Copy of Windows not genuine after trying to remove malware
Hello, yesterday I inadvertently started to install the malware from Web Protect for Windows. I ended the installation after my Ad-Aware Antivirus flagged and deleted files, but it had already altered my Internet Explorer 11, but not my Firefox. I have run Malware Bytes, Super Antispyware, and CCleaner several times each and they removed several things. The program is still in my Programs List and if I try to uninstall it, it acts like it is trying to install. I tried running a system restore, but it fails, saying a program, likely an antivirus, is preventing it from completing. I tried turning off Ad-aware and turning on Windows Defender, but got the same message. For some reason only 2 restore points are listed for 9/23/14, all others are gone...
I tried following the removal guide here: How Do I Fully Remove Web Protect Adware, but didn't find most of the files it said to remove, probably because the program did not install all the way. I did find one folder (Web Protect or something similar) with a lot of stuff in it, including the install and uninstall files, and deleted it.
However, I cannot access some of the folders (%documents and settings) even though I am logged in as Administrator. Also, I could not find the items in the Registry it says to remove either.
I did find two files under Windows\System32 that looked suspicious to me, as they were last modified 9/23/14 around the same time I got the malware and I deleted them to the recycle bin. They are C7483456-A289-439d-8115-601632D00A0 files.
This morning my desktop background is black with little white text saying my copy of Windows is not genuine, and I get periodic messages about it. I looked online and it looks like those 2 files are Windows validation files or something, so I tried to restore them. The recycle bin tells me those files already exist and asks if I want to overwrite. When I say yes, it says I don't have permission and then does nothing.
I still don't know for sure if the malware is still on the computer, though my anti-spyware programs aren't detecting anything anymore.
How can I fix this problem? I am more concerned that I messed up Windows than about the malware now.
Thanks in advance.
Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 50
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-4RVXF-PQP4J-BWDHH
Windows Product Key Hash: lS7hgeoUdDL3nInpjzl7Q6VHFIk=
Windows Product ID: 00359-035-0060177-85623
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {0CEB0965-F327-4BF9-A459-0496B11682A1}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.140303-2144
TTS Error: T:20140924092619549-
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Standard Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{0CEB0965-F327-4BF9-A459-0496B11682A1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BWDHH</PKey><PID>00359-035-0060177-85623</PID><PIDType>5</PIDType><SID>S-1-5-21-1902672100-1416066333-2091083124</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3012</Version><SMBIOSVersion major="2" minor="6"/><Date>20120120000000.000000+000</Date></BIOS><HWID>C42D3807018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>23C913F125F806A</Val><Hash>DpLHsltKjzAE8lsvgb8CfZydRcw=</Hash><Pid>70141-053-8592254-56258</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content:

Licensing Data-->
Software licensing service version: 6.1.7601.17514
Error: product key not found.

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 8:20:2014 09:10
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:

HWID Data-->
HWID Hash Current: NAAAAAIAAwABAAEAAQABAAAAAgABAAEAln3q9IgudxasixpdeBk6yUiBDqe84m+nGJgucw==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
  ACPI Table Name    OEMID Value    OEMTableID Value
  APIC               ALASKA         A M I
  FACP               ALASKA         A M I
  HPET               ALASKA         A M I
  MCFG               ALASKA         A M I
  SSDT               SataRe         SataTabl
  SSDT               SataRe         SataTabl
  SSDT               SataRe         SataTabl
  BGRT               ALASKA         A M I
Last edited by Terrek; 24 Sep 2014 at 10:00. Reason: Adding MGADiag Report