[Closed] Windows activation key

Status
Not open for further replies.

a4007035

Dear Sir/Madam,

I was doing the 7 step guide for the pc at my parents' home.

I downloaded Mbam and ran a quick scan. It came up with several infections so I selected everything and clicked 'remove selected'. Then when I went to restart my pc on the restart it was asking for a windows activation key. This copy of windows xp was a pre released test version so I don't have the key. I restarted the pc in safe mode and went on to Mbam. I restored all the infected files and restarted the pc and it was working fine. I tried logging on today and now it's asking for this windows activation key. I went on Mbam (in safe mode) but there is nothing to restore now. I ran a quick and full scan and there was one file infected. Removing this does not solve the problem.

I wish I hadn't run Mbam in the first place as the pc was at least working without it. Now I don't know what to do. I can't even start the pc in safe mode with networking without it asking for this key.

Btw system restore was turned off.

Can anyone help?

Gavin
 
windows xp was a pre released test version

Pre-release for Windows XP was a lot of years ago. Somewhere along the line, the full, final version would have had to replace this version.

You won't be able to get an activation key for this version. I suggest you purchase a full version if still available.

It's not likely Mbam removed anything that would cause a legitimate OS to revert back like this.

Did you save the Mbam log? If you did, paste it in your next reply.
 
Combofix

Is there no way that this can be rectified with a combo fix? I can see from the Mbam logs that the registry has been modified and that files have been deleted from the registry.

The pc was working fine for years. And I thought I would just try and clear it up a bit as my parents don't know much about malware. And now I've got this problem.

Gavin
 
Gavin, why did you try to run the steps in the preliminary removal thread in the first place?

You must have been having problems already or you wouldn't have run them. What were those problems?

And how is it that about 9 years after Windows XP came out in full release that there are no Restore Points?

Repeating: if you have the Mbam log, let me see it. And NO, Combofix isn't going to fix an activation problem that you think was caused by some removal by Malwarebytes. Mbam legitimately removes Registry entries if they are infected. I have no idea of the amount or type of infection the program found.

You can recover the Mbam log. It will be named like this. You should look for the first one you ran:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

If I can see this, I may have some idea of what was found and removed.
 
Gavin, why did you try to run the steps in the preliminary removal thread in the first place?
The PC was running slowly and I felt it could be sped up by clearing a few things using the TFC and suspected it may be due to malware.

And how is it that about 9 years after Windows XP came out in full release that there are no Restore Points?
I think that system restore was just turned off all the time to free up memory.

I will post logs of the 2 Mbam scans I did
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6694

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

27/05/2011 21:16:46
mbam-log-2011-05-27 (21-16-46).txt

Scan type: Quick scan
Objects scanned: 136276
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa (PUP.Wpakill) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.
 
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6694

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

28/05/2011 13:14:06
mbam-log-2011-05-28 (13-14-06).txt

Scan type: Full scan (C:\|)
Objects scanned: 174175
Time elapsed: 12 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Quarantined and deleted successfully.
 
The infected files were found with WPA Kill. This kills the Activation and makes windows genuine.
It's a hacktool: HackTool:Win32/Wpakill and HackTool:Win32/Wpakill.dll are a series of tools that attempt to disable or bypass WPA (Windows Product Activation) by altering Windows OS files.

Commonly distributed files are WPA_Kill.exe and antiwpa.dll, and they are often packaged in a self-extracting RAR archive file (aka RarSfx). It is recommended that you do not run any of these files, as they might contain additional malicious or potentially unwanted files.

So yes, Mbam did cause the activation 'problem.' It removed the tool that was used to steal the operating system. You didn't have restore points set. It cannot be restored.

This thread is closed.
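
The log review requested in this thread can be done mechanically. The following is an added example, not part of any post above: it parses the detection lines of a Malwarebytes' Anti-Malware 1.50 text log into records, groups them by detection name and lists items whose removal is still pending a reboot. The function names are hypothetical and the sample is built from the first log posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: detection sections copied from the first log in the thread.
SAMPLE_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa (PUP.Wpakill) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.
"""

# "Files Infected:" opens a section; the summary line "Files Infected: 1" does not match.
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# item (Detection.Name) -> [Bad/Good detail -> ] action.
DETECTION = re.compile(r"^(?P<item>.+) \((?P<name>[A-Za-z][\w.]+)\) -> (?P<rest>.+)$")

def parse_mbam_log(text):
    """Return one record per detection line, tagged with its log section."""
    records, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION.match(line)
        if m and section:
            # The last " -> " segment is the action; anything before it is detail.
            *detail, action = m.group("rest").split(" -> ")
            records.append({"section": section, "item": m.group("item"),
                            "detection": m.group("name"),
                            "detail": " -> ".join(detail),
                            "action": action.rstrip(".")})
    return records

def summarize(records):
    """Group items by detection name and list items still pending a reboot."""
    by_name = defaultdict(set)
    for r in records:
        by_name[r["detection"]].add(r["item"])
    pending = sorted({r["item"] for r in records if "reboot" in r["action"].lower()})
    return dict(by_name), pending
```

Run over the first log, this shows the DLL and its Winlogon\Notify key under one detection name, with the DLL itself not yet removed until the reboot.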
 