False positive

[Staticguy]

I bought this laptop yesterday (brand new). I did a scan and malwarebytes antimalware free detected 3 threats. I am pretty sure these are false positive. Can you please check it. Logs are attached. Thanks.

logs.txt

[daledoc1]

Hi:

Thanks for the log.

We'll ask the Research Team to take a look and let you know.

Please wait for them to respond.

Thanks again,

 

[Staticguy]

Hi daledoc1 thanks for your reply! I will wait for the Research Team to respond. Thanks.

[thisisu]

Hello Staticguy,

The detection is valid / not a false positive. HackTool.KMS is a name of a Windows cracking tool used to make Windows operating system appear as though it's a legitimate/genuine copy. -> https://www.virustotal.com/en/file/e4f6906c800671eb0dd1c10dac364714902b02fe68ccf6bdb08052bdcdac2543/analysis/1472103275/

[Staticguy]

@thisisu If I delete those detected files, will it cause any serious windows operating system problems? Should I bring this up to the store that I bought it from, they have a computer technician in the store?

[daledoc1]

Hi:

The Windows OS on this "brand new" computer is pirated.

Advice: return the computer for a refund and purchase a computer with a proper, legal version of Windows.

{It appears you've had a similar problem in the past here?}

Thanks,

[Staticguy]

@daledoc1 Thanks I will take this up to the store.

[Porthos]

5 hours ago, daledoc1 said:

The Windows OS on this "brand new" computer is pirated.

Advice: return the computer for a refund and purchase a computer with a proper, legal version of Windows.

From SOMEWHERE else. Never return to that store for ANYTHING.

[Staticguy]

@Porthos: I will be able to return back to the store that I got it from. They will be able to give me my money back by showing them the receipt that they gave to me. After that they will be able to give me a proper, legal version of Windows.

[Porthos]

8 minutes ago, Staticguy said:

After that they will be able to give me a proper, legal version of Windows.

After you have money in hand go somewhere else  and report them to MS.

Could you tell me more about this"store"?

[Staticguy]

@Porthos It's a retail shop named Harvey Norman. Those retail shops that are located inside shopping malls. So far I had 2 laptops all of them are bought from there and non of them had this problem. pirated copies of Windows can be bought from small (not popular shops/asian shops (no disrespect to Asians), but it's true they sell pirated copies of windows and sell it for a well discounted price.

@Porthos also I found more info about this malware  SppExtComObjPatcher.exe and one of the links that i had researched is here http://www.eightforums.com/system-security/28460-what-sppextcomobj-exe.html and one of the user wrote this " I can only tell you that I have it on my Win 8 machine, it appears to be a legitimate part of the OS, and I think it might have something to do with KMS Licensing for Microsoft Products (like MS office) but I'm not sure because I do not have any MS Office products on my machine. Good luck. "

I myself I don't have any MS Office installed...

Anyways, I will take this up to the store and will talk with one of the technician inside the store and see what he says.

[Staticguy]

Today I went to the store, but I didn't take my laptop with me. I had my usb with the log.txt file and I showed them. They said it shouldn't be a pirate/illegal Windows OS. My laptop had HDD and that store was offering to upgrade from HDD to SSD. She said to me that, something had got wrong during the upgrade from HDD to SSD and she said to bring my laptop for further analysis. At some day next week, I will bring my laptop to that store so they can do analysis about this.

[daledoc1]

On 8/25/2016 at 8:11 AM, Porthos said:

After you have money in hand go somewhere else  and report them to MS.

IMHO you are wasting your time with a dishonest shop (especially if it's the same one from which you purchased a computer with a cracked OS in the past here).
They are exploiting unsuspecting customers like you, some of whom might be attracted by "good deals" and a low price.

M$ has a vigorous anti-piracy policy.  While we cannot predict their response to your specific report, there have been many cases where the customer reporting the fraud/piracy has been provided by M$ with a complimentary, legal Windows license.

Just a friendly suggestion,

[Staticguy]

@daledoc1 : The link that you gave and my statement  "I had a similar experience. Many years ago I bought a computer back then it was Windows 98 SE and I then bought Windows XP cd. The computer was properly licensed but the Windows XP cd was cracked/pirated. I then, went on to install it and it caused a major havoc out of my windows 98 SE computer (which was properly licensed) and used to get tons of pop ups and malware".

That Windows 98 SE and the Windows XP cd that I bought was from Bangkok, Thailand and me and my family moved from Bangkok to New Zealand. I have been living in New Zealand since 2003-present.

 

[daledoc1]

OK, thanks for the clarification.
I merely mentioned it because you seem to have had bad luck with your computer purchases.  That's all.

The information from @thisisu and the recommendations regarding your current situation would still stand, however.

Eventually, the illegal Windows OS will most likely run afoul of MS activation servers and you will be out of luck.

So we suggest returning the computer for a refund ASAP and purchasing elsewhere one with a legit version of Windows.
Another option, as suggested by @Porthos, would be to report the problem to MS; they may reward your piracy report with a valid license.
Doing so would help to prevent this unscrupulous seller from victimizing other customers.

https://www.microsoft.com/en-us/piracy/reporting/default.aspx
https://www.microsoft.com/en-us/piracy/reporting/faq.aspx

Of course, it's up to you.

Thank you again,

[Staticguy]

@daledoc1: Since coming to New Zealand I had only 1 bad luck in buying a laptop. I bought a laptop from here which was on display, because they didn't have a brand new one (packed). Since then I bought a new one (windows 7) still running good so I then decided to get another laptop (windows 10).

Thanks for all the help and advice guys. Really do appreciate it 

[Staticguy]

Hello guys! Just came back home from the technician from the shop. They said it's got nothing to do about the Windows OS, it is a geniune copy of windows that those detections that you see are safe to delete and it's part of MS Office and since you didn't have any MS Office software pre-installed you have nothing to worry about. My reply#11 states that from the link that I provided and here's a quote from that link 

" " I can only tell you that I have it on my Win 8 machine, it appears to be a legitimate part of the OS, and I think it might have something to do with KMS Licensing for Microsoft Products (like MS office) but I'm not sure because I do not have any MS Office products on my machine. Good luck. "

[AdvancedSetup]

Hello @StatticGuy

Delete the files and reboot the workstation a few times. Then run MBAM again and check for updates and run a new Threat Scan and post the scan log.

Next, let's get a bit more information from the computer to see how it's doing.

 

 

Please read the following and post back the 3 requested logs as an attachment.
 
Diagnostic Logs
 
Thanks

[Staticguy]

@AdvancedSetup I didn't delete the files from MBAM I did a full system scan with Trend Micro Maximum Security 10 (latest version) and it detected only one file.

Detection name is: TROJ_GEN.R0C1COEEP16

Affected file is: C:\Windows\System32\SppExtComObjPatcher.exe

Trend Micro didn't detect the other 2 files that MBAM did according to the first log that I posted. After that, I opened up MBAM, checked for updates, I did a another threat scan, and it didn't find anything.

Uh... one problem. I tried to run Farbar Recovery Scan Tool first Microsoft SmartScreen filter blocked it and i then said run it anyway and after that Trend Micro blocked this tool from running it. What should I do. This is my first time running this tool.

[AdvancedSetup]

Restart the computer, then rescan and remove what MBAM finds. It is not a false positive regardless of what your friends at the computer shop are telling you.

You need to either disable the the smart filter or use another browser to download the tool. It is safe and only scans to post logs of what is running on your system

 

[Staticguy]

@AdvancedSetup I restarted my laptop and the tool worked. nothing came up from SmartScreen filter and from Trend Micro. I also did another scan from MBAM it says CLEAN. Here are the logs from Farbar

Addition.txt

FRST.txt

[AdvancedSetup]

Overall it looks good. No immediate signs of an infection, however there are other issues on the system that you may with to see if your IT Support can assist with as this appears to be a business computer.

 

 

Application errors:
==================
Error: (08/30/2016 01:14:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Error: (08/27/2016 05:03:37 PM) (Source: Windows Search Service) (EventID: 3104) (User: )
Description: Enumerating user sessions to generate filter pools failed.

System errors:
=============
Error: (08/30/2016 04:47:04 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 

Error: (08/30/2016 04:47:02 PM) (Source: TPM) (EventID: 15) (User: )
Description: The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.

Error: (08/30/2016 02:47:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The tmumh service failed to start due to the following error:
The revision level is unknown.

 

Thanks

 

 

[Staticguy]

@AdvancedSetup yes this operating system in an Enterprise version. I will let them know about these other issues. Thanks.

[Porthos]

On 8/26/2016 at 0:11 AM, Staticguy said:

It's a retail shop named Harvey Norman. Those retail shops that are located inside shopping malls.

@StaticguyYou cant get the Enterprise version legally in a retail shop. Those are only sold to volume license customers.

Edited August 30, 2016 by Porthos

[Staticguy]

@Porthos I should have mentioned this before. My laptop package says "Windows 10 Home" but when I turn on my laptop and type about Windows it says "Windows 10 Enterprise". Few hours ago, I went to harvey norman website and had a online chat with a tech representative and told me to go to the shop and tell them what you told me. so I went to the shop and I told them what I told to the tech representative. The tech was confused and couldn't come up with an answer why the package name is different to the name on the laptop. So they checked the S/N number to the package and the S/N number on the laptop and it's a match. While I was with the tech in the shop, she phoned to the manufacturer "ACER" and they told them what i told the tech at the shop. The Acer support tech told the tech from the shop that we don't sell Pro/home versions anymore. The name on the package can say home/Pro but once you turn on the computer it says Enterprise.

This came straight from the horses's mouth  aka ACER support tech. The tech and the customer (me) shouldn't be worried or concerned about anything. It's just how we (manufacturer) work and etc etc. We put the same name "Enterprise" for all laptops even though the package says different home/Pro

I can't remember the exact word and such it's too tech for me 

 

I guess HP, ASUS, Acer works differently from each other.