Another case of System Check malware

MGA Results

Bobbye,

It seems like everything is fine, but ComboFix ran in reduced functionality mode. That only happened after ComboFix asked me to update it to a newer version.

I did not get a RESOLVE option when running MGA.


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {BCFBE0DD-A489-4614-9D97-B355ABC201FE}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.111025-1505
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Project Standard 2007 - 100 Genuine
Microsoft Office Visio Standard 2007 - 100 Genuine
2007 Microsoft Office system - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_70AFE6BE-656-80070057_E2AD56EA-815-80070057

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{BCFBE0DD-A489-4614-9D97-B355ABC201FE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-3248735208-1846752271-3406580854</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude E5400 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A14</Version><SMBIOSVersion major="2" minor="4"/><Date>20090927000000.000000+000</Date></BIOS><HWID>4A423907018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>M09 </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-003A-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Project Standard 2007</Name><Ver>12</Ver><Val>AD79E08D327B586</Val><Hash>TmRGgM1zpAJALyd9ca1G9mqfztQ=</Hash><Pid>89402-707-9054253-63015</Pid><PidType>14</PidType></Product><Product GUID="{90120000-0053-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Standard 2007</Name><Ver>12</Ver><Val>AD79E08D327B586</Val><Hash>TmRGgM1zpAJALyd9ca1G9mqfztQ=</Hash><Pid>89406-707-9054253-63540</Pid><PidType>14</PidType></Product><Product GUID="{91120000-0031-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>2007 Microsoft Office system</Name><Ver>12</Ver><Val>71D10E2BF933DB0</Val><Hash>B9URD1hiEMmjgSYnbet26DZMIj4=</Hash><Pid>89451-OEM-6672867-84009</Pid><PidType>4</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="3A" Version="12" Result="100"/><App Id="53" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7600.0000-3292009
Installation ID: 015930606480651762980015012256915050612576053524054872
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 2/8/2012 5:32:17 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000003EFFF
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
Tampered File: %systemroot%\system32\wat\watweb.dll
Tampered File: %systemroot%\system32\wat\npwatweb.dll
Tampered File: %systemroot%\system32\wat\watux.exe
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys
Tampered File: %systemroot%\system32\drivers\spldr.sys


HWID Data-->
HWID Hash Current: MAAAAAEAAgABAAIAAAABAAAAAgABAAEA6GFsP8wTgMlaC3zjnDf2BRJ9zAw6mCqF

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name  OEMID Value  OEMTableID Value
APIC             DELL         M09
FACP             DELL         M09
HPET             DELL         M09
MCFG             DELL         M09
____             DELL         M09
ASF!             DELL         M09
TCPA
SLIC             DELL         M09
SSDT             PmRef        CpuPm
 
MGA Questions

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows? Win 7 Pro

2. Does it read "OEM Software" or "OEM Product" in black lettering? yes, and it does have an OEM product number and it is a fully validated Win 7

3. Or, does it have the computer manufacturer's name in black lettering? DELL with service tag key on bottom of laptop

4. DO NOT post the Product Key. - ok
 
There is some confusion here:

"Remaining Windows rearm count: 4" A Rearm is the ability for a user to extend the Activation grace period, and all versions of Vista and Windows 7 get three (3) rearms, not 4.

The "tampered files" definitely indicate a problem. One of the tampered files:
Tampered File: %systemroot%\system32\wat\watadminsvc.exe is the Windows Activation Technologies Service.

Clearly you can see that the tampered files have been 'tweaked'. For instance:
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui

The process above is for the Software Protection Platform Client Extension DLL. But the process has been 'tampered' or 'tweaked' to make it '.mui', which is Multilingual User Interface. So when Microsoft checks the system, it's not recognizing the OS that matches the particular numbers given to the system to identify it.

And you're not going to get a Resolve until or unless the Activation number is used and the files are put back to their original state.

Another one of the files:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
slui.exe is for the Windows Activation Client; it's changed to slui.exe.mui.

The system can't actually find the correct file to run the Activation.

I'm giving you a very non-technical description. I would like to warn you, however, if you want to search this matter out for yourself, be sure you have a good site advisor. I use WOT (Web of Trust), which rates sites as red, yellow and green, and that means just what the traffic lights do. You are safe with the sites given the green rating. When you start searching for things that are wrong, there are endless sites offering to 'fix' it for you or give you the download you need. (NOT!) They will all be rated in red, and most of the sites in this kind of search are red.

You may want to arm yourself with the Web of Trust (WOT) add-on.
=============================================
You might be able to replace the files using the SFC:

System File Checker
  • Click on the Start button
  • Type CMD.EXE in the Search box
  • Right-click on the only file that is found, then select Run as Administrator
  • The Elevated Command Prompt window should pop up
  • At the Command prompt type SFC /SCANNOW (note space)
  • Then Enter.
  • Wait for the scan to finish - make a note of any error messages -
  • Reboot when finished.

Have your Win 7 OS CD handy.

Run another MGADiag report, and post the results.
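The following PowerShell script is an added example for this thread; it is not code from either post, from MGADiag or from Microsoft. It takes the WAT "Tampered File:" lines from the report above, checks the Authenticode signature of each listed file on disk, cross-checks the licensing section with slmgr, and then pulls the [SR] result lines out of CBS.log after an `sfc /scannow` run. It assumes that the items after a "|" in a report line are companion items of the same binary (the .mui resource file, the COM registration), that the .mui files sit in the en-US subfolder next to their binary, and that CBS.log is in its default location; the sample lines are copied from the report above. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original posts or from MGADiag): verify the files that
# WAT reported as tampered, cross-check the license state, and read the SFC results.
# Assumptions: the "|" items are companion files of the same binary, .mui files live
# in the en-US subfolder, CBS.log is at its default path. Run elevated.

# Constructed sample input: four "Tampered File" lines copied from the report above.
$tamperedLines = @'
Tampered File: %systemroot%\system32\wat\watadminsvc.exe
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\drivers\spsys.sys
'@ -split "`r?`n"

function Expand-TamperedEntry {
    param([string]$Line)
    # Drop the "Tampered File:" prefix and expand %systemroot% into a real path.
    $spec  = [Environment]::ExpandEnvironmentVariables(($Line -replace '^Tampered File:\s*', ''))
    $parts = $spec -split '\|'
    $main  = $parts[0]
    $paths = @($main)
    foreach ($extra in ($parts | Select-Object -Skip 1)) {
        if ($extra -like '*.mui') {
            # Assumption: the MUI resource file is in the en-US folder beside the binary.
            $paths += Join-Path (Join-Path (Split-Path $main -Parent) 'en-US') $extra
        }
        # "COM Registration" refers to registry state, not a file; nothing to check on disk.
    }
    return $paths
}

function Test-TamperedFiles {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        foreach ($path in Expand-TamperedEntry -Line $line) {
            if (-not (Test-Path -LiteralPath $path)) {
                # A file WAT expects but cannot find is itself a finding.
                [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null }
                continue
            }
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path   = $path
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer = $signer
            }
        }
    }
}

# 1. Signature state of every file WAT flagged.
Test-TamperedFiles -Lines $tamperedLines | Format-Table -AutoSize

# 2. Cross-check the "Licensing Data" section of the report (license status, rearm count).
cscript //nologo "$env:windir\System32\slmgr.vbs" /dlv

# 3. After "sfc /scannow" finishes, the per-file outcome is logged on the [SR] lines of
#    CBS.log; the most recent ones show what SFC repaired or could not repair.
Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern '\[SR\]' |
    Select-Object -Last 40 |
    ForEach-Object { $_.Line }
```

Anything in the first table that is not "Valid" with a Microsoft signer, or that is "Missing", is the kind of file SFC is meant to restore from the component store; if SFC cannot repair it, the [SR] lines name the exact file. One caveat: Windows system files are catalog-signed rather than carrying an embedded signature, and older PowerShell versions (such as the 2.0 that shipped with Windows 7) do not consult the security catalogs, so they can report an untouched OS file as NotSigned; on such a system, compare against the Sysinternals sigcheck tool, which does check catalogs, before treating NotSigned as proof of tampering.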
 