Windows 7 Genuine Problem After Cleaning Malware

  • Question

  • I had a malware infection last week that caused my PC to crash.  After much effort, I believe I have a clean system but am now having system issues.  I keep getting a notice saying my Windows 7 is not genuine (it is) and I get error messages when I run System Restore or System Backup.  I know this forum is about Genuine Windows issues so I'll start there.  Thanks for the help.

    Diagnostic Report (1.9.0027.0):

    -----------------------------------------

    Windows Validation Data-->


    Validation Code: 0x8004FE21

    Cached Online Validation Code: 0x0

    Windows Product Key: *****-*****-YWFW3-RMKWQ-2HQ9G

    Windows Product Key Hash: OwPxlW9OXfJBmrpPfL9URWrUSzo=

    Windows Product ID: 00426-292-7501744-85367

    Windows Product ID Type: 5

    Windows License Type: Retail

    Windows OS version: 6.1.7601.2.00010100.1.0.001

    ID: {6842223C-9127-4B33-AB6B-F1FABD9F50D5}(3)

    Is Admin: Yes

    TestCab: 0x0

    LegitcheckControl ActiveX: N/A, hr = 0x80070002

    Signed By: N/A, hr = 0x80070002

    Product Name: Windows 7 Ultimate

    Architecture: 0x00000009

    Build lab: 7601.win7sp1_rtm.101119-1850

    TTS Error: 

    Validation Diagnostic: 

    Resolution Status: N/A


    Vista WgaER Data-->

    ThreatID(s): N/A, hr = 0x80070002

    Version: N/A, hr = 0x80070002


    Windows XP Notifications Data-->

    Cached Result: N/A, hr = 0x80070002

    File Exists: No

    Version: N/A, hr = 0x80070002

    WgaTray.exe Signed By: N/A, hr = 0x80070002

    WgaLogon.dll Signed By: N/A, hr = 0x80070002


    OGA Notifications Data-->

    Cached Result: N/A, hr = 0x80070002

    Version: N/A, hr = 0x80070002

    OGAExec.exe Signed By: N/A, hr = 0x80070002

    OGAAddin.dll Signed By: N/A, hr = 0x80070002


    OGA Data-->

    Office Status: 100 Genuine

    Microsoft Expression Web 2 - 121

    OGA Version: N/A, 0x80070002

    Signed By: N/A, hr = 0x80070002

    Office Diagnostics: 7E90FEE8-198-80004005_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3


    Browser Data-->

    Proxy settings: N/A

    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)

    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe

    Download signed ActiveX controls: Prompt

    Download unsigned ActiveX controls: Disabled

    Run ActiveX controls and plug-ins: Allowed

    Initialize and script ActiveX controls not marked as safe: Disabled

    Allow scripting of Internet Explorer Webbrowser control: Disabled

    Active scripting: Allowed

    Script ActiveX controls marked as safe for scripting: Allowed


    File Scan Data-->

    File Mismatch: C:\Windows\system32\sppcext.dll[Hr = 0x800b0100]

    File Mismatch: C:\Windows\system32\en-US\slui.exe.mui[Hr = 0x80092003]

    File Mismatch: C:\Windows\system32\sppcommdlg.dll[Hr = 0x800b0100]


    Other data-->

    Office Details: <GenuineResults><MachineData><UGUID>{6842223C-9127-4B33-AB6B-F1FABD9F50D5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-2HQ9G</PKey><PID>00426-292-7501744-85367</PID><PIDType>5</PIDType><SID>S-1-5-21-3519206298-1893559416-1398785597</SID><SYSTEM><Manufacturer>NVIDIA</Manufacturer><Model>NFORCE 680i LT SLI</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="4"/><Date>20070221000000.000000+000</Date></BIOS><HWID>D6AD3507018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0045-0000-0000-0000000FF1CE}"><LegitResult>121</LegitResult><Name>Microsoft Expression Web 2</Name><Ver>12</Ver><Val>5C75A1FD862B576</Val><Hash>cYq9KbAcKmw7RHHUxwPI1Qn9sa8=</Hash><Pid>78727-699-6506803-59881</Pid><PidType>0</PidType></Product></Products><Applications/></Office></Software></GenuineResults>  


    Spsys.log Content: 0x80070002


    Licensing Data-->

    Software licensing service version: 6.1.7601.17514


    Name: Windows(R) 7, Ultimate edition

    Description: Windows Operating System - Windows(R) 7, RETAIL channel

    Activation ID: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8

    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f

    Extended PID: 00426-00170-292-750174-00-1033-7601.0000-1072011

    Installation ID: 005811551921390894782486796190538946793781354693847633

    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338

    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339

    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341

    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340

    Partial Product Key: 2HQ9G

    License Status: Licensed

    Remaining Windows rearm count: 4

    Trusted time: 5/5/2011 12:51:15 PM


    Windows Activation Technologies-->

    HrOffline: 0x8004FE21

    HrOnline: N/A

    HealthStatus: 0x0000000000004840

    Event Time Stamp: 5:5:2011 10:07

    ActiveX: Registered, Version: 7.1.7600.16395

    Admin Service: Registered, Version: 7.1.7600.16395

    HealthStatus Bitmask Output:

    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui

    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration

    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui



    HWID Data-->

    HWID Hash Current: MgAAAAIAAwABAAEAAQABAAAAAQABAAEAJJTMEY8qjrzmjZIATB9sm/7cje8K1njCKoU=


    OEM Activation 1.0 Data-->

    N/A


    OEM Activation 2.0 Data-->

    BIOS valid for OA 2.0: yes, but no SLIC table

    Windows marker version: N/A

    OEMID and OEMTableID Consistent: N/A

    BIOS Information: 

      ACPI Table Name OEMID Value OEMTableID Value

      APIC Nvidia NVDAACPI

      FACP Nvidia NVDAACPI

      HPET Nvidia NVDAACPI

      MCFG Nvidia NVDAACPI

      WDRT Nvidia NVDAACPI


    Thursday, May 5, 2011 7:54 PM
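
A triage helper for the diagnostic report in the question, added here as an example (not part of the original thread and not a Microsoft tool): it pulls the File Mismatch and Tampered File entries out of the report and splits each HRESULT into its facility and code fields. The function names are hypothetical, the sample input is a constructed excerpt of the report above, and the HRESULT names are the standard winerror.h ones.

```python
import re

# Constructed sample: the relevant lines copied from the diagnostic report above.
REPORT = r"""
Validation Code: 0x8004FE21
File Mismatch: C:\Windows\system32\sppcext.dll[Hr = 0x800b0100]
File Mismatch: C:\Windows\system32\en-US\slui.exe.mui[Hr = 0x80092003]
File Mismatch: C:\Windows\system32\sppcommdlg.dll[Hr = 0x800b0100]
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
"""

# Standard winerror.h names; any code not listed here is reported as "unknown".
KNOWN = {
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x80092003: "CRYPT_E_FILE_ERROR",
    0x80070002: "HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)",
}

def decode_hresult(value):
    """Split an HRESULT into its failure bit, 11-bit facility and 16-bit code."""
    return {
        "failed": bool(value >> 31),
        "facility": (value >> 16) & 0x7FF,
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }

MISMATCH = re.compile(r"^\s*File Mismatch:\s*(.+?)\[Hr = (0x[0-9A-Fa-f]+)\]\s*$", re.M)
TAMPERED = re.compile(r"^\s*Tampered File:\s*(.+?)\s*$", re.M)

def triage(report):
    """Return the File Scan mismatches and the files listed as tampered."""
    mismatches = [(path, decode_hresult(int(hr, 16))) for path, hr in MISMATCH.findall(report)]
    tampered = []
    for entry in TAMPERED.findall(report):
        base, *related = entry.split("|")  # first field is the file, the rest are related items
        tampered.append({"file": base, "related": related})
    return {"mismatches": mismatches, "tampered": tampered}

if __name__ == "__main__":
    result = triage(REPORT)
    for path, hr in result["mismatches"]:
        print(f"{path}: {hr['name']} (facility {hr['facility']}, code {hr['code']:#x})")
    for item in result["tampered"]:
        print(f"flagged: {item['file']} (+ {', '.join(item['related'])})")
```
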

Answers

  • Hello Keegen,

     

      At this point you can try a System Restore back to a Restore Point before the issue occurred. 

    1) Click the Start button
    2) In the Start Search field, type: System Restore and hit “Enter”
    3) Select "Choose Different Restore Point", put a check in the box that says "Show restore points older than 5 days", and select the restore point that corresponds to the date before you first noticed the issue.
    4) Click the "Next" button.
    5) Reboot and see if that resolves the issue.

     

    If that doesn't work, I would recommend contacting Microsoft Assisted Support at one of the below URLs:

    North America: http://support.microsoft.com/contactus/cu_sc_genadv_master?ws=support&ws=support#tab4

    Outside North America:
    http://support.microsoft.com/contactus/?ws=support#tab0

     

    Thank you,


    Darin MS
    Monday, May 9, 2011 10:00 PM

All replies

  • Whoa!  Sorry about the large type, not sure what happened with copy and paste. :-)
    Thursday, May 5, 2011 7:56 PM
  • Try running the system file checker to repair the tampered files. 

    Click Start, type 'cmd' in the Search/Run box, and right click on the CMD icon at the top of the results pane.  Select Run as Administrator.  When the cmd window opens type 'sfc /scannow' at the prompt and hit Enter.  When the scan completes close the cmd window. 


    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.
    Thursday, May 5, 2011 8:45 PM
    Answerer
  • Ran System file checker and it came back with this.

    "Window Resource Protection found corrupt files but was unable to fix them."

    Thursday, May 5, 2011 9:20 PM
  • When I run System Restore I just get an error message saying that it's not functioning correctly and says:

    "A Volume Shadow Copy Service component encountered an unexpected error"

    I will contact MS Support but I'm guessing in the end they will have me reinstall. :-(

    Thanks for your help.

    Tuesday, May 10, 2011 1:33 AM