
Windows 7 not genuine after using Combofix.


18 replies to this topic

#1 Counter MF (Members)

Posted 17 February 2013 - 01:08 AM

My computer was infected with a redirect virus and I tried using MBAM, Spybot, rootkit killers, etc. (all updated).
None of them seemed to fix the problem, so I ran Combofix, and after Combofix was done it was saying my computer was not genuine.
 
Right now I'm using a different computer because the one that's saying "Windows not genuine" will not connect to the internet. Even when I redownload the network adapter it does not connect to the internet or even detect when I put the network adapter in.
 
Right now I'm using a different computer because the infected one will not connect to the internet.
 
I never had this problem on the computer until after using Combofix, and I just want to make it go back to the way it was before it started saying "Windows not genuine". So if I can do a recovery of the Combofix quarantine and get back the files it deleted, that would be good, to see if that fixes the problem.
 
If I can fix this some other way then I would be glad to follow anyone's instructions who is looking to help me.
I have the latest Combofix logs and quarantined files from the infected computer and will post them.
 
Attached files: Add-Remove Programs.txt (2.81KB), ComboFix2.txt (8.66KB)


Edited by Elise, 17 February 2013 - 02:17 AM.
Because a log is posted this topic has been moved from Windows 7 to the Malware Removal forum



#2 m0le (Malware Response Team, London, UK)

Posted 19 February 2013 - 09:14 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 Counter MF (Topic Starter)

Posted 20 February 2013 - 01:43 AM

Hi m0le, thanks for the reply.

I am currently on a different computer, other than the infected one, which has no access to the internet.

I was hoping I could have some help on this problem and have learned a big lesson on using Combofix UNSUPERVISED.

I am transferring logs over from the computer that says "Windows not genuine" to the computer that has internet access.

I don't think I have tried scanning it, other than trying to activate my Windows PC again using the CMD and scanning it that way.

I hope doing that hasn't already caused some kind of problem.

I have also left this computer turned off for a good while (never got around to posting this topic) lol.

Thanks again for replying and giving valuable time to help me. I will be waiting for the next reply.

 



#4 m0le (Malware Response Team, London, UK)

Posted 20 February 2013 - 08:02 PM

The first log shows you have been infected by a nasty rootkit. I'm not sure what we are able to do here because your post doesn't explain how far you can boot the machine before the message but we need to be able to boot the system around Windows or before Windows loads.

This tool will boot from the System Recovery area. If you can't get there then just post back.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool (scan your computer's memory for errors)
    Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.


#5 Counter MF (Topic Starter)

Posted 21 February 2013 - 12:20 AM

Here is the first log, FRST.txt.

Hopefully this will show what is going on with the computer and if it's fixable.

Attached files: FRST.txt (15.14KB)


#6 m0le (Malware Response Team, London, UK)

Posted 22 February 2013 - 06:05 AM

I need to be sure that Windows is genuine before we continue. I am not judging you either way, but I need to be sure that Windows is running a genuine copy.

Please let me know if you are able to run these programs too.

Please download Microsoft Genuine Advantage Diagnostic Tool and save it to your desktop.
  • Double click on MGADiag.exe to run it.
  • Click Run when you receive the Security Warning.
  • Click Continue.
  • The program will now run. The diagnosis may take several seconds, so please be patient.
  • Once it's complete, click on the Copy button near the bottom.
  • Open Notepad. To do this go to Start>>Run>>In the Open field type in: Notepad
  • Click Ok and Notepad shall appear.
  • Paste the contents in. To do this right-click and select Paste or press Ctrl + V.
  • Save this file as Validation.txt on your desktop.
  • Please post the contents of Validation.txt in your next reply.


#7 Counter MF (Topic Starter)

Posted 22 February 2013 - 10:58 PM

Here is that log you wanted.

I'm not sure if it's going to say it's genuine or not genuine, but I'm pretty sure Combofix deleted something and that has something to do with the "windows not genuine build 7601".

What I had in mind was to restore what Combofix has in the quarantine or what it deleted, because I remember it backing up everything on my hard drive before it scanned, like it always does.

I just don't know how to give the command to do it, or if I even should.

Thanks for the help.



#8 m0le (Malware Response Team, London, UK)

Posted 24 February 2013 - 06:59 PM

We shouldn't. The last four items on the first Combofix log are infected files and the removal has caused the problem. Restoring them won't help and will just reinfect you too.

The problem it leaves is more of a worry.

Based on the error message I would try the following forum links. See if you can use these fixes to bring the validation back. Both links are being answered by Noel Paton, a moderator on Microsoft's technical forum.

Link one

Link two

Please also run aswMBR for me.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.


#9 Counter MF (Topic Starter)

Posted 24 February 2013 - 10:28 PM

Here is an aswMBR log, but I couldn't update the definitions because the computer can't access the internet and I have no clue why.

I got my product key for my Windows, but every time I try to activate, I get an error code message every time I put it in.

At first I had no clue what my product key was because I bought the PC with Windows 7 already installed, so I got a key finder program called Belarc Advisor and got the key.

Maybe if we get rid of the rootkit it will go back to normal?

#10 m0le (Malware Response Team, London, UK)

Posted 25 February 2013 - 07:04 PM

> Maybe if we get rid of the rootkit it will go back to normal?

Unfortunately not. Firstly, it looks like the rootkit is inactive, and secondly this problem can't be reversed by just removing the malware. It's damage which can't be reversed.

For now I want to make sure you're clean before deciding the next step. Please run AdwCleaner.

Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.


#11 Counter MF (Topic Starter)

Posted 28 February 2013 - 03:42 PM

Hey m0le,

Sorry it took me a while to get this back on here, but there ya go, looks pretty clean I suppose. lol

#12 m0le (Malware Response Team, London, UK)

Posted 28 February 2013 - 08:00 PM

That just reinforces the view that Combofix disabled a nasty rootkit which has left the damage here. I am going to discuss this error with some colleagues; please hold on while I do this.


Edited by m0le, 28 February 2013 - 08:03 PM.


#13 m0le (Malware Response Team, London, UK)

Posted 01 March 2013 - 08:36 PM

Hi Counter MF,

I have spoken to a couple of colleagues. They confirm that the validation has been borked by the infection.

What they are saying is that the best way to deal with this is to call Microsoft and explain; it's not uncommon for some of these infections to bork validation. There should be a sticker on it with the product key which you can quote, and they can verify what has happened by linking to the forum here.

#14 Counter MF (Topic Starter)

Posted 05 March 2013 - 02:23 PM

I called Microsoft and tried to activate the computer using the key that was already on the computer, and they said it was being abused and blocked it.

 

Should I even try to explain the infection borked it? Or should I just get another key for this infected computer with a clean install?



#15 m0le (Malware Response Team, London, UK)

Posted 05 March 2013 - 08:08 PM

I would try and explain the situation to them. They've jumped the gun a bit there, I think.

A reinstall would be the next step if that's a no-go.