Windows 7 Showing as Not Genuine Anymore - Identified Virus - What to do?

Question

    Hi,

    About a week ago I went to a website that I believe caused my computer to get a virus after clicking on a video. I believe this type of trojan has allowed a remote attacker to compromise the Windows 7 system as well as the ESET security system I have. My computer immediately shut down, and some days later I began to get 2 types of error messages.

    The first type were warnings that Windows was not authentic and that I needed to resolve the issue. After 3 days my computer began to show on the desktop: "Windows 7, Build 7601, This copy of Windows is not genuine.", in addition to an error message that says "You May Be A Victim of Software Counterfeiting...," with a link to "resolve the issue." I have had my computer for 3 years, purchased with Windows 7 Home Premium 2009 Service from the manufacturer (Dell).

    The second type were messages that I needed to check Windows security updates. I was unable to install Security Update for Microsoft .NET Framework 4 (KB2633870 and KB2656351), which are supposed to help protect Windows 7 from being compromised by remote attacks. I got error codes 667 and 66A respectively for these updates.

    I downloaded the Malwarebytes software today and 8 threats were found and quarantined. However, I am still getting the error messages and the desktop still shows the same "not genuine" message. Below I am including both the MGADiag report and the Malwarebytes quarantine report (done before the MGADiag report).

    How do I restore my computer to normal?

    Thanks!

    MGADiag REPORT:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 50
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****
    Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
    Windows Product ID: 00371-868-0000007-85132
    Windows Product ID Type: 1
    Windows License Type: KMS Client
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {4EE50A50-AEC6-4115-8A8C-4733F218607C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110622-1506
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{4EE50A50-AEC6-4115-8A8C-4733F218607C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85132</PID><PIDType>1</PIDType><SID>S-1-5-21-891040175-2667252672-388475644</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1545                   </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A13</Version><SMBIOSVersion major="2" minor="4"/><Date>20091023000000.000000+000</Date></BIOS><HWID>A11D3407018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>WN09   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
    Activation ID: b92e9980-b9d5-4821-9c94-140f632f6312
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00170-868-000000-03-1033-7601.0000-0162012
    Installation ID: 011062100942711302865030406175889924204400544463048735
    Partial Product Key: GPDD4
    License Status: Notification
    Notification Reason: 0xC004F056.
    Remaining Windows rearm count: 4
    Trusted time: 2/18/2012 2:02:24 AM
    Please use slmgr.vbs /ato to activate and update KMS client information in order to update values.

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE7
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 1:12:2012 07:40
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MAAAAAIAAQABAAIAAAABAAAAAgABAAEAeqhmcafHsA7aM0DaKB92DlRthNFqKEbK

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   DELL    WN09  
      FACP   DELL    WN09  
      HPET   DELL    WN09  
      MCFG   DELL    WN09  
      SLIC   DELL    WN09  
      SSDT   PmRef  CpuPm

     

    MALWAREBYTES LOG:

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 573665
    Time elapsed: 3 hour(s), 6 minute(s), 58 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 4
    HKCR\CLSID\{fe5b2d9d-91b0-b04b-ac20-14a260769687} (Adware.ColorSoft) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3be2f656-ff20-1afb-ad18-198d548e0a1a} (Adware.Adrotator) -> Quarantined and deleted successfully.
    HKCR\CLSID\{3be2f656-ff20-1afb-ad18-198d548e0a1a} (Adware.Adrotator) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3BE2F656-FF20-1AFB-AD18-198D548E0A1A} (Adware.Adrotator) -> Quarantined and deleted successfully.

    Registry Values Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Update System (Backdoor.IRCBot) -> Data: C:\Users\Kala\AppData\Roaming\taskmgr.exe -> Quarantined and deleted successfully.
    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|Windows Update System (Trojan.Backdoor) -> Data: C:\Users\Kala\AppData\Roaming\taskmgr.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    G:\michael\dark-fantasy.exe (Adware.Relevant) -> Quarantined and deleted successfully.
    G:\michael\glassedtoo.exe (Adware.Relevant) -> Quarantined and deleted successfully.

    (end)

    Saturday, February 18, 2012 7:21 AM
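The Malwarebytes log above shows the pattern worth checking for on any machine like this one: a Run value ("Windows Update System") and a Windows Firewall exception both pointing at a binary in the user's %AppData% that borrows the name of a system executable (taskmgr.exe). The script below is an added example, not part of the original post, that audits the Run/RunOnce keys and the legacy Windows 7 firewall "AuthorizedApplications" store (the same registry key named in the log) for that pattern. It uses only built-in registry and environment APIs; the list of "system-only" binary names and the set of user-writable directory patterns are my own choices and can be extended.

```powershell
# Added example, not part of the original post: audit Run/RunOnce autostarts and the
# legacy Windows Firewall "AuthorizedApplications" store on Windows 7 for entries that
# run from user-writable directories or that masquerade as system binaries.
# Run from an elevated PowerShell; PowerShell 2.0 syntax.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Legacy firewall policy store (the key named in the Malwarebytes log), all three profiles.
$FwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$FwKeys = @('StandardProfile', 'DomainProfile', 'PublicProfile') |
          ForEach-Object { "$FwBase\$_\AuthorizedApplications\List" }

# Binaries that legitimately live only under %SystemRoot% (my list; extend as needed).
$SystemOnlyNames = @('taskmgr.exe', 'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe',
                     'winlogon.exe', 'services.exe', 'wuauclt.exe', 'spoolsv.exe')

function Get-ExePath([string]$Value) {
    # Extract the executable path from a Run command line ("C:\x\a.exe" /arg) or from a
    # firewall entry (C:\x\a.exe:*:Enabled:Name). Returns '' when nothing looks like a path.
    $v = $Value.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($v, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ''
}

function Get-SuspicionReasons([string]$Path) {
    $reasons = @()
    if ([string]::IsNullOrEmpty($Path)) { return $reasons }
    $p = $Path.ToLowerInvariant()
    if ($p -match '\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\') {
        $reasons += 'runs from a user-writable directory'
    }
    $name = $p.Split('\')[-1]
    if (($SystemOnlyNames -contains $name) -and ($p -notmatch '^[a-z]:\\windows\\')) {
        $reasons += "system binary name ($name) outside %SystemRoot%"
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $reasons += 'file no longer present (dangling entry, e.g. after quarantine)'
    }
    return $reasons
}

function Find-SuspiciousAutostarts {
    foreach ($key in ($RunKeys + $FwKeys)) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            $exe  = Get-ExePath $data
            # Windows itself writes firewall entries with the path as the value NAME; malware
            # often does not (the log shows name "Windows Update System" with the path as data),
            # so try the data first and fall back to the name.
            if ($exe -eq '' -and $key -like "$FwBase*") { $exe = Get-ExePath $valueName }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $why = @(Get-SuspicionReasons $exe)
            if ($why.Count -gt 0) {
                New-Object PSObject -Property @{
                    Key = $key; ValueName = $valueName; Path = $exe; Reason = ($why -join '; ')
                }
            }
        }
    }
}

Find-SuspiciousAutostarts | Format-Table Key, ValueName, Path, Reason -AutoSize -Wrap
```

On the machine in this thread, before the Malwarebytes quarantine, the script would report the HKCU Run value and the StandardProfile firewall entry with both "runs from a user-writable directory" and "system binary name (taskmgr.exe) outside %SystemRoot%"; after the quarantine, any leftover value would show up as a dangling entry. A firewall exception for the same binary is the piece that turns a simple autostart into a reachable backdoor, which is why both stores are checked together.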

Answers

  • "mekeda7" wrote in message news:c9d53591-8b62-46ab-9931-54f340be9fd6...

    Hi,

    for 3 years, purchased with Windows 7 Home Premium 2009 Service from the manufacturer (Dell).

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 50
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****
    Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
    Windows Product ID: 00371-868-0000007-85132
    Windows Product ID Type: 1
    Windows License Type: KMS Client
    Windows OS version: 6.1.7601.2.00010100.1.0.048

    Other data-->
    SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1545                   </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A13</Version><SMBIOSVersion major="2" minor="4"/><Date>20091023000000.000000+000</Date></BIOS

     

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
    Partial Product Key: GPDD4
    License Status: Notification
    Notification Reason: 0xC004F056.
    Remaining Windows rearm count: 4
    Trusted time: 2/18/2012 2:02:24 AM
    Please use slmgr.vbs /ato to activate and update KMS client information in order to update values.

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE7

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001

     
     
     
    The installed OS is Win 7 Pro – not Home Premium – using a KMS license.
    KMS licenses are volume licenses and require periodic connection to the appropriate server to reactivate against that server. The server is run by the owner of the license, and must have at least 25 machines activated against it.
    If you are not a member of such an organisation, then you are not entitled to use a KMS license, and the install is a counterfeit. In this case, you must revert to the originally supplied OS using the manufacturer's recovery media, or purchase a full retail license for Pro and swap the key into the system.
     
    If you are a member of such an organisation, you should check with your System Administrator – and they will assist.
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Marked as answer by Darin Smith MS, Monday, February 20, 2012 10:04 PM
    Saturday, February 18, 2012 10:23 AM
    Moderator
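The answer reads two facts out of the MGADiag report: the installed Windows is on the VOLUME_KMSCLIENT channel (Licensing Data), while the hardware is a Dell with an OEM SLIC table in the BIOS (OEM Activation 2.0 Data). The script below is an added example, not part of the original thread, that reproduces both checks directly on the affected machine from an elevated PowerShell. It queries the SoftwareLicensingProduct WMI class that slmgr.vbs itself reads (slmgr.vbs /dli prints the same fields), and enumerates the firmware's ACPI table signatures through kernel32!EnumSystemFirmwareTables to see whether a SLIC table is present. The Windows application ID constant is the one shown in the report; the LicenseStatus name table is the documented 0 to 6 mapping; the verdict wording is my own.

```powershell
# Added example, not part of the original thread: check license channel vs. OEM SLIC
# presence on the local machine. Elevated PowerShell, 2.0 syntax.

$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows application ID, as in the report
$LicenseStatusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace';
                         4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }

Add-Type -Namespace Native -Name Firmware -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint EnumSystemFirmwareTables(uint provider, byte[] buffer, uint size);
'@

function Get-AcpiTableSignatures {
    # Provider signature 'ACPI' = 0x41435049; the call fills a buffer of 4-byte table IDs.
    $acpi = [uint32]0x41435049
    $size = [Native.Firmware]::EnumSystemFirmwareTables($acpi, $null, 0)
    if ($size -eq 0) { return @() }
    $buf = New-Object byte[] $size
    [void][Native.Firmware]::EnumSystemFirmwareTables($acpi, $buf, $size)
    $sigs = @()
    for ($i = 0; $i + 4 -le $buf.Length; $i += 4) {
        $sigs += [Text.Encoding]::ASCII.GetString($buf, $i, 4)   # e.g. FACP, APIC, SLIC
    }
    return $sigs
}

function Get-LicenseChannelReport {
    $os  = Get-WmiObject Win32_OperatingSystem
    $cs  = Get-WmiObject Win32_ComputerSystem
    # The Windows product that actually has a key installed (what slmgr /dli reports).
    $lic = Get-WmiObject SoftwareLicensingProduct `
               -Filter "ApplicationID='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
           Select-Object -First 1
    if (-not $lic) { throw 'No Windows product with an installed key found' }

    $hasSlic = [bool]((Get-AcpiTableSignatures) -contains 'SLIC')
    $isKms   = [bool]($lic.Description -match 'VOLUME_KMSCLIENT')
    $verdict = if ($isKms -and $hasSlic) {
                   'KMS client channel on an OEM (SLIC) machine: not the license the machine shipped with'
               } elseif ($isKms) {
                   'KMS client: needs periodic contact with the organisation''s KMS host to stay activated'
               } else { 'Non-volume channel' }

    New-Object PSObject -Property @{
        Edition       = ([string]$os.Caption).Trim()
        SKU           = $os.OperatingSystemSKU             # 3 = Home Premium, 48 = Professional
        Manufacturer  = $cs.Manufacturer
        Model         = ([string]$cs.Model).Trim()
        Channel       = $lic.Description                   # e.g. "... VOLUME_KMSCLIENT channel"
        LicenseStatus = $LicenseStatusNames[[int]$lic.LicenseStatus]
        StatusReason  = ('0x{0:X8}' -f [uint32]$lic.LicenseStatusReason)   # e.g. 0xC004F056
        PartialKey    = $lic.PartialProductKey
        SlicPresent   = $hasSlic
        Verdict       = $verdict
    } | Select-Object Edition, SKU, Manufacturer, Model, Channel, LicenseStatus,
                      StatusReason, PartialKey, SlicPresent, Verdict
}

Get-LicenseChannelReport | Format-List
```

The SKU field is the edition code (Home Premium is 3, Professional is 48), which is also the last field of the MGADiag "Windows OS version" line; on the machine in this thread that line ends in .048, consistent with the Professional edition the Licensing Data section names. The combination the answer calls out would show as Channel containing VOLUME_KMSCLIENT, SlicPresent True and LicenseStatus Notification with StatusReason 0xC004F056, and the remedy is the one the answer gives: restore the OEM image or install a retail key, rather than re-running slmgr /ato.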