I’ve got a bad ramnit infection on my other computer and when I ran combofix it successfully tackled a winlogon infection, but on reboot I had to activate my copy of windows. I clicked yes to do this and I got to a screen which said my copy was unauthorised and I had to enter my product key.
Seeing as I bought the computer with XP pre-installed and not had serious virus trouble before I’ve never had cause to write it down from My Computer > Properties; that’s assuming it’s legit. I’d post logs for you about the ramnit and all but I can’t get to my start page now. Is there any way around this? Help much appreciated.
The first thing it says to do is ‘Start Microsoft Internet Explorer, and then visit the following…’
I can’t get to my start page. If I could I would go into My Computer > Properties and see what the product key is. (It’s not stickered on my p.c anywhere) I can’t even do a system restore to before I loaded combofix. Is there any way I can bypass that WGA screen and get to my start page?
Thanks
In safe mode I’ve got a combofix page which says don’t run any programs til it’s finished. I’ve also got the usual ‘windows is running in safe mode…to proceed in safe mode click yes, to do a system restore click no.’
Ok scratch that last post. Essexboy you’re a genius. I can get the start page up in safe mode. I was offered an agreement with sysinternals who/whatever that is. Ok here’s the combo log…
Thanks essexboy. I wanted to talk about the ramnit infection I had but I guess my current problem is still the product key issue. When I got into My computer > properties > general tab I thought the product key was to be found there under your registered name but the number there is not 25 digits so I wondered if there is any way to bypass the windows product activation page that keeps coming up in anything other than safe mode? If a system restore could do it then how could I use combofix to root out the ramnit problem without the whole WGA issue starting up again?
Cheers
When you are in safe mode does safe mode with networking work - as the only way to restore this is to visit the MS pages or ring MS on a freephone number.
Both of those methods require that you enter a legit product key and I don’t think I’ve got one. The 20 digit number under my registered name can’t be right and there are no stickers anywhere on the machine. I fear I’m probably just gonna have to buy a new disc and do a fresh install.
I am curious as to what you think of the combo log. When I re-install I want to leave my 60gb D drive and just install over my 20gb C drive. I never had any ramnits or other serious threats on my D drive (though I am removing what few exe’s and dll’s I have on it as a precaution).
When I was trying to disinfect the ramnit virus, AVG couldn’t get rid of the desktoplayer and iexplore exe’s. MBAM caught them and declared them successfully quarantined and deleted but on restart, as you can see from the attached log, it reads no action was taken. I wanted further opinion so I tried avast, avira and kaspersky (uninstalling AV’s where necessary). Avast properly dealt with 3 further ramnits that were still on my machine, Avira found a HTML Rce.gen and Kaspersky found a Heur browser hijacker in my google chrome so this is why I’d like to see if you think combofix would have dealt with anything else lurking beneath.
Combofix is updated almost every day, the author sUBs is given all the undetected malware files that are found by near enough every malware removal forum. CF will miss elements but again they are passed on to him. In effect there are several thousand people working on providing him with data - which is a bigger base than most AV’s have or can afford.
I’ve actually just bit the bullet on this one and bought a genuine disc with which to reformat and it looks good so far but I wanted to thank you for your help anyways (you guys are saints!)
I’m still curious though about the ‘no action taken’ message from MBAM after restart from an apparently successful ramnit threat quarantine + deletion. Is this normal? I’ve always rated MBAM but that message made me uncertain as to whether the threats had actually been dealt with?
It will show No Action Taken in the log if you haven’t at that time clicked the Remove Selected button, the log should then show Quarantined and Deleted, etc.
:-* THERE IS NOT ANY PROBLEM WITH COMBOFIX !!!
But, be aware of following: Do not run it if is not really necessary !!!
Only as very powerful last measure !!!
It can and probably will remove Windows activation, after reboot, what is obligatory, you can find that is Windows is unregistered !!! You should to register it again !!!
And it will do his job, remove all Trojans, like Keyloggers and all suspicious !!!
(Paradox is so that Windows registration info is Trojan as well, genuine or not ! (It is trojan because it sends all time info about Windows to Microsoft (Automated Spy center, known also as "Help Experience Improvement Program"! !!! )))
Respectfully yours
Prof.Dr. Aleksandar Blagojević Ph.EMD.,Dip.ING
IT PRO, Government - Defence Security Admin. Supervisor, (ICC, ISJ, Courts) Supreme Judge
First you opened the old thread with no reason. Second, here is official ComboFix’s guide, located on BleepingComputer forum: http://www.bleepingcomputer.com/combofix/
“It can and probably will remove Windows activation, after reboot, what is obligatory, you can find that is Windows is unregistered !!! You should to register it again !!!”
Please provide evidence for this assertion. I shall need a ComboFix log, located at system drive (usual C:\ ). Otherwise, what you're saying is simply not true.
ComboFix shall not target the legit M$ related files nor windows activation technology. If FP occurs, trained helper shall spot that and perform the CFScript to restore false detection back on board.