
Malwarebytes affects Windows licensing process



Hello to the Malwarebytes team,

I have come across a serious problem after running the Malwarebytes application.

It detected the following trojans in separate sequences.

1) Exploit.Drop.GS and Trojan.Ransom.SuGen

I simply executed the cleaning MalwareBytes suggested. It then rebooted.

Here is the log.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 913010306

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18943

2013-01-03 16:11:28

mbam-log-2013-01-03 (16-11-28).txt

Scan type: Quick scan

Objects scanned: 240398

Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Luc Duranleau\AppData\Local\Temp\wlsidten.dll (Exploit.Drop.GS) -> Quarantined and deleted successfully.

C:\Users\Luc Duranleau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen) -> Quarantined and deleted successfully.

2) Running Malwarebytes again, it found RootKit.0Access

Again, I simply executed the cleaning MalwareBytes suggested. It then rebooted.

Here is the log.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 913010306

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18943

2013-01-03 16:32:15

mbam-log-2013-01-03 (16-32-15).txt

Scan type: Quick scan

Objects scanned: 242891

Time elapsed: 12 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\assembly\GAC\Desktop.ini (Rootkit.0access) -> Delete on reboot.

Problem

At this time, the Windows licensing process has been corrupted and the OS continuously asks me to authenticate my OS with my product key.

All attempts to activate fail. Even Microsoft support failed to reactivate my OS.

Is there something Malwarebytes did that can be recovered so that my licensing process functions properly?

Thanks for your support,

Luc


  • Staff

Well, for one thing you are running an extremely old version of Malwarebytes. You have version 1.46 and the current version is 1.70.

If you have rootkit 0access, which I am pretty sure you do, because:

C:\Users\Luc Duranleau\AppData\Local\Temp\wlsidten.dll (Exploit.Drop.GS) -> Quarantined and deleted successfully.

is an exploit that can pull it down.

Then you would have all sorts of problems with windows.

Please visit this forum and they will help you clean the computer.

http://forums.malwar...php?showforum=7

If you are a paying customer then you can contact support here:

http://www.malwareby...pport/consumer/

And they will help you with the cleaning.

Nothing in your logs would have affected Windows licensing.


Hello,

Thanks for your reply.

I have since cleaned the computer and no longer have the trojans. Used TDSKiller, RogueKiller, ESET and Malwarebytes. Computer is clean.

I have looked at the application event logs, and warnings and errors for winlogon occur at around the same time Malwarebytes was executed and the logs were generated. My guess is that Malwarebytes cleaned an infection but in so doing provoked, or indirectly provoked, a modification, as indicated in this event error.


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />

<EventID Qualifiers="16384">12291</EventID>

<Version>0</Version>

<Level>2</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2013-01-03T21:12:43.000Z" />

<EventRecordID>33597</EventRecordID>

<Correlation />

<Execution ProcessID="0" ThreadID="0" />

<Channel>Application</Channel>

<Computer>LEONIDAS</Computer>

<Security />

</System>

<EventData>

<Data>hr=0xC004D301</Data>

</EventData>

</Event>

Hope this helps.

Luc

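The post above rests on a timeline argument: a Software Licensing Service error was logged at about the moment the scan ran. The script below is an added example, not code from the thread or from Malwarebytes, showing how a responder would check such a claim rather than eyeball it: it parses a constructed copy of the first mbam log header and of the SLC event XML quoted above, decodes the HRESULT, and computes the gap between scan start and event time. The mbam log carries naive local time while the event's SystemTime is UTC, so the machine's UTC offset is an input; the -5 hours used in the usage call is an assumption, not something the thread states.

```python
"""Correlate a Malwarebytes scan-log header with a Windows SLC event record.

Added example, not from the forum thread or from Malwarebytes. The two
artefacts below are constructed copies of the log and event quoted in the
thread, embedded so the script runs offline.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed copy of the relevant lines of the first mbam log in the thread.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 913010306
Windows 6.0.6002 Service Pack 2 (Safe Mode)
2013-01-03 16:11:28
mbam-log-2013-01-03 (16-11-28).txt
Scan type: Quick scan
Time elapsed: 8 minute(s), 3 second(s)
Files Infected: 2
Files Infected:
C:\Users\Luc Duranleau\AppData\Local\Temp\wlsidten.dll (Exploit.Drop.GS) -> Quarantined and deleted successfully.
C:\Users\Luc Duranleau\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen) -> Quarantined and deleted successfully.
"""

# Constructed copy of the SLC event XML posted in the thread (trimmed).
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Licensing-SLC" Guid="{1FD7C1D2-D037-4620-8D29-B2C7E5FCC13A}" EventSourceName="Software Licensing Service" />
    <EventID Qualifiers="16384">12291</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2013-01-03T21:12:43.000Z" />
    <EventRecordID>33597</EventRecordID>
    <Channel>Application</Channel>
    <Computer>LEONIDAS</Computer>
  </System>
  <EventData>
    <Data>hr=0xC004D301</Data>
  </EventData>
</Event>
"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DETECTION_RE = re.compile(r"(.+?) \((.+?)\) -> (.+)")


def parse_mbam_log(text):
    """Return (scan start as naive local datetime, [(path, detection, action), ...])."""
    started, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if started is None and re.fullmatch(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", line):
            started = datetime.strptime(line, "%Y-%m-%d %H:%M:%S")
            continue
        m = DETECTION_RE.fullmatch(line)
        if m:
            detections.append(m.groups())
    return started, detections


def parse_slc_event(xml_text):
    """Extract the fields a responder cares about from one Event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # SystemTime in Event XML is UTC (trailing Z); make the datetime aware.
    created = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    data = root.find("e:EventData/e:Data", NS).text or ""
    hr = re.match(r"hr=(0x[0-9A-Fa-f]+)", data)
    return {
        "source": provider.get("EventSourceName"),
        "event_id": int(system.find("e:EventID", NS).text),
        "level": int(system.find("e:Level", NS).text),
        "created_utc": created,
        "hresult": int(hr.group(1), 16) if hr else None,
    }


def decode_hresult(hr):
    """Split an HRESULT into its severity bit, 11-bit facility and 16-bit code."""
    return {"failed": bool((hr >> 31) & 1), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}


def seconds_between(scan_started_local, event_utc, utc_offset_hours):
    """Signed seconds from scan start to the event; positive means the event came later.
    utc_offset_hours is the scanned machine's offset and must be supplied (assumed here)."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    return (event_utc - scan_started_local.replace(tzinfo=local_tz)).total_seconds()


def correlate(log_text, xml_text, utc_offset_hours):
    """Tie the two artefacts together into one summary dict."""
    started, detections = parse_mbam_log(log_text)
    event = parse_slc_event(xml_text)
    return {
        "detections": [d[1] for d in detections],
        "event_id": event["event_id"],
        "hresult": decode_hresult(event["hresult"]),
        "gap_seconds": seconds_between(started, event["created_utc"], utc_offset_hours),
    }


if __name__ == "__main__":
    # -5 is an assumed offset (Eastern Standard Time); change it to match the host.
    print(correlate(MBAM_LOG, EVENT_XML, utc_offset_hours=-5))
```

With the assumed offset the SLC error lands 75 seconds after the first scan started, which confirms the two are adjacent in time but says nothing about which one caused the other; that is exactly why the staff replies look at what the infection does to system services rather than at the timestamp alone.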

It is possible that the Software Licensing Service was damaged or removed by the 0Access infection. It is common for that particular infection to break or remove system services when it is removed.

If you follow the instructions above as provided by shadowwar, you will be provided with guided expert assistance in verifying that no infections or traces of infection remain in addition to correcting the problem with the Software Licensing Service and any other system services and system components which may have been damaged by the 0Access infection.
