Posted 05 July 2010 - 10:02 PM
An interesting problem has arisen after a recent virus cleaning. The system is a Dell Dimension 2350. The original OS install was XP Home, according to the product key sticker. Last November, someone wiped the drive and installed XP Pro. Microsoft updates have been successfully installed up to 6/11/10, including a WGA update last December.
MBAM was run first on the system and found some fake AV stuff along with two .exe files labeled rootkits. Seeing that, I decided to run Combofix thinking there may be other rootkit activity that MBAM might have missed. Combofix brought up the notification to install the Recovery Console. I told it to go ahead. Shortly, a box came up "asking" if the installed OS was XP HOME. System properties shows that XP Pro is installed. Seeing this, I clicked "No." Combofix ran its routine, deleted many entries belonging to Alot toolbar, one random-number-named .tmp file and an ares.exe file. It rebooted the system and proceeded to create the log file. As the program was finishing up, suddenly the WGA notification popped up above the Taskbar notification area alerting that this version of Windows may be counterfeit.
I noted in the log that wgatray.exe was listed as running but don't know at what point it was determined to be running. I didn't notice anything related to that in the notification area prior to running CF.
Is it possible that CF "awakened" a sleeping counterfeit install? Is it possible that Combofix installed (or I told it to install) the wrong version of the Recovery Console and would that cause a problem with WGA? It seems that if that were the case, the response wouldn't have been instantaneous or would it? I know there's a good chance that whoever installed the XP Pro could have used "any ol'" disk and maybe "tweaked" it a bit but I don't want to insinuate anything until I'm sure that I didn't cause this.
I don't have the CF log available at this moment but could post it tomorrow - 7/6/10 if need be.
This is a close approximation of the last entry in the log, which I thought interesting.
default= usual stuff
multi(0)disk(0)rdisk(0)partition(1)WINDOWS=Microsoft Windows XP Professional/noexecute=optin /fastdetect