WGA 'Not Genuine Windows' incident - tampered file: sppcext.dll

  • Question

  • Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-*****-*****-DWMM8
    Windows Product Key Hash: O3eL2X8KiGWwUaaVHKgJmIGgBVA=
    Windows Product ID: 55041-007-1583173-86048
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.004
    ID: {E21125B5-4687-4B02-B1B7-00BEFFA24998}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows 7 Enterprise
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Plus 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: xxx.xxx.xxx:80
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{E21125B5-4687-4B02-B1B7-00BEFFA24998}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.004</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-007-1583173-86048</PID><PIDType>6</PIDType><SID>S-1-5-21-1909850139-2672102887-3176005707</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>OptiPlex 745                 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.1 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070821000000.000000+000</Date></BIOS><HWID>75CE3D07018400F6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>55B91242E6E4D88</Val><Hash>wNAeysl+G0ugEMMiNWEuGpAotok=</Hash><Pid>89409-708-6706887-65670</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Enterprise edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-007-158317-03-1033-7601.0000-0822012
    Installation ID: 019923062835351813659500250614402721672300582371254531
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: DWMM8
    License Status: Licensed
    Remaining Windows rearm count: 1
    Trusted time: 3/23/2012 9:33:00 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000000040
    Event Time Stamp: 3:20:2012 11:36
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui


    HWID Data-->
    HWID Hash Current: LgAAAAEAAwABAAEAAAABAAAAAQABAAEA6GHIgPzzTmu2hi73QD5Y6UI9lOyA1w==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   DELL    B8K   
      FACP   DELL    B8K   
      HPET   DELL    B8K   
      BOOT   DELL    B8K   
      MCFG   DELL    B8K   
      SSDT   DELL  st_ex
      ASF!   DELL    B8K   
      SLIC   DELL    B8K   


     

    Friday, March 23, 2012 1:46 PM

Answers

  • "CompVet" wrote in message news:eaee405a-d22c-4114-b015-0d7ee30a94e6...

    On another PC which does not have the symptoms and has been deployed for much longer than the problematic PCs, the file dates are the same for the respective files.

    Not sure how to comply with your request for hashes...

    Not needed, if you have the same dates on a functional machine.
    (I just wish I knew what install disk they came from - perhaps it's a Volume only thing)
    The direct file permissions are correct, as far as I can see, so there must be something else amiss - the error message on the file mismatch is one that would occur if the Cryptographic service was disabled (but that would also flag a lot of other files if that was the case), from which I infer that there's a certificate awry somewhere.
    The filename doesn't appear in the registry except where you expect from conducting searches on it, so there's nothing easy to look for there.
     
    The only thing I can think is to pass you on to MS WGA support for assistance.
     
    WGA Support can be found here-

    North America: http://support.microsoft.com/contactus/cu_sc_genadv_master?ws=support&ws=support#tab4

    Outside North America:
    http://support.microsoft.com/contactus/?ws=support#tab0

    Please let us know if (and how) MS manage to fix the
    problem without a repair install of the OS - it would be useful for future
    reference!

     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, March 23, 2012 4:42 PM
    Moderator

All replies

  • "CompVet" wrote in message news:cc78862e-e352-4a97-8488-b1665983b2aa...

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-*****-*****-DWMM8
    Windows Product Key Hash: O3eL2X8KiGWwUaaVHKgJmIGgBVA=
    Windows Product ID: 55041-007-1583173-86048
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.004

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100

    Other data-->
    SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>OptiPlex 745                 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.1 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070821000000.000000+000</Date></BIOS

     

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Enterprise edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Partial Product Key: DWMM8
    License Status: Licensed
    Remaining Windows rearm count: 1
    Trusted time: 3/23/2012 9:33:00 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000000040
    Event Time Stamp: 3:20:2012 11:36
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
      SLIC   DELL    B8K   


     

    (two of these in 10 minutes has to be a record! - have you had any malware incidents lately?)
     
    Since this is a MAK License, you should consult your System Admin for assistance -
     
    Having said that, the problem is caused by the highlighted errors above.
     
    Please run some disk checks -
    running CHKDSK and SFC
    type in the Search box
    CMD.EXE
    right-click on the only file that is found
    Select Run as Administrator
    - the Elevated Command Prompt window should pop up
    At the Command prompt, type
    CHKDSK C: /R
    and hit the Enter key
You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot. The chkdsk will take a few hours depending on the size of the drive, so be patient!

    After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC

    SFC -System File Checker - Instructions
    Click on the Start button
    type in the Search box
    CMD.EXE
    right-click on the only file that is found
    Select Run as Administrator
    - the Elevated Command Prompt window should pop up
    At the Command prompt, type

    SFC /SCANNOW

    and hit the Enter key
    Wait for the scan to finish - make a note of any error messages - and then reboot.

Run another MGADiag report, and post the results.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, March 23, 2012 2:04 PM
    Moderator
• The MGADiag report I had posted was performed after the CHKDSK & SFC. I had read other posts prior to creating a new thread. I have reached out to the Corporate contact for assistance. FWIW - I am a System Admin...

    No malware incidents. There seems to be a rash of these incidents after the March MS Updates, has any correlation been made as of yet?

    Friday, March 23, 2012 2:10 PM
  • "CompVet" wrote in message news:5af0075b-bbab-467a-aec2-414f25486b3b...

The MGADiag report I had posted was performed after the CHKDSK & SFC. I had read other posts prior to creating a new thread. I have reached out to the Corporate contact for assistance. FWIW - I am a System Admin...

    No malware incidents. There seems to be a rash of these incidents after the March MS Updates, has any correlation been made as of yet?

    OK - in that case,
    open an Elevated Command Prompt window, and run the following commands
     
    ICACLS C:\Windows\System32\sppcext.* /T
    ICACLS C:\Windows\SysWOW64\sppcext.* /T
    DIR C:\Windows\sppcext.* /S
     
    Copy and paste the results to your response.
     
    There's always a minor blip in the curve after a batch of updates - it may show that something has previously affected systems in some way that isn't obvious until a file is updated, but then becomes a problem.
    It's rarely enough that we get to see a significant increase in problems sufficient to identify a specific cause in the forums here.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, March 23, 2012 2:25 PM
    Moderator
  • Here's the results:


    C:\Users\Administrator>icacls c:\windows\system32\sppcext.* /T
    c:\windows\system32\sppcext.dll NT SERVICE\TrustedInstaller:(F)
                                    BUILTIN\Administrators:(RX)
                                    NT AUTHORITY\SYSTEM:(RX)
                                    BUILTIN\Users:(RX)

    c:\windows\system32\en-US\sppcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                              BUILTIN\Administrators:(RX)
                                              NT AUTHORITY\SYSTEM:(RX)
                                              BUILTIN\Users:(RX)

    c:\windows\system32\LogFiles\WMI\RtBackup\sppcext.*: Access is denied.
    Successfully processed 2 files; Failed processing 1 files

    C:\Users\Administrator>icacls c:\windows\syswow64\sppcext.* /T
    c:\windows\syswow64\sppcext.dll NT SERVICE\TrustedInstaller:(F)
                                    BUILTIN\Administrators:(RX)
                                    NT AUTHORITY\SYSTEM:(RX)
                                    BUILTIN\Users:(RX)

    c:\windows\syswow64\en-US\sppcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                              BUILTIN\Administrators:(RX)
                                              NT AUTHORITY\SYSTEM:(RX)
                                              BUILTIN\Users:(RX)

    Successfully processed 2 files; Failed processing 0 files

    C:\Users\Administrator>dir c:\windows\sppcext.* /S
     Volume in drive C is OSDisk
     Volume Serial Number is 76A7-C94D

     Directory of c:\windows\System32

    07/13/2009  09:41 PM         1,203,712 sppcext.dll
                   1 File(s)      1,203,712 bytes

     Directory of c:\windows\System32\en-US

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

     Directory of c:\windows\SysWOW64

    07/13/2009  09:16 PM         1,111,552 sppcext.dll
                   1 File(s)      1,111,552 bytes

     Directory of c:\windows\SysWOW64\en-US

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

     Directory of c:\windows\winsxs\amd64_microsoft-windows-s..clientext.resources_3
    1bf3856ad364e35_6.1.7600.16385_en-us_c2382769078e1059

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

     Directory of c:\windows\winsxs\amd64_microsoft-windows-security-spp-clientext_3
    1bf3856ad364e35_6.1.7600.16385_none_28bbe77bcacffbe4

    07/13/2009  09:41 PM         1,203,712 sppcext.dll
                   1 File(s)      1,203,712 bytes

     Directory of c:\windows\winsxs\x86_microsoft-windows-s..clientext.resources_31b
    f3856ad364e35_6.1.7600.16385_en-us_66198be54f309f23

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

     Directory of c:\windows\winsxs\x86_microsoft-windows-security-spp-clientext_31b
    f3856ad364e35_6.1.7600.16385_none_cc9d4bf812728aae

    07/13/2009  09:16 PM         1,111,552 sppcext.dll
                   1 File(s)      1,111,552 bytes

         Total Files Listed:
                   8 File(s)      4,700,160 bytes
                   0 Dir(s)  34,353,311,744 bytes free

    Friday, March 23, 2012 2:46 PM
  • "CompVet" wrote in message news:1cec227c-d1fc-404e-acb9-c4992fd9fc0a...

    Here's the results:


    C:\Users\Administrator>icacls c:\windows\system32\sppcext.* /T
    c:\windows\system32\sppcext.dll NT SERVICE\TrustedInstaller:(F)
                                    BUILTIN\Administrators:(RX)
                                    NT AUTHORITY\SYSTEM:(RX)
                                    BUILTIN\Users:(RX)

    c:\windows\system32\en-US\sppcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                              BUILTIN\Administrators:(RX)
                                              NT AUTHORITY\SYSTEM:(RX)
                                              BUILTIN\Users:(RX)

    c:\windows\system32\LogFiles\WMI\RtBackup\sppcext.*: Access is denied.
    Successfully processed 2 files; Failed processing 1 files

    C:\Users\Administrator>icacls c:\windows\syswow64\sppcext.* /T
    c:\windows\syswow64\sppcext.dll NT SERVICE\TrustedInstaller:(F)
                                    BUILTIN\Administrators:(RX)
                                    NT AUTHORITY\SYSTEM:(RX)
                                    BUILTIN\Users:(RX)

    c:\windows\syswow64\en-US\sppcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                              BUILTIN\Administrators:(RX)
                                              NT AUTHORITY\SYSTEM:(RX)
                                              BUILTIN\Users:(RX)

    Successfully processed 2 files; Failed processing 0 files

    C:\Users\Administrator>dir c:\windows\sppcext.* /S
    Volume in drive C is OSDisk
    Volume Serial Number is 76A7-C94D

    Directory of c:\windows\System32\en-US

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

    Directory of c:\windows\winsxs\amd64_microsoft-windows-s..clientext.resources_3
    1bf3856ad364e35_6.1.7600.16385_en-us_c2382769078e1059

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

    Directory of c:\windows\winsxs\x86_microsoft-windows-s..clientext.resources_31b
    f3856ad364e35_6.1.7600.16385_en-us_66198be54f309f23

    11/21/2010  02:24 AM            17,408 sppcext.dll.mui
                   1 File(s)         17,408 bytes

         Total Files Listed:
                   8 File(s)      4,700,160 bytes
                   0 Dir(s)  34,353,311,744 bytes free

    That's the second case where I've seen these dates on an sppcext.dll.mui - the apparent filesize is correct, but the date looks wrong, and all instances are affected.
    It's almost as if they are from a Beta build of the OS.
The proper dates are either 12/04/2011 or 14/07/2009.
Please run SHA-1 or MD5 hashes on them and compare with a similar but functional machine.
    On my machine (SP1 updated from RTM, dated 14/07/2009) I get
     
    MD5 - b787b6f4b644a0ef0a8ad97098415d16
    SHA-1 - dd0279234d339a706444fa85c255f0cf5d7f22d0

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, March 23, 2012 4:03 PM
    Moderator
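The hash comparison the moderator asks for, as an added example that is not code from the thread: a PowerShell script that inventories every copy of sppcext.dll and sppcext.dll.mui under the Windows directory (the same scope as `DIR C:\Windows\sppcext.* /S`), records size, timestamp, owner, MD5 and SHA-1, and, when given the CSV produced by the same script on a known-good machine, reports which copies differ. It assumes the Windows directory is `%SystemRoot%` on both machines and uses .NET hashing so it runs on the PowerShell 2.0 that ships with Windows 7; the parameter and function names are my own.

```powershell
# Added example (not from the thread): inventory every copy of sppcext.dll /
# sppcext.dll.mui under %SystemRoot%, record size, timestamp, owner and
# MD5/SHA-1, and optionally diff the result against the same inventory
# taken on a known-good machine. Uses .NET hashing so it runs on the
# PowerShell 2.0 that ships with Windows 7 (Get-FileHash needs PS 4.0+).
param(
    [string]$Root      = $env:SystemRoot,
    [string]$OutCsv    = "$env:TEMP\sppcext-inventory.csv",
    [string]$Reference = ""   # CSV produced by this script on a good machine
)

function Get-HashHex([string]$Path, [System.Security.Cryptography.HashAlgorithm]$Algo) {
    # Open read-only and shared so a file held open by a service still hashes.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([BitConverter]::ToString($Algo.ComputeHash($stream))).Replace('-', '').ToLower() }
    finally { $stream.Close() }
}

function Get-SppcextInventory([string]$SearchRoot) {
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    # Covers System32, SysWOW64 and the WinSxS component store; directories we
    # cannot read (e.g. LogFiles\WMI\RtBackup in the thread) are skipped.
    Get-ChildItem -Path $SearchRoot -Recurse -Filter 'sppcext.*' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Size     = $_.Length
                Modified = $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss')
                Owner    = (Get-Acl $_.FullName).Owner   # expect NT SERVICE\TrustedInstaller
                MD5      = Get-HashHex $_.FullName $md5
                SHA1     = Get-HashHex $_.FullName $sha1
            }
        }
}

$inventory = Get-SppcextInventory $Root
$inventory | Select-Object Path, Size, Modified, Owner, MD5, SHA1 |
    Export-Csv -Path $OutCsv -NoTypeInformation
$inventory | Format-Table Path, Size, Modified, SHA1 -AutoSize

if ($Reference -and (Test-Path $Reference)) {
    # Key on the path relative to the Windows directory so the two machines are
    # compared like for like; a hash or size difference marks a candidate tampered copy.
    $good = @{}
    Import-Csv $Reference | ForEach-Object { $good[$_.Path.Substring($Root.Length)] = $_ }
    foreach ($f in $inventory) {
        $rel = $f.Path.Substring($Root.Length)
        if (-not $good.ContainsKey($rel)) { "MISSING ON REFERENCE    : $rel"; continue }
        if ($good[$rel].SHA1 -ne $f.SHA1) { "HASH MISMATCH           : $rel (ref $($good[$rel].SHA1))" }
        elseif ($good[$rel].Modified -ne $f.Modified) { "DATE DIFFERS, SAME HASH : $rel" }
        else { "OK                      : $rel" }
    }
}
```

Run it once on the functional machine, copy the CSV over, then run it on the affected machine with `-Reference <that csv>`; an identical hash with a different date points at metadata rather than content, while a hash mismatch on a copy owned by anything other than TrustedInstaller is the one to hand to support.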
  • On another PC which does not have the symptoms and has been deployed for much longer than the problematic PCs, the file dates are the same for the respective files.

    Not sure how to comply with your request for hashes...

    Friday, March 23, 2012 4:29 PM
  • Thanks for the efforts! I expect to be in contact with the WGA folks 'soon'. I'll share what I can.
    Friday, March 23, 2012 4:59 PM
  • You're welcome - good luck!

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Friday, March 23, 2012 5:08 PM
    Moderator