Solved Windows Activation Technologies Pop-up

[tjg79]

Windows Activation Technologies Pop-up - VIRUS

I just started getting the pop-up depicted below. I haven't made any changes to my system in months.

User Account Control - Do you want to allow the following program to make
changes to this computer?

Is anyone getting this?



I'm reluctant to click yes.

Regards

 

[Layback Bear]

Check and see if your system has KB971033 installed.
It might be asking to install KB971033 which your Windows 7 should have.

 

[Callender]

I don't get that pop up but UAC is off. (Not recommended) - I use an alternative to UAC.

If UAC was switched on I'd expect to see that pop up every 3 months (90 days)

Check scheduled tasks and you can see details. On my machine it last ran on 11th September.

​

Other logs show the same date:

​

​

 

[tjg79]

I think I was hit with a virus. I ultimately clicked yes, because it kept popping up and then the fun started. Now I'm trying to clean my system.



I clicked "Delete," but now I get the small pop-up every time I reboot.

Does anyone know a solution to clean this up?

Does anyone recognized that file and path? I did a Google, but nothing came up.

I'm considering going into the registry and deleting all references to it.

 

[tjg79]

SuperAntiSpyware detected a Trojan.

 

[Callender]

I don't believe that the two are related. Your first screenshot shows UAC asking to allow:

"C:\Windows\System32\Wat\WatAdminSvc.exe"

That is a legitimate process.

ESET has detected something else.

I'm not a malware removal expert exactly but if you like you can download and run UVK then scan and create a log.

Also you could navigate to C:\Users\TJG\AppData\Roaming\Gayux\Devod.dll and check the file information.

If you decide to download UVK - install it and from the welcome screen choose "Scan and create log" then upload the result.

 

[tjg79]

I suspect the two are related. I just deleted that directory in the users folder. Now I'm going to a complete disk clean-up and reboot to see what happens.

 

[Layback Bear]

You never did answer the question I asked in post #2

Check and see if your system has KB971033 installed.

 

[Callender]

Okay so upload "C:\Windows\System32\Wat\WatAdminSvc.exe" to virus total and see if it is the leigitimate file from microsoft or an imposter.

​

 

[Callender]

UVK log will show any unsigned running processes. Problem files can be removed with a script. Alternatively try this tutorial:

http://www.sevenforums.com/tutorial...er-virustotal-check-all-processes-50-avs.html

 

[Layback Bear]

watadminsvc.exe

Windows Activation Technologies Service - WatAdminSvc.exe - Program Information

 

[tjg79]

You never did answer the question I asked in post #2

Check and see if your system has KB971033 installed.

Installed 14 Mar 2015

 

[tjg79]

Okay so upload "C:\Windows\System32\Wat\WatAdminSvc.exe" to virus total and see if it is the leigitimate file from microsoft or an imposter.

View attachment 373158
​

View attachment 373159

I checked the file with my ESET Smart Security 8 and SuperAntiSpyware Pro. I also checked the properties and it appears to be digitally signed by Microsoft.

I'm not familiar with Virus Total. Is it on my system?

Other than that the file appears to be good.

The main issues I'm experiencing at the moment are that when I click on any folder or the start menu button, the system is very sluggish to respond and extremely slow when navigating between different folders. Also, when I do a shutdown, I see a webpage that the system is or has tried to connect to. It appears to be an adware type virus from hell. Also, my ESET Smart Security 8 is giving me lots of alerts about blocking the address in the picture below. So, what ever is on this system still has a remnant that wants to connect to that address.



I've started a re-indexing for Windows Explorer and I did a SFC /SCANNOW. There were no issues with the SFC.

This was definitely a virus attack.

 

[tjg79]

I don't believe that the two are related. Your first screenshot shows UAC asking to allow:

"C:\Windows\System32\Wat\WatAdminSvc.exe"

That is a legitimate process.

ESET has detected something else.

I'm not a malware removal expert exactly but if you like you can download and run UVK then scan and create a log.

Also you could navigate to C:\Users\TJG\AppData\Roaming\Gayux\Devod.dll and check the file information.

If you decide to download UVK - install it and from the welcome screen choose "Scan and create log" then upload the result.

I'm downloading UVK now.

The UVK log file is over 2MB.

UVK - Ultra Virus Killer Log.txt

You can download the UVK log file from the file drop site on the link above.

Let me know if you see something.

Regards

 

[NoelDP]

14 posts and NO MGADiag??
SHAME ON YOU!

ESET has been known to flag the WAT tools in the past - it's a false positive, but semi-legitimate, since the tool will phone home every so often to pick up the latest definitions.

Please follow this tutorial and post an MGADiag report - then we can see what the problem is.

http://www.sevenforums.com/windows-...ne-activation-issue-posting-instructions.html

Ignore errors produced when clicking on the Copy button - they simply mean that the tool could not create the backup files for some reason. The data is still copied to the clipboard for pasting to your response.

Please also state the Version and Edition of Windows quoted on your COA sticker (if you have one) on the case of your machine (or inside the battery compartment), but do NOT quote the Key on the sticker!
https://www.microsoft.com/en-gb/howtotell/Hardware.aspx#PCPurchase

 

[tjg79]

It's a virus, but I'm not sure it's been completely removed, because the system doesn't behave as if the virus is completely removed. I downloaded and ran the Microsoft Safety Scanner for my Win 7 Pro x64 system. The MS Safety Scanner detected a Trojan Dynamater virus. I'm not sure about the spelling. The symptoms were constant downloading of temp files, very sluggish system when attempting to navigate between different folders in Windows Explorer. Windows Task Manger indicated significantly higher than normal system resource utilization, cpu and memory. Presently, I'm running ESET Smart Security 8 Smart Scan. It doesn't appear to be detecting anything yet and it's been running for an hour and twenty minutes. I don't know how long it will take to complete the ESET virus scan. I'm not sure if the virus software can scan the boot sectors. I will check the scan logs when the scan completes. This is a virus issue.

From the Certificate of Authenticity Sticker:
Windows 7 Pro OEM Software
FQC-04849 (the 8 could be a 6, the print is illegible)
X16-93649
00180-451-841-077

The ESET Smart Security 8 Smart Scan completed, but the scan logs indicate that it had errors when attempting to open the boot sectors of C:\, D:\, E:\, & O:\. Therefore, I don't think ESET SS 8 successfully scanned the boot sectors and I suspect this virus is hiding in the boot sectors and will reload when I reboot.

Diagnostic Report 
(1.9.0027.0):
-----------------------------------------
Windows Validation 
Data-->

 
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product 
Key: *****-*****-9CBQQ-CBRDX-4VBW4
Windows Product Key Hash: 
4o79yMzf+5/lHKmwIiotxng2nPc=
Windows Product ID: 
00371-OEM-9045181-41077
Windows Product ID Type: 3
Windows License Type: 
OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: 
{88569B0E-21CB-4760-A2CC-9595DA52037D}(3)
Is Admin: Yes
TestCab: 
0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: 
Microsoft
Product Name: Windows 7 Professional
Architecture: 
0x00000009
Build lab: 7601.win7sp1_gdr.150722-0600
TTS Error: 

Validation Diagnostic: 
Resolution Status: N/A

 
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, 
hr = 0x80070002

 
Windows XP Notifications Data-->
Cached Result: N/A, hr = 
0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe 
Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 
0x80070002

 
OGA Notifications Data-->
Cached Result: N/A, hr = 
0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 
0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

 
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 
2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 
0x80070002
Office Diagnostics: 
77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

 
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 
(compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet 
Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download 
unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: 
Allowed
Initialize and script ActiveX controls not marked as safe: 
Disabled
Allow scripting of Internet Explorer Webbrowser control: 
Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe 
for scripting: Allowed

 
File Scan Data-->

 
Other data-->
Office Details: 
<GenuineResults><MachineData><UGUID>{88569B0E-21CB-4760-A2CC-9595DA52037D}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-4VBW4</PKey><PID>00371-OEM-9045181-41077</PID><PIDType>3</PIDType><SID>S-1-5-21-764048772-141219837-185285450</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>DX58SO__</Model></SYSTEM><BIOS><Manufacturer>Intel 
Corp.</Manufacturer><Version>SOX5810J.86A.5600.2013.0729.2250</Version><SMBIOSVersion 
major="2" 
minor="5"/><Date>20130729000000.000000+000</Date></BIOS><HWID>92BD3107018400F4</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern 
Standard 
Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product 
GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft 
Office Professional 
2007</Name><Ver>12</Ver><Val>1B16FCA35E8C714</Val><Hash>Ox0izo7MjcnLKUdV4ul5G/4OhBY=</Hash><Pid>81605-906-5273533-65430</Pid><PidType>1</PidType></Product></Products><Applications><App 
Id="15" Version="12" Result="100"/><App Id="16" Version="12" 
Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" 
Version="12" Result="100"/><App Id="1A" Version="12" 
Result="100"/><App Id="1B" Version="12" 
Result="100"/></Applications></Office></Software></GenuineResults>  


 
Spsys.log Content: 0x80070002

 
Licensing Data-->
Software licensing service version: 
6.1.7601.17514

 
Name: Windows(R) 7, Professional edition
Description: Windows Operating 
System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: 
e120e868-3df2-464a-95a0-b52fa5ada4bf
Application ID: 
55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 
00371-00180-451-841077-02-1033-7601.0000-0732015
Installation ID: 
012201651040681403614155510252839633960930028731337932
Processor Certificate 
URL: [url=http://go.microsoft.com/fwlink/?LinkID=88338]SpcService Web Service[/url]
Machine 
Certificate URL: [url=http://go.microsoft.com/fwlink/?LinkID=88339]RacService Web Service[/url]
Use 
License URL: [url=http://go.microsoft.com/fwlink/?LinkID=88341]UseLicenseService Web Service[/url]
Product 
Key Certificate URL: [url=http://go.microsoft.com/fwlink/?LinkID=88340]PkcService Web Service[/url]
Partial 
Product Key: 4VBW4
License Status: Licensed
Remaining Windows rearm count: 
3
Trusted time: 08-Oct-15 09:26:18

 
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 
0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 9:11:2015 
06:15
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: 
Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:

 

HWID Data-->
HWID Hash Current: 
MgAAAAMAAAABAAEAAQADAAAAAQABAAEACrYw0kNG2mNsQ1D3xOAOLEaUnJ+9IKaegig=

 
OEM Activation 1.0 Data-->
N/A

 
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC 
table
Windows marker version: N/A
OEMID and OEMTableID Consistent: 
N/A
BIOS Information: 
  ACPI Table Name OEMID 
Value OEMTableID Value
  APIC   INTEL 
  DX58SO  
  FACP   INTEL 
  DX58SO  
  HPET   INTEL 
  DX58SO  
  MCFG   INTEL 
  DX58SO  
  WDDT   INTEL 
  DX58SO  
  ASF!   INTEL 
  DX58SO  
  SSDT   INTEL 
  SSDT  PM
  DMAR   INTEL 
  DX58SO  
  WDTT   INTEL 
  DX58SO  
  ASPT   INTEL 
  PerfTune

 

[Layback Bear]

Posting the MGADiag log as Noel has requested after your security scan will let Noel see if your infection has effected your MGADiag.

Please complete the instruction Noel has given.

 

[tjg79]

Do you need any additional information?

 

[Callender]

I looked at your log. Can you confirm what is in this folder?

C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}

 

[Callender]

Will check here later!