Copy of Windows not genuine after trying to remove malware


  1. Posts : 81
    Windows 7 Home Premium 64bit
       #1

    Copy of Windows not genuine after trying to remove malware


    Hello, yesterday I inadvertently started to install the malware from Web Protect for Windows. I ended the installation, after my Ad-Aware Antivirus flagged and deleted files, but it had already altered my Internet Explorer 11, but not my Firefox. I have run Malware Bytes, Super Antispyware, and CCleaner several times each and they removed several things. The program is still in my Programs List and if I try to uninstall it, it acts like it is trying to install. I tried running a system restore, but it fails saying a program, likely an antivirus is preventing it from completing. I tried turning off Ad-aware and turning on Windows Defender, but got the same message. For some reason only 2 restore points are listed for 9/23/14, all others are gone...

    I tried following the removal guide here: How Do I Fully Remove Web Protect Adware
    but didn't find most of the files it said to remove, probably because the program did not install all the way. I did find one folder (Web Protect or something similar) with a lot of stuff in it, including the install and uninstall files, and deleted it.
    However, I cannot access some of the folders (%documents and settings) even though I am logged in as Administrator. Also, I could not find the items in the Registry it says to remove either.

    I did find two files under Windows\System32 that looked suspicious to me, as they were last modified 9/23/14 around the same time I got the malware and I deleted them to the recycle bin. They are C7483456-A289-439d-8115-601632D00A0 files.

    This morning my desktop background is black with little white text saying my copy of windows is not genuine, and I get periodic messages about it. I looked online and it looks like those 2 files are windows validation files or something, so I tried to restore them. The recycle bin tells me those files already exist and asks if I want to overwrite. When I say yes it says I don't have permission and then does nothing.

    I still don't know for sure if the malware is still on the computer, though my anti-spyware programs aren't detecting anything anymore.


    How can I fix this problem? I'm more concerned that I messed up Windows than about the malware now.

    Thanks in advance.

    Code:
     
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Code: 50
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-4RVXF-PQP4J-BWDHH
    Windows Product Key Hash: lS7hgeoUdDL3nInpjzl7Q6VHFIk=
    Windows Product ID: 00359-035-0060177-85623
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {0CEB0965-F327-4BF9-A459-0496B11682A1}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.140303-2144
    TTS Error: T:20140924092619549-
    Validation Diagnostic: 
    Resolution Status: N/A
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Standard Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    File Scan Data-->
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{0CEB0965-F327-4BF9-A459-0496B11682A1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BWDHH</PKey><PID>00359-035-0060177-85623</PID><PIDType>5</PIDType><SID>S-1-5-21-1902672100-1416066333-2091083124</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3012</Version><SMBIOSVersion major="2" minor="6"/><Date>20120120000000.000000+000</Date></BIOS><HWID>C42D3807018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>23C913F125F806A</Val><Hash>DpLHsltKjzAE8lsvgb8CfZydRcw=</Hash><Pid>70141-053-8592254-56258</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>  
    Spsys.log Content:
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    Error: product key not found.
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 8:20:2014 09:10
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    
    HWID Data-->
    HWID Hash Current: NAAAAAIAAwABAAEAAQABAAAAAgABAAEAln3q9IgudxasixpdeBk6yUiBDqe84m+nGJgucw==
    OEM Activation 1.0 Data-->
    N/A
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      BGRT   ALASKA  A M I
    Last edited by Terrek; 24 Sep 2014 at 10:00. Reason: Adding MGADiag Report


  2. Posts : 1,810
    Dual Boot: Windows 8.1 & Server 2012r2 VMs: Kali Linux, Backbox, Matriux, Windows 8.1
       #2

    Hello, welcome to Sevenforums!

    Just for fun, can you run an sfc scan?

    1. Click on the Start button and in the search box, type Command Prompt
    2. When you see Command Prompt on the list, right-click on it and select Run as administrator
    3. When command prompt opens, copy and paste the following commands into it, press enter after each

      sfc /scannow

      Wait for this to finish before you continue

      copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt
    4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.

    Also, I would try either calling Microsoft to re-activate or follow the instructions on the link below:
    Do You Know How To Check Windows Is Genuine Or Not?


  3. Posts : 81
    Windows 7 Home Premium 64bit
    Thread Starter
       #3

    Hi Gator, thanks for your reply. While the command prompt was completing I followed Method 1 of the guide you posted and re-entered my product key. It told me it was not genuine still, but took me online to validate it. This seems to have worked, as it took me to the offer page for Microsoft Security Essentials and said since I was a valid user I get free access. My desktop is still black but the little message in the corner that said it was not genuine is gone. Hopefully everything is good now, but I attached the cbs.txt file just in case.


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #4

    Another suggestion.
    After doing what Gator suggested if the problem is still there try this.

    Use a restore point before you installed Ad-Aware antivirus.

    This tutorial by Brink should help.

    System Restore


    Then look and remove everything that has to do with Ad-Aware antivirus.

    Try their removal tool again. You might even have to do it in Safe Mode.

    How to uninstall | Lavasoft


    It is very difficult to remove all of any antivirus program.

    There are many choices of antivirus programs. You need to pick another one when this mess is cleaned up.

    I use MSE.

    Download Microsoft Security Essentials from Official Microsoft Download Center

    Because this is in your log you might have to reactivate your system by calling Microsoft.

    Software licensing service version: 6.1.7601.17514 Error: product key not found.



  5. Posts : 1,810
    Dual Boot: Windows 8.1 & Server 2012r2 VMs: Kali Linux, Backbox, Matriux, Windows 8.1
       #5

    Terrek said:
    Hi Gator, thanks for your reply. While the command prompt was completing I followed Method 1 of the guide you posted and re-entered my product key. It told me it was not genuine still, but took me online to validate it. This seems to have worked, as it took me to the offer page for Microsoft Security Essentials and said since I was a valid user I get free access. My desktop is still black but the little message in the corner that said it was not genuine is gone. Hopefully everything is good now, but I attached the cbs.txt file just in case.
    Go to Start > Right-click on Computer > Click Properties

    This will take you to an overview of your PC and OS; down at the bottom it has activation information. It should say "Windows is activated" with a product ID (which is not the same as your product key, technically).

    The black screen is just left over from the Windows Genuine warning. Simply change it back to whatever background you want.


  6. Posts : 81
    Windows 7 Home Premium 64bit
    Thread Starter
       #6

    Gator, Windows says it is activated now, so looks like that issue is fixed. Do you know if it would be safe to delete those C7483456-A289-439d-8115-601632D00A0 files from my recycle bin now? Thanks again.

    Layback Bear, thanks for the suggestion, but all my restore points prior to yesterday's date, 9/23/14, have vanished so I cannot restore to a point where I didn't have Ad-Aware. Checking the "show other restore points" box does nothing.
    Hopefully I don't need to do that anyway. Ad-Aware, Super Antispyware, Malwarebytes, and CCleaner are not detecting any more issues, so hopefully I managed to stop the Web Protect adware before it could fully do its thing.


  7. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #7

    Please post a new MGADiag report - this sequence of events seems a little strange to me, and I'm a bit concerned about the outcome. (Even if it looks OK currently, it could go bad again, without further investigation)


  8. Posts : 81
    Windows 7 Home Premium 64bit
    Thread Starter
       #8

    Here is the new report.

    Code:
     
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-4RVXF-PQP4J-BWDHH
    Windows Product Key Hash: lS7hgeoUdDL3nInpjzl7Q6VHFIk=
    Windows Product ID: 00359-035-0060177-85623
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {0CEB0965-F327-4BF9-A459-0496B11682A1}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.140303-2144
    TTS Error: T:20140924092619549-
    Validation Diagnostic: 
    Resolution Status: N/A
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Standard Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    File Scan Data-->
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{0CEB0965-F327-4BF9-A459-0496B11682A1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BWDHH</PKey><PID>00359-035-0060177-85623</PID><PIDType>5</PIDType><SID>S-1-5-21-1902672100-1416066333-2091083124</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3012</Version><SMBIOSVersion major="2" minor="6"/><Date>20120120000000.000000+000</Date></BIOS><HWID>C4653307018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>23C913F125F806A</Val><Hash>DpLHsltKjzAE8lsvgb8CfZydRcw=</Hash><Pid>70141-053-8592254-56258</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>  
    Spsys.log Content:
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00170-035-006017-01-1033-7601.0000-2672014
    Installation ID: 019373925475333946887116905894903020374161785616160203
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: BWDHH
    License Status: Licensed
    Remaining Windows rearm count: 5
    Trusted time: 9/27/2014 9:34:16 AM
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 9:24:2014 12:00
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    
    HWID Data-->
    HWID Hash Current: NAAAAAIAAwABAAEAAQABAAAAAgABAAEAln3q9IgudxasixpdeBk6yUiBDqe84m+nGJgucw==
    OEM Activation 1.0 Data-->
    N/A
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      SSDT   SataRe  SataTabl
      BGRT   ALASKA  A M I


  9. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #9

    Nope - that looks fine to me.
    The Tamper Timestamp (TTS) hasn't changed, which is a good sign that whatever caused the problem has probably gone now.


    Good luck!
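The comparison Noel makes above (validation result changed, TTS unchanged) can be automated. The script below is an added example, not code from the thread or from MGADiag: it parses two reports in the "Field: value" layout shown in the posts and lists which diagnostic fields differ; the embedded excerpts are constructed from the values in this thread, and the choice of fields to compare is my own.

```python
# Constructed excerpts in the MGADiag "Field: value" layout, using the values
# the thread shows before and after re-validation (trimmed, not full reports).
REPORT_BEFORE = """\
Diagnostic Report (1.9.0027.0):
Windows Validation Data-->
Validation Code: 50
Cached Online Validation Code: N/A, hr = 0xc004f012
TTS Error: T:20140924092619549-
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Error: product key not found.
"""

REPORT_AFTER = """\
Diagnostic Report (1.9.0027.0):
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
TTS Error: T:20140924092619549-
Licensing Data-->
Software licensing service version: 6.1.7601.17514
License Status: Licensed
"""

# Fields worth comparing between two reports (my selection, not MGADiag's).
KEY_FIELDS = ("Validation Code", "Cached Online Validation Code",
              "License Status", "Error", "TTS Error")


def parse_mgadiag(text):
    """Map 'Field: value' lines to a dict; section headers ('...-->') and
    blank lines are skipped. Splitting on the first ':' keeps values such as
    'T:2014...' intact. A repeated field keeps its last value."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith("-->"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diff_reports(before, after, fields=KEY_FIELDS):
    """Return {field: (old, new)} for fields whose value differs. A field
    missing from one report shows as None, so the disappearance of the
    'product key not found' error is reported rather than silently dropped."""
    a, b = parse_mgadiag(before), parse_mgadiag(after)
    return {f: (a.get(f), b.get(f)) for f in fields if a.get(f) != b.get(f)}


def tamper_timestamp_changed(before, after):
    """The thread's sanity check: an unchanged TTS value between the two
    reports means no new tamper event was recorded in between."""
    return (parse_mgadiag(before).get("TTS Error")
            != parse_mgadiag(after).get("TTS Error"))


if __name__ == "__main__":
    for field, (old, new) in diff_reports(REPORT_BEFORE, REPORT_AFTER).items():
        print(f"{field}: {old!r} -> {new!r}")
    print("TTS changed:", tamper_timestamp_changed(REPORT_BEFORE, REPORT_AFTER))
```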


  10. Posts : 81
    Windows 7 Home Premium 64bit
    Thread Starter
       #10

    Good to hear, thanks!

