Validation Issue after Malware/Virus attacks

  • Question

  • Since being attacked by multiple malware and viruses, I am receiving notifications that my copy of Windows is not genuine. Here are the MGA diagnostic report results.

    Additionally, I read and tried to follow the instructions on similar forums, but got stuck because all the numbers on the Microsoft COA on the bottom of my laptop are worn off, so that I am not able to read them.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {A90D2057-9620-43A3-8E1F-58C8EDEF00F5}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.140303-2144
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Allowed
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{A90D2057-9620-43A3-8E1F-58C8EDEF00F5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-2358751200-3201132708-273515687</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP G60 Notebook PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>F.3C</Version><SMBIOSVersion major="2" minor="4"/><Date>20090520000000.000000+000</Date></BIOS><HWID>D6873507018400F6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEAeqiwYDboHvKWklYQILVM7hSWgjLgtrIlPJJ+KA==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC               HPQOEM         SLIC-MPC
      FACP               HPQOEM         SLIC-MPC
      HPET               HPQOEM         SLIC-MPC
      BOOT               HPQOEM         SLIC-MPC
      MCFG               HPQOEM         SLIC-MPC
      SLIC               HPQOEM         SLIC-MPC
      SSDT               HPQOEM         SLIC-MP

    Saturday, September 6, 2014 6:07 PM

Answers

  • Your installation shows all the signs of a hacker's Activation Exploit - RemoveWAT.

    The machine is not capable of supporting the OEM_SLP Key in use - it was manufactured before the release of Windows 7, and the COA sticker would be for Vista.

    You need to reformat and reinstall using legitimate media and Key.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Sunday, September 7, 2014 5:10 AM
    Moderator
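
The anomalies in the posted report can be pulled out and decoded mechanically. The following is an added example, not part of the original thread and not Microsoft tooling: it parses MGADiag-style text and maps the HRESULT codes to their standard Windows names. The function names and finding labels are this example's own.

```python
import re
from collections import Counter

# Standard Windows HRESULT names for the codes that appear in the report.
HRESULTS = {
    0x80070002: "ERROR_FILE_NOT_FOUND",
    0x80070003: "ERROR_PATH_NOT_FOUND",
    0x80040154: "REGDB_E_CLASSNOTREG",
    0x800B0100: "TRUST_E_NOSIGNATURE",
}
# Labels chosen for this example; any other code stays a plain "file mismatch".
FILE_KINDS = {
    "ERROR_FILE_NOT_FOUND": "file missing",
    "ERROR_PATH_NOT_FOUND": "file missing",
    "TRUST_E_NOSIGNATURE": "file has no valid signature",
}

# Lines copied from the report in the question (excerpt only).
SAMPLE = r"""
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
"""

MISMATCH = re.compile(r"^[ \t]*File Mismatch: (.+?)\[.*?Hr = (0x[0-9a-fA-F]{8})", re.M)
NO_SCRIPT = re.compile(r'^[ \t]*Input Error: Can not find script file "(.+?)"', re.M)
UNREG = re.compile(r"^[ \t]*(ActiveX|Admin Service): Not Registered - (0x[0-9a-fA-F]{8})", re.M)

def hr_name(text):
    """Map a hex HRESULT string to its symbolic name."""
    return HRESULTS.get(int(text, 16), "unknown HRESULT")

def triage(report):
    """Return (kind, item, hresult_name) tuples for anomalies in the report."""
    findings = []
    for path, hr in MISMATCH.findall(report):
        name = hr_name(hr)
        findings.append((FILE_KINDS.get(name, "file mismatch"), path, name))
    for path in NO_SCRIPT.findall(report):
        findings.append(("licensing script missing", path, "n/a"))
    for component, hr in UNREG.findall(report):
        findings.append(("WAT component not registered", component, hr_name(hr)))
    return findings

if __name__ == "__main__":
    results = triage(SAMPLE)
    for kind, item, name in results:
        print(f"{kind:30} {item}  ({name})")
    print(Counter(kind for kind, _, _ in results))
```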

All replies

  • I also tried to follow the directions at this link for rebuilding the licensing store, but I was not able to complete the process, because of the information on the COA not being legible anymore.  http://social.microsoft.com/Forums/en-US/fc302165-934e-409e-a193-af2fc3b31b8a/windows-7-not-genuine-after-malware-attack?forum=genuinewindows7
    Saturday, September 6, 2014 8:13 PM