Windows 7 Showing as Not Genuine Anymore- Identified Virus- What to do?

Question
Hi,
About a week ago I went to a website that I believe caused my computer to get a virus after clicking on a video. I believe this type of trojan has allowed a remote attacker to compromise the Windows 7 system as well as the ESET security system I have. My computer immediately shut down, and some days later I began to get 2 types of error messages.
The first type were warnings that Windows was not authentic and that I need to resolve the issue. After 3 days my computer began to show on the desktop: "Windows 7, Build 7601, This copy of Windows is not genuine.", in addition to an error message that says "You May Be A Victim of Software Counterfeiting...", with a link to "resolve the issue." I have had my computer for 3 years, purchased with Windows 7 Home Premium 2009 Service from the manufacturer (Dell).
The second type of errors were messages that I need to check Windows security updates. I was unable to install the Security Update for Microsoft .NET Framework 4 (KB2633870 and KB2656351), which is supposed to help protect Windows 7 from being compromised by remote attacks. I got error codes 667 and 66A respectively for these updates.
I downloaded the Malwarebytes software today and 8 threats were found and quarantined. However, I am still getting the error messages and the desktop still shows the same "not genuine" message. Below I am including both the MGADiag Report and the Malwarebytes Quarantine Report (done before the MGADiag Report).
How do I restore my computer to normal?
Thanks!
MGADiag REPORT:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 50
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85132
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {4EE50A50-AEC6-4115-8A8C-4733F218607C}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110622-1506
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{4EE50A50-AEC6-4115-8A8C-4733F218607C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-GPDD4</PKey><PID>00371-868-0000007-85132</PID><PIDType>1</PIDType><SID>S-1-5-21-891040175-2667252672-388475644</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1545 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A13</Version><SMBIOSVersion major="2" minor="4"/><Date>20091023000000.000000+000</Date></BIOS><HWID>A11D3407018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>WN09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
Activation ID: b92e9980-b9d5-4821-9c94-140f632f6312
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00170-868-000000-03-1033-7601.0000-0162012
Installation ID: 011062100942711302865030406175889924204400544463048735
Partial Product Key: GPDD4
License Status: Notification
Notification Reason: 0xC004F056.
Remaining Windows rearm count: 4
Trusted time: 2/18/2012 2:02:24 AM
Please use slmgr.vbs /ato to activate and update KMS client information in order to update values.
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE7
HealthStatus: 0x0000000000000000
Event Time Stamp: 1:12:2012 07:40
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: MAAAAAIAAQABAAIAAAABAAAAAgABAAEAeqhmcafHsA7aM0DaKB92DlRthNFqKEbK
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name   OEMID Value   OEMTableID Value
APIC              DELL          WN09
FACP              DELL          WN09
HPET              DELL          WN09
MCFG              DELL          WN09
SLIC              DELL          WN09
SSDT              PmRef         CpuPm

MALWAREBYTES LOG:
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 573665
Time elapsed: 3 hour(s), 6 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{fe5b2d9d-91b0-b04b-ac20-14a260769687} (Adware.ColorSoft) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3be2f656-ff20-1afb-ad18-198d548e0a1a} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKCR\CLSID\{3be2f656-ff20-1afb-ad18-198d548e0a1a} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3BE2F656-FF20-1AFB-AD18-198D548E0A1A} (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Update System (Backdoor.IRCBot) -> Data: C:\Users\Kala\AppData\Roaming\taskmgr.exe -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|Windows Update System (Trojan.Backdoor) -> Data: C:\Users\Kala\AppData\Roaming\taskmgr.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
G:\michael\dark-fantasy.exe (Adware.Relevant) -> Quarantined and deleted successfully.
G:\michael\glassedtoo.exe (Adware.Relevant) -> Quarantined and deleted successfully.
(end)
Saturday, February 18, 2012 7:21 AM
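The Malwarebytes log in the post shows the two persistence points the backdoor used: a Run value and a Windows Firewall authorised-application entry, both pointing at a taskmgr.exe under the user's AppData\Roaming. The PowerShell triage script below is an added example, not something from the post or from Malwarebytes. It enumerates those locations (plus the Windows 7 FirewallRules key) and flags entries whose executable lives under a user profile or borrows a system binary's name outside %SystemRoot%, which is the pattern both quarantined values match. The registry paths checked, the list of system binary names and the path heuristics are the example's own choices.

```powershell
# Added triage script (not from the original post). It walks the persistence
# locations Malwarebytes flagged: the per-user and machine Run keys and the
# legacy Windows Firewall "AuthorizedApplications" list, plus the Windows 7
# FirewallRules key, and reports entries whose executable lives under a user
# profile or carries a system binary's name (taskmgr.exe) outside %SystemRoot%.
# Key paths and the name list are assumptions about where to look.
# Windows PowerShell 2.0 syntax (ships with Windows 7); run as Administrator.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$fwKeys = @(
    "$fwBase\StandardProfile\AuthorizedApplications\List",
    "$fwBase\DomainProfile\AuthorizedApplications\List",
    "$fwBase\FirewallRules"
)

# Windows binaries that should only ever run from under %SystemRoot%.
$systemNames = @('taskmgr.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'explorer.exe', 'winlogon.exe')
$sysRoot = $env:SystemRoot

function Get-ExePath([string]$value) {
    # Pull the first *.exe path out of a Run or firewall value; such values may
    # be quoted, carry arguments, or (firewall) look like "path:*:Enabled:Name".
    if ($value -match '([A-Za-z]:\\[^"|:*?<>]+?\.exe)') { return $matches[1] }
    return $null
}

function Test-Suspicious([string]$exe) {
    if (-not $exe) { return $false }
    $leaf = [IO.Path]::GetFileName($exe).ToLower()
    $inProfile  = $exe -match '\\Users\\[^\\]+\\AppData\\|\\Users\\[^\\]+\\(Local Settings|Application Data)\\|\\Temp\\'
    $fakeSystem = ($systemNames -contains $leaf) -and ($exe -notlike "$sysRoot\*")
    return ($inProfile -or $fakeSystem)
}

$findings = @()
foreach ($key in $runKeys + $fwKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        # Firewall entries may keep the path in the value name, Run keys in the data.
        foreach ($candidate in @($p.Name, [string]$p.Value)) {
            $exe = Get-ExePath $candidate
            if (Test-Suspicious $exe) {
                $findings += New-Object PSObject -Property @{
                    Key    = $key
                    Name   = $p.Name
                    Exe    = $exe
                    Exists = Test-Path -LiteralPath $exe   # quarantined file may already be gone
                }
                break
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No suspicious Run/firewall entries found.' }
else { $findings | Format-Table Key, Name, Exe, Exists -AutoSize -Wrap }
```

An entry that still exists after a quarantine run means the dropper has re-created it; an entry whose file is missing is the leftover value the scanner did not clean. Either way, the next step is to collect the binary (if present) and the associated firewall rule before deleting them, since the firewall entry is what let the bot's outbound IRC connection through.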
Answers
"mekeda7" wrote in message news:c9d53591-8b62-46ab-9931-54f340be9fd6...
Hi,
for 3 years, purchased with Windows 7 Home Premium 2009 Service from the manufacturer (Dell).
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 50
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****
Windows Product Key Hash: xgsndMkYdJsYmUng0qIJ/thx+HI=
Windows Product ID: 00371-868-0000007-85132
Windows Product ID Type: 1
Windows License Type: KMS Client
Windows OS version: 6.1.7601.2.00010100.1.0.048
Other data-->
SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1545 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A13</Version><SMBIOSVersion major="2" minor="4"/><Date>20091023000000.000000+000</Date></BIOS
Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, VOLUME_KMSCLIENT channel
Partial Product Key: GPDD4
License Status: Notification
Notification Reason: 0xC004F056.
Remaining Windows rearm count: 4
Trusted time: 2/18/2012 2:02:24 AM
Please use slmgr.vbs /ato to activate and update KMS client information in order to update values.
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE7
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
The installed OS is Win 7 Pro – not Home Premium – using a KMS License.

KMS Licenses are Volume licenses and require periodic connection to the appropriate server to reactivate against that server. The server is run by the owner of the license, and must have at least 25 machines activated against it.

If you are not a member of such an organisation, then you are not entitled to use a KMS license, and the install is a counterfeit. In this case, you must revert back to the original supplied OS using the manufacturer's Recovery media, or purchase a Full Retail license for Pro, and swap the Key into the system.

If you are a member of such an organisation, you should check with your System Administrator – and they will assist.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
Marked as answer by Darin Smith MS, Monday, February 20, 2012 10:04 PM
Saturday, February 18, 2012 10:23 AM (Moderator)
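The answer's diagnosis rests on three fields of the MGADiag report: the licence channel (VOLUME_KMSCLIENT), the licence status (Notification, reason 0xC004F056) and the OEM Activation 2.0 marker in the Dell BIOS. The script below is an added example, not part of Noel Paton's answer; it pulls the same facts from the SoftwareLicensingProduct and SoftwareLicensingService WMI classes that slmgr.vbs and MGADiag read, decodes them, and prints the answer's verdict when a volume KMS channel shows up on a non-domain machine with an OEM BIOS marker. The property names are the documented WMI ones; the decode tables, the verdict logic and the placeholder key in the trailing comments are the example's own assumptions.

```powershell
# Added example, not part of the answer. Reproduces the "Licensing Data" and
# "OEM Activation 2.0" checks from the report via WMI so the channel mismatch
# (volume KMS client on a Dell OEM machine) can be confirmed on the box itself.
# LicenseStatus, LicenseStatusReason, Description, PartialProductKey,
# RemainingWindowsReArmCount, OA2xBiosMarkerStatus and PartOfDomain are WMI
# properties; the decode tables and verdict are this example's own assumptions.
# Windows PowerShell 2.0 syntax; run from an elevated prompt.

$statusNames = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace period (OOB)'
    3 = 'Additional grace period (OOT)'; 4 = 'Non-genuine grace period'
    5 = 'Notification'; 6 = 'Extended grace period'
}
# A few Software Licensing Service HRESULTs worth recognising (keys as hex text
# because a 0xC004F056 literal would not compare equal to the uint32 WMI returns).
$reasonNames = @{
    'C004F056' = 'could not be activated using the Key Management Service (KMS)'
    'C004F009' = 'grace period expired'
    'C004F00F' = 'hardware ID binding is beyond the level of tolerance'
}

# Application ID shared by Windows licences (the one shown in the report above).
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$product = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
    Select-Object -First 1
if (-not $product) { throw 'No Windows product with an installed key was found.' }

$svc = Get-WmiObject -Class SoftwareLicensingService
$cs  = Get-WmiObject -Class Win32_ComputerSystem

# Description reads like "... Windows(R) 7, VOLUME_KMSCLIENT channel".
$channel = 'unknown'
if ($product.Description -match '(\S+) channel') { $channel = $matches[1] }

$reasonHex  = '{0:X8}' -f [uint32]$product.LicenseStatusReason
$reasonText = $reasonNames[$reasonHex]
if (-not $reasonText) { $reasonText = 'not in this script''s table' }

New-Object PSObject -Property @{
    Name            = $product.Name
    Channel         = $channel
    PartialKey      = $product.PartialProductKey
    LicenseStatus   = "$($product.LicenseStatus) ($($statusNames[[int]$product.LicenseStatus]))"
    StatusReason    = "0x$reasonHex ($reasonText)"
    RearmsRemaining = $svc.RemainingWindowsReArmCount
    OemBiosMarker   = $svc.OA2xBiosMarkerStatus   # non-zero when an OA 2.0 SLIC marker is present
    DomainJoined    = $cs.PartOfDomain
} | Format-List

# Verdict in the answer's terms: a volume KMS client only makes sense on a
# machine that belongs to an organisation running its own KMS host.
if ($channel -like 'VOLUME_KMS*' -and -not $cs.PartOfDomain -and $svc.OA2xBiosMarkerStatus) {
    Write-Warning ('Volume KMS channel on a non-domain machine with an OEM BIOS marker: ' +
                   'the installed Windows does not match the OEM licence the machine shipped with.')
}

# The answer's second option, once a legitimately purchased key is in hand
# (XXXXX-... is a placeholder, not a real key). The recovery-media route needs no script.
#   cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
#   cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /ato
#   cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv
```

Two caveats a practitioner would want: LicenseStatusReason is the code MGADiag prints as "Notification Reason", so comparing it as formatted hex text avoids the signed/unsigned mismatch that a bare hex literal produces in Windows PowerShell; and on a machine that has already been rolled back with OEM recovery media the channel field will read OEM_SLP (or OEM_COA_NSLP after a COA key swap) rather than VOLUME_KMSCLIENT, which is the quickest way to confirm the reinstall took.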