Boot Probs, (re)activation Demands Preventing Login And Lost Wireless Network Adapters After Fixing Worm.win32netbooster With MBAM On Xp ... Help?, He


Hello, I hope I'm posting this in the right place. Can anyone help?

I'm running XP with SP2 on a Toshiba Satellite Pro A100 laptop, equipped for both wired and wireless net access (the latter managed by Intel PROSet) and ended up with this worm - unsurprising since I use P2P software quite a lot. About 10mins after it exploded onto my desktop - without a peep of warning from my AVG freeware I might add - I disconnected my 2 external drives, tried to sever the (wireless) net connection using IntelPROSet and, when that didn't seem to respond, I turned off the wireless adaptor using my machine's hardware switch.

I then went and fired up the house computer to look for help on the web and quickly found http://www.bleepingcomputer.com/forums/topic161001.html, which helped me identify what had happened to my computer. I turned my laptop back on, reconnected to the web, downloaded Malwarebytes' Anti-Malware and continued exactly as Quietman7's post instructed. As I removed all the selected objects I received the same "Malwarebytes' Anti-Malware will now enable Regedit" pop-up Robttt had received and, like him, clicked "OK". (I didn't delete anything in Quarantine.) I then rebooted my computer (although unlike Robttt I don't think I purposely disconnected from the internet first) and found my pc clock had returned, the fake desktop icons were gone and I had access to my control panel again - i.e. all the infection-related changes I had previously noticed were back to normal. I rescanned with MBAM, which found one new object, and I deleted that, then rebooted again.

Upon rebooting, there was my user account but instead of being able to click and login (which I never have to do anyway - I never created a separate administrator account) I got a pop-up telling me I wouldn't be able to log in unless I activated my copy of Windows (which of course was done a year and a half ago when the laptop was new). I went through the process but the activation software couldn't connect to the internet, so then I tried the (automated) phone option but that was stymied too (most of the sticker with the authentication code that was on the base of my laptop rubbed off about 6 months ago). The only remaining option was to phone Toshiba CustServ, so I put that aside til next business hours.

SO... next I restarted and got into safe mode, at which point an administration account appeared, and I couldn't log into that so I logged in, w/out password as usual, to my own user account. I ran the MBAM scan again - all clear - and then decided to try and finish following Quietman7's suggestions to Robttt and download ATF Cleaner and SUPERAntiSpyware Free, but found IE wasn't connecting to the web. When I opened Intel PROSet, it informed me that no wireless network adapters were installed. I looked for some more advice on the web, couldn't find much but tried, in Add/Remove programs, selecting the Repair option for Intel PROSet - that didn't work. I then discovered that there are no longer any sound devices installed either, or if there are they're not working properly. At that point I shut down and went to bed.

Next day, I found I was unable to boot up even into Safe Mode, it just kept bringing me back to ordinary XP login and then informing me I'd have to activate windows to log in. I called Toshiba and they were no help - best advice was to use my Windows recovery disc (which is in a nonspecific box in a friend's house in Wales, while I'm in Northern Ireland) and reformat everything, thereby losing everything on my hard drive (~75GB). Since most of it's recently backed up that wouldn't be entirely disastrous, just a bit logistically difficult, and it seemed I had no other options, but after I hung up I tried booting up in Safe Mode again and 'got in' on the third try!!!

I'm sure something can be done from here: my registry undoubtedly needs repair (and I don't have a purposely made back-up anywhere - yes, I'm kicking myself) but I don't know how or in what way; it's time for situation-specific advice so I don't mess up now, and I'm obviously hesitant to restart and boot up again before I achieve anything worthwhile in case I can't even get back into Safe Mode. Wireless is still a no-go, MBAM scan is still reading no infected objects (did a thorough scan to check that), and I don't know for sure but I've tracked down the relevant cable and I may be able to get cabled net access going, provided that adapter hasn't been uninstalled.

I posted all this on the bleepingcomputer.com forums, and Quietman7 replied to my post today, as follows:

********************************************************************************

Sounds like you are getting this "activation message" because MalwareBytes deleted the oembios.dat file which was a false positive as reported here [link to http://www.malwarebytes.org/forums/index.p...amp;#entry25841].

If you can boot into safe mode, open MBAM, click on the quarantine tab and select to restore the oembios.dat file. If that does not work, report your issue to the MBAM developers.

********************************************************************************

Well, the oembios.dat file wasn't there in quarantine, so here I am to report my issue to the developers. I hope this is at least the right place to do so!! Can anyone suggest anything at this stage??

Incidentally, I noticed that a .zip of the oembios.dat file was made available for download by lordpake in that topic Quietman7 referred me to. Can I download it from there, transfer with a pen drive and place it where it needs to go on my computer, or does each computer have an individual version of that file? If not and I can use the one posted, can you tell me where I should place it, and whether that will solve the problem with my wireless adapter(s?) and my sound devices? And I just asked Quietman7 about using system restore (although there's only one restore point available and it was made on the day of infection, around the time when I was first using Malwarebytes) but now system restore has apparently been suspended "because there is not enough disk space available on the system drive (C:)". It says I should ensure at least 200MBs of free disk space are available, but 4.33 GB are available on that drive. Huh??!?

Grateful for any help you can give me,

(not-quite-so) Optimistic


  • Root Admin

Well for now until I can research it more, or someone else posts further information. You should NOW create a NEW user account that has Admin rights while you're still in the system.

So do you have access to an XP CD ?

You could also try this tool from Microsoft if you have access to another computer with a CD/DVD burner.

Microsoft Diagnostics and Recovery Toolset

30 day evaluation of the Microsoft Diagnostics and Recovery Toolset. This product provides powerful, intuitive tools that help administrators recover PCs that have become unusable, and easily identify root causes of system issues.

But as you say, you may not want to shut down or reboot quite yet until a definitive answer is provided as to the possible root cause/repair.

.


Incidentally, I noticed that a .zip of the oembios.dat file was made available for download by lordpake in that topic Quietman7 referred me to. Can I download it from there, transfer with a pen drive and place it where it needs to go on my computer, or does each computer have an individual version of that file?

I for one have absolutely no idea. Though the file in my system has modification date in 2001, which would suggest this might be a file all systems have.


I for one have absolutely no idea. Though the file in my system has modification date in 2001, which would suggest this might be a file all systems have.

On my system the file modification date is 2006. So, it may not be a universal file.


Blimey, the problem's completely solved!

In my bleepingcomputer.com thread, Quietman7 answered:

********************************************************************************

The oembios.dat file goes in this folder: C:\WINDOWS\system32\

A copy of the file can also be found in the C:\I386 folder if you have that available on your drive.

********************************************************************************

and a random passerby (jwh Bob) added

********************************************************************************

If the problem is the oembios.dat you may want to have a look into this:

http://www.bleepingcomputer.com/forums/topic165285.html

********************************************************************************

That link took me to the thread that saved my bacon - articles referenced there were worth looking at for info about the interchangeability of oembios.dat files, but specifically post #6 from miekiemoes:

********************************************************************************

Can you look if there's an oembios.dat file in the C:\Windows\system32\dllcache folder? There should be though...

The dllcache is a hidden system folder, so make sure hidden files and folders are shown:

To do this:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

If there's indeed a oembios.dat file there, then you can copy it to the system32 folder

********************************************************************************

I found the .dat file in the dllcache folder, replaced it, rebooted and EVERYTHING is back in working order.

God bless us, every one!!

Thanks everyone for your input. Take care ;-D

(newly) optimistic
