TechSpot

[Closed] Windows activation key

By a4007035
May 28, 2011
  1. Dear Sir/Madam,

    I was doing the 7 step guide for the pc at my parents' home.

    I downloaded Mbam and ran a quick scan. It came up with several infections so I selected everything and clicked 'remove selected'. Then when I went to restart my pc, on the restart it was asking for a Windows activation key. This copy of Windows XP was a pre-released test version so I don't have the key. I restarted the pc in safe mode and went on to Mbam. I restored all the infected files and restarted the pc and it was working fine. I tried logging on today and now it's asking for this Windows activation key. I went on Mbam (in safe mode) but there is nothing to restore now. I ran a quick and full scan and there was one file infected. Removing this does not solve the problem.

    I wish I hadn't run Mbam in the first place as the pc was at least working without it. Now I don't know what to do. I can't even start the pc in safe mode with networking without it asking for this key.

    Btw system restore was turned off.

    Can anyone help?

    Gavin
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Pre-release for Windows XP was a lot of years ago. Somewhere along the line, the full, final version would have had to replace this version.

    You won't be able to get an activation key for this version. I suggest you purchase a full version if still available.

    It's not likely Mbam removed anything that would cause a legitimate OS to revert back like this.

    Did you save the Mbam log? If you did, paste it in your next reply.
     
  3. a4007035

    a4007035 TS Member Topic Starter Posts: 84

    Combofix

    Is there no way that this can be rectified with a combo fix? I can see from the Mbam logs that the registry has been modified and that files have been deleted from the registry.

    The pc was working fine for years. And I thought I would just try and clear it up a bit as my parents don't know much about malware. And now I've got this problem.

    Gavin
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Gavin, why did you try to run the steps in the preliminary removal thread in the first place?

    You must have been having problems already or you wouldn't have run them. What were those problems?

    And how is it that about 9 years after Windows XP came out in full release that there are no Restore Points?

    Repeating: if you have the Mbam log, let me see it. And NO, Combofix isn't going to fix an activation problem that you think was caused by some removal by Malwarebytes. Mbam legitimately removes Registry entries if they are infected. I have no idea of the amount or type of infection the program found.

    You can recover the Mbam log. It will be named like this (you should look for the first one you ran):

    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    If I can see this, I may have some idea of what was found and removed.
     
  5. a4007035

    a4007035 TS Member Topic Starter Posts: 84

    The PC was running slowly and I felt it could be sped up by clearing a few things using the TFC and suspected it may be due to malware.

    I think that system restore was just turned off all the time to free up memory.

    I will post logs of the 2 Mbam scans I did.
     
  6. a4007035

    a4007035 TS Member Topic Starter Posts: 84

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6694

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    27/05/2011 21:16:46
    mbam-log-2011-05-27 (21-16-46).txt

    Scan type: Quick scan
    Objects scanned: 136276
    Time elapsed: 4 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa (PUP.Wpakill) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.
     
  7. a4007035

    a4007035 TS Member Topic Starter Posts: 84

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6694

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    28/05/2011 13:14:06
    mbam-log-2011-05-28 (13-14-06).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 174175
    Time elapsed: 12 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Quarantined and deleted successfully.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The infected files were found with WPA Kill. This kills the Activation and makes Windows genuine.
    It's a hacktool: HackTool:Win32/Wpakill and HackTool:Win32/Wpakill.dll are a series of tools that attempt to disable or bypass WPA (Windows Product Activation) by altering Windows OS files.

    Commonly distributed files are WPA_Kill.exe and antiwpa.dll, and they are often packaged in a self-extracting RAR archive file (aka RarSfx). It is recommended that you do not run any of these files, as they might contain additional malicious or potentially unwanted files.

    So yes, Mbam did cause the activation 'problem.' It removed the tool that was used to steal the operating system. You didn't have restore points set. It cannot be restored.

    This thread is closed.
     
Topic Status:
Not open for further replies.
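
An added example, not part of the original thread: a small Python parser for the detection sections of a Malwarebytes 1.x log like the two posted above. It groups targets by detection name and lists items whose removal was deferred to reboot. The function names are hypothetical and the sample is constructed from the first log in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: detection sections copied from the first log in this thread.
SAMPLE_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa (PUP.Wpakill) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\antiwpa.dll (PUP.Wpakill) -> Delete on reboot.
"""

# Section headers end at the colon; summary lines ("... Infected: 1") do not match.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ITEM = re.compile(r"^(?P<target>.+?) \((?P<sig>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$")

def parse_detections(text):
    """Return one dict per detected item: section, target, signature, action."""
    section, found = None, []
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM.match(line)
        if m and section:
            # The action is the last "->" field; "Bad:/Good:" data may precede it.
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            found.append({"section": section, "target": m.group("target"),
                          "signature": m.group("sig"), "action": action})
    return found

def triage(detections):
    """Group targets by signature and list items whose removal is still pending."""
    by_sig = defaultdict(set)
    for d in detections:
        by_sig[d["signature"]].add(d["target"].lower())
    pending = sorted({d["target"] for d in detections if "reboot" in d["action"].lower()})
    return dict(by_sig), pending

if __name__ == "__main__":
    groups, pending = triage(parse_detections(SAMPLE_LOG))
    print(groups, pending)
```

On the sample, the PUP.Wpakill group pairs antiwpa.dll with its Winlogon\Notify registry key, the Windows XP mechanism for loading a DLL into winlogon.exe, so the removed items sat directly in the logon path.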
