Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


WGA notification started after ComboFix ran

  • Please log in to reply
1 reply to this topic

#1 DrummerDean


  • Members
  • 3 posts
  • Local time:08:24 PM

Posted 05 July 2010 - 10:02 PM

An interesting problem has arisen after a recent virus cleaning. The system is a Dell Dimension 2350. The original OS install was XP Home, according to the product key sticker. Last November, someone wiped the drive and installed XP Pro. Microsoft updates have been successfully installed up to 6/11/10, including a WGA update last December.
MBAM was run first on the system and found some fake AV stuff along with two .exe files labeled rootkits. Seeing that, I decided to run Combofix thinking there may be other rootkit activity that MBAM might have missed. Combofix brought up the notification to install the Recovery Console. I told it to go ahead. Shortly, a box came up "asking" if the installed OS was XP HOME. System properties shows that XP Pro is installed. Seeing this, I clicked "No." Combofix ran it's routine, deleted many entries belonging to Alot toolbar, one random number named .tmp file and an ares.exe file. It rebooted the system and proceeded to create the log file. As the program was finishing up, suddenly the WGA notification popped up above the Taskbar notification area alerting that this version of Windows may be counterfeit.
I noted in the log that wgatray.exe was listed as running but don't know at what point it was determined to be running. I didn't notice anything related to that in the notification area prior to running CF.
Is it possible that CF "awakened" a sleeping counterfeit install? Is it possible that Combofix installed (or I told it to install) the wrong version of the Recovery Console and would that cause a problem with WGA? It seems that if that were the case, the response wouldn't have been instantaneous or would it? I know there's a good chance that whoever installed the XP Pro could have used "any ol'" disk and maybe "tweaked" it a bit but I don't want to insinuate anything until I'm sure that I didn't cause this.
I don't have the CF log available at this moment but could post it tomorrow - 7/6/10 if need be.
This is a close approximation of the last entry in the log, which I thought interesting.

default= usual stuff
[Operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS=Microsoft Windows XP Professional/noexecute=optin /fastdetect


BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,112 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:24 PM

Posted 06 July 2010 - 06:17 PM


Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Since you have run ComboFix, please include the ComboFix log in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users