Answered by:
Validation Issue after Malware/Virus attacks

Question
-
Since being attacked by multiple malware and viruses, I am receiving notifications that my copy of Windows is not genuine. Here is the MGA diagnostic report results.
Additionally, I read and tried to follow the instructions on similar forums, but get stuck because all the numbers on the Microsoft COA on the bottom of my laptop are worn off, so that I am not able to read them.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-788W3-H689G-6P6GT
Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
Windows Product ID: 00371-OEM-8992671-00008
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {A90D2057-9620-43A3-8E1F-58C8EDEF00F5}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.140303-2144
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Allowed
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A90D2057-9620-43A3-8E1F-58C8EDEF00F5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-2358751200-3201132708-273515687</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP G60 Notebook PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>F.3C</Version><SMBIOSVersion major="2" minor="4"/><Date>20090520000000.000000+000</Date></BIOS><HWID>D6873507018400F6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEAeqiwYDboHvKWklYQILVM7hSWgjLgtrIlPJJ+KA==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC HPQOEM SLIC-MPC
FACP HPQOEM SLIC-MPC
HPET HPQOEM SLIC-MPC
BOOT HPQOEM SLIC-MPC
MCFG HPQOEM SLIC-MPC
SLIC HPQOEM SLIC-MPC
SSDT HPQOEM SLIC-MPSaturday, September 6, 2014 6:07 PM
Answers
-
Your installation shows all the signs of a hackers Activation Exploit - RemoveWAT.
The machine is not capable of supporting the OEM_SLP Key in use - it was manufactured before the release of Windows7, and the COA sticker would be for Vista.
You need to reformat and reinstall using legitimate media and Key.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Proposed as answer by Kamin of Ressik Monday, September 8, 2014 1:21 PM
- Marked as answer by Noel D PatonModerator Sunday, September 14, 2014 7:35 AM
Sunday, September 7, 2014 5:10 AMModerator
All replies
-
I also tried to follow the directions at this link for rebuilding the licensing store, but I was not able to complete the process, because of the information on the COA not being legible anymore. http://social.microsoft.com/Forums/en-US/fc302165-934e-409e-a193-af2fc3b31b8a/windows-7-not-genuine-after-malware-attack?forum=genuinewindows7Saturday, September 6, 2014 8:13 PM
-
Your installation shows all the signs of a hackers Activation Exploit - RemoveWAT.
The machine is not capable of supporting the OEM_SLP Key in use - it was manufactured before the release of Windows7, and the COA sticker would be for Vista.
You need to reformat and reinstall using legitimate media and Key.
Noel Paton | Nil Carborundum Illegitemi CrashFixPC | The Three-toed Sloth No - I do not work for Microsoft, or any of its contractors. - Proposed as answer by Kamin of Ressik Monday, September 8, 2014 1:21 PM
- Marked as answer by Noel D PatonModerator Sunday, September 14, 2014 7:35 AM
Sunday, September 7, 2014 5:10 AMModerator