Hi,
About a week ago I went to a website that I believe caused my computer to get a virus after clicking on a video. I believe this type of trojan has allowed a remote attacker to compromise the Windows 7 system as well as the ESET security system I have.
My computer immediately shut down, and some days later I began to get 2 types of error messages.
The first type were warnings that windows was not authentic and that I need to resolve the issue. After 3 days my computer began to show on the desktop:"Windows 7, Build 7601, This copy of Windows is not genuine." In addition to an error message
that says " You May Be A Victim of Software counterfeiting...," with a link to "resolve the issue." I have had my computer for 3 years, purchased with Windows 7 Home Premium 2009 Service from the manufacturer (Dell).
The Second type of errors, were messages that I need to check Windows security updates. I was unable to update Security Update for Microsoft .NET Framework 4 (KB2633870 and KB2656351), which is suppose to help protect windows
7 from being compromised from remote attacks. I got error codes 667 and 66A respectively for these updates.
I downloaded malware bytes software today and 8 threats were found and quarantined. However, now I am still getting the error messages and the desktop still shows the same "not genuine" message. Below I am including both the MGADiag Report and the Malware
Bytes Quarantine Report (done before the MGADiag Report).
How do I restore my computer to normal?
Thanks!
MGADiag REPORT:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 50
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85132
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {4EE50A50-AEC6-4115-8A8C-4733F218607C}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110622-1506
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{4EE50A50-AEC6-4115-8A8C-4733F218607C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85132</PID><PIDType>1</PIDType><SID>S-1-5-21-891040175-2667252672-388475644</SID><SYSTEM><Manufacturer>Dell
Inc.</Manufacturer><Model>Inspiron 1545 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A13</Version><SMBIOSVersion
major="2" minor="4"/><Date>20091023000000.000000+000</Date></BIOS><HWID>A11D3407018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL
</OEMID><OEMTableID>WN09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
Activation ID: b92e9980-b9d5-4821-9c94-140f632f6312
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00170-868-000000-03-1033-7601.0000-0162012
Installation ID: 011062100942711302865030406175889924204400544463048735
Partial Product Key: GPDD4
License Status: Notification
Notification Reason: 0xC004F056.
Remaining Windows rearm count: 4
Trusted time: 2/18/2012 2:02:24 AM
Please use slmgr.vbs /ato to activate and update KMS client information in order to update values.
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE7
HealthStatus: 0x0000000000000000
Event Time Stamp: 1:12:2012 07:40
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: MAAAAAIAAQABAAIAAAABAAAAAgABAAEAeqhmcafHsA7aM0DaKB92DlRthNFqKEbK
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL WN09
FACP DELL WN09
HPET DELL WN09
MCFG DELL WN09
SLIC DELL WN09
SSDT PmRef CpuPm
MALWAREBYTES LOG:
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 573665
Time elapsed: 3 hour(s), 6 minute(s), 58 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 4
HKCR\CLSID\{fe5b2d9d-91b0-b04b-ac20-14a260769687} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3be2f656-ff20-1afb-ad18-198d548e0a1a} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKCR\CLSID\{3be2f656-ff20-1afb-ad18-198d548e0a1a} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3BE2F656-FF20-1AFB-AD18-198D548E0A1A} (Adware.Adrotator) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Update System (Backdoor.IRCBot) -> Data: C:\Users\Kala\AppData\Roaming\taskmgr.exe -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|Windows Update System (Trojan.Backdoor) -> Data: C:\Users\Kala\AppData\Roaming\taskmgr.exe -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
G:\michael\dark-fantasy.exe (Adware.Relevant) -> Quarantined and deleted successfully.
G:\michael\glassedtoo.exe (Adware.Relevant) -> Quarantined and deleted successfully.
(end)
