CustServ, so I put that aside til next business hours.

SO... next I restarted and got into safe mode, at which point an administration account appeared, and I couldn't log into that so I logged in, w/out password as usual, to my own user account. I ran the MBAM scan again - all clear - and then decided to try and finish following Quietman7's suggestions to Robttt and download ATF Cleaner and SUPERAntiSpyware Free, but found IE wasn't connecting to the web. When I opened Intel PROSet, it informed me that no wireless network adapters were installed. I looked for some more advice on the web, couldn't find much but tried, in Add/Remove programs, selecting the Repair option for Intel PROSet. That didn't work, and there I shut down and went to bed.

Next day, I found I was unable to boot up even into Safe Mode, it just kept bringing me back to ordinary XP login and then informing me I'd have to activate windows to log in. I called Toshiba and they were no help - best advice was to use my Windows recovery disc (which is in a nonspecific box in a friend's house in Wales, while I'm in Northern Ireland) and reformat everything, thereby losing everything on my hard drive (~75GB). Since most of it's recently backed up that wouldn't be entirely disastrous, just a bit logistically difficult, and it seemed I had no other options. But after I hung up I tried booting up in Safe Mode again and 'got in' on the third try!!!

I'm sure something can be done from here: my registry undoubtedly needs repair (and I don't have a purposely made back-up anywhere - yes, I'm kicking myself) but I don't know how or in what way; it's time for situation-specific advice so I don't mess up now, and I'm obviously hesitant to restart and boot up again before I achieve anything worthwhile in case I can't even get back into Safe Mode. Wireless is still a no-go, MBAM scan is still reading no infected objects (just doing a thorough scan now to check that), and I don't know for sure but I've tracked down the relevant cable and I may be able to get cabled net access going, provided that adapter hasn't been uninstalled.

So has anyone got any suggestions, or could advise me from here?? I have no idea if this would be Quietman7's area of expertise, so if I don't hear from him I'd just like to say thanks for getting me this far - I'm guessing I'm now virus free and this is just aftermath. I'm optimistic ;-D. So, any offers?!?!

Many thanks in advance to anyone who can help. And, in the words of Robttt, hope I'm using this site the way you all intended. Cheers and a big fat blessing on your house.

Optimistic, Norn Irn



#2 quietman7


Posted 27 August 2008 - 12:36 PM

Sounds like you are getting this "activation message" because MalwareBytes deleted the oembios.dat file which was a false positive as reported here.

If you can boot into safe mode, open MBAM, click on the quarantine tab and select to restore the oembios.dat file. If that does not work, report your issue to the MBAM developers.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 optimistic77


Posted 27 August 2008 - 04:44 PM

Quietman7, thanks for your reply. I went looking for the oembios.dat file in MBAM quarantine, but it's not there. However, I think it was made available for download by lordpake in that discussion you referred me to. Can I download it from there, transfer with a pen drive and place it where it needs to go on my computer, or does each computer have an individual version of that file? If not and I can use the one posted, can you tell me where I should place it, and whether that will solve the problem with my wireless adapter(s?) and, it now transpires, my sound devices? Apparently there are now none installed on my computer.

Grateful for any further advice you can give me; I've just started an account at Malwarebytes.org so that I can report to the developers, and I'm just waiting for the confirmation email to come through.

One last question actually - should I consider using system restore? There's only one restore point available (I haven't a clue whether that's because I'm in safe mode or because the worm? wiped out all the previous ones) and it was made on the day of infection, around the time when I was first using Malwarebytes...

Many thanks

Optimistic77

#4 jwh Bob


Posted 27 August 2008 - 07:27 PM

If the problem is the oembios.dat you may want to have a look into this
http://www.bleepingcomputer.com/forums/t/165285/error-code-0x80070002/

rgds

bob

#5 quietman7


Posted 28 August 2008 - 09:14 AM

The oembios.dat file goes in this folder: C:\WINDOWS\system32\
A copy of the file can also be found in the C:\I386 folder if you have that available on your drive.

You can always try SR but you may restore the malware too and have to contend with removing it again.

As for your wireless adapter and sound devices you may have to reinstall the drivers.

#6 optimistic77


Posted 28 August 2008 - 09:49 AM

Blimey, the problem's completely solved!

The link jwh Bob posted took me to the thread that saved my bacon - articles referenced there were worth looking at for info about the interchangeability of oembios.dat files, but specifically post #6 from miekiemoes:

********************************************************************************
Can you look if there's an oembios.dat file in the C:\Windows\system32\dllcache folder? There should be though...
The dllcache is a hidden system folder, so make sure hidden files and folders are shown:
To do this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

If there's indeed an oembios.dat file there, then you can copy it to the system32 folder
********************************************************************************

I found the .dat file in the dllcache folder, replaced it, rebooted and EVERYTHING is back in working order.
God bless us, every one!!

Thanks Bob for the spot-on rescue, and quietman7 for taking me in the right direction. Take care ;-D

(newly) optimistic

Edited by optimistic77, 28 August 2008 - 09:50 AM.
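
The restore step described in the posts above (copying oembios.dat back into system32 from dllcache, or from C:\I386), written out as an added batch example that is not part of the original thread. The script layout and messages are illustrative, and it assumes the I386 copy is stored uncompressed under the name given in the post.

```batch
@echo off
rem Added example, not from the thread: put a missing oembios.dat back into
rem system32 from the two locations named in the posts above.
setlocal
set "TARGET=%SystemRoot%\system32\oembios.dat"
set "CACHE=%SystemRoot%\system32\dllcache\oembios.dat"
rem Assumption: the I386 copy is uncompressed and named oembios.dat.
set "I386=%SystemDrive%\I386\oembios.dat"

rem Never overwrite a file that is already in place.
if exist "%TARGET%" (
    echo oembios.dat is already present in system32. Nothing copied.
    goto :eof
)

rem dllcache is a hidden system folder, but a full path still resolves
rem from the command line without changing Folder Options.
set "SOURCE="
if exist "%CACHE%" set "SOURCE=%CACHE%"
if not defined SOURCE if exist "%I386%" set "SOURCE=%I386%"

if not defined SOURCE (
    echo No oembios.dat found in dllcache or I386.
    exit /b 1
)

copy /b "%SOURCE%" "%TARGET%" >nul
if errorlevel 1 (
    echo Copy failed. Check that the account has administrator rights.
    exit /b 1
)

rem Byte-for-byte comparison confirms the restored file matches its source.
fc /b "%SOURCE%" "%TARGET%" >nul
if errorlevel 1 (
    echo Restored file does not match the source copy.
    exit /b 1
)

echo Restored oembios.dat from "%SOURCE%". Reboot to test.
endlocal
```

Preferring the on-disk dllcache copy keeps the file specific to the installed OEM build, which is the concern raised earlier in the thread about whether the file is interchangeable between machines.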


#7 quietman7


Posted 28 August 2008 - 10:09 AM

Mieke is one of the best. :thumbsup:

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.




