Windows Activation Technologies Pop-up


  1. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #11


  2. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #12

    Layback Bear said:
    You never did answer the question I asked in post #2

    Check and see if your system has KB971033 installed.

    Installed 14 Mar 2015
    Last edited by tjg79; 07 Oct 2015 at 22:40.


  3. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #13

    Callender said:
    Okay so upload "C:\Windows\System32\Wat\WatAdminSvc.exe" to VirusTotal and see if it is the legitimate file from Microsoft or an imposter.
    Attachment 373159

    I checked the file with my ESET Smart Security 8 and SuperAntiSpyware Pro. I also checked the properties and it appears to be digitally signed by Microsoft.

    I'm not familiar with Virus Total. Is it on my system?

    Other than that the file appears to be good.

    The main issues I'm experiencing at the moment are that when I click on any folder or the start menu button, the system is very sluggish to respond and extremely slow when navigating between different folders. Also, when I do a shutdown, I see a webpage that the system is or has tried to connect to. It appears to be an adware type virus from hell. Also, my ESET Smart Security 8 is giving me lots of alerts about blocking the address in the picture below. So, whatever is on this system still has a remnant that wants to connect to that address.

    Windows Activation Technologies Pop-up-eset-warning.jpg

    I've started a re-indexing for Windows Explorer and I did a SFC /SCANNOW. There were no issues with the SFC.

    This was definitely a virus attack.
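
Added example, not part of any post in this thread: the two checks suggested above (is KB971033 installed, and is WatAdminSvc.exe really signed by Microsoft) run from a PowerShell prompt, plus a SHA-256 that can be looked up on a multi-scanner service without uploading the file. The path comes from the thread; the expected signer string `O=Microsoft Corporation` is an assumption.

```powershell
# Added example: triage checks for the WAT prompt discussed in this thread.
# Uses only cmdlets and .NET calls available in PowerShell 2.0 (Windows 7 default).
$watPath = 'C:\Windows\System32\Wat\WatAdminSvc.exe'   # path shown in the UAC prompt

# 1. Is the WAT update (KB971033) installed, and when?
$kb = Get-HotFix -Id 'KB971033' -ErrorAction SilentlyContinue
if ($kb) {
    "KB971033 installed on: $($kb.InstalledOn)"
} else {
    'KB971033 not found in the installed-update list'
}

# 2. Validate the embedded Authenticode signature. The file Properties dialog
#    shows that a signature exists; this reports whether it actually verifies.
if (-not (Test-Path -LiteralPath $watPath)) { throw "File not found: $watPath" }
$sig = Get-AuthenticodeSignature -FilePath $watPath
"Signature status : $($sig.Status)"
"Status message   : $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    "Signer subject   : $($sig.SignerCertificate.Subject)"
    "Signer issuer    : $($sig.SignerCertificate.Issuer)"
    "Cert thumbprint  : $($sig.SignerCertificate.Thumbprint)"
}
if ($sig.Status -ne 'Valid') {
    Write-Warning 'Signature did not validate; treat the file as suspect.'
} elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    # Assumption: a genuine copy is signed by an organisation named Microsoft Corporation.
    Write-Warning 'Signature is valid but the signer is not Microsoft Corporation.'
}

# 3. SHA-256 of the file, for a hash lookup instead of an upload.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($watPath)
try {
    $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
} finally {
    $stream.Close()
}
"SHA-256          : $hash"
```

A status other than `Valid` (for example `HashMismatch` or `NotSigned`) means the file on disk does not match a trusted signature, whatever the Properties dialog shows.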


  4. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #14

    Callender said:
    I don't believe that the two are related. Your first screenshot shows UAC asking to allow:

    "C:\Windows\System32\Wat\WatAdminSvc.exe"

    That is a legitimate process.

    ESET has detected something else.

    I'm not a malware removal expert exactly but if you like you can download and run UVK then scan and create a log.

    Also you could navigate to C:\Users\TJG\AppData\Roaming\Gayux\Devod.dll and check the file information.

    If you decide to download UVK - install it and from the welcome screen choose "Scan and create log" then upload the result.

    I'm downloading UVK now.

    The UVK log file is over 2MB.

    UVK - Ultra Virus Killer Log.txt

    You can download the UVK log file from the file drop site on the link above.

    Let me know if you see something.

    Regards
    Last edited by tjg79; 07 Oct 2015 at 23:22.


  5. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #15

    14 posts and NO MGADiag??
    SHAME ON YOU!

    ESET has been known to flag the WAT tools in the past - it's a false positive, but semi-legitimate, since the tool will phone home every so often to pick up the latest definitions.

    Please follow this tutorial and post an MGADiag report - then we can see what the problem is.

    Windows Genuine and Activation Issue Posting Instructions

    Ignore errors produced when clicking on the Copy button - they simply mean that the tool could not create the backup files for some reason. The data is still copied to the clipboard for pasting to your response.

    Please also state the Version and Edition of Windows quoted on your COA sticker (if you have one) on the case of your machine (or inside the battery compartment), but do NOT quote the Key on the sticker!
    https://www.microsoft.com/en-gb/howt...spx#PCPurchase


  6. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #16

    It's a virus, but I'm not sure it's been completely removed, because the system doesn't behave as if the virus is completely removed. I downloaded and ran the Microsoft Safety Scanner for my Win 7 Pro x64 system. The MS Safety Scanner detected a Trojan Dynamater virus. I'm not sure about the spelling. The symptoms were constant downloading of temp files, very sluggish system when attempting to navigate between different folders in Windows Explorer. Windows Task Manager indicated significantly higher than normal system resource utilization, CPU and memory. Presently, I'm running ESET Smart Security 8 Smart Scan. It doesn't appear to be detecting anything yet and it's been running for an hour and twenty minutes. I don't know how long it will take to complete the ESET virus scan. I'm not sure if the virus software can scan the boot sectors. I will check the scan logs when the scan completes. This is a virus issue.

    From the Certificate of Authenticity Sticker:
    Windows 7 Pro OEM Software
    FQC-04849 (the 8 could be a 6, the print is illegible)
    X16-93649
    00180-451-841-077

    The ESET Smart Security 8 Smart Scan completed, but the scan logs indicate that it had errors when attempting to open the boot sectors of C:\, D:\, E:\, & O:\. Therefore, I don't think ESET SS 8 successfully scanned the boot sectors and I suspect this virus is hiding in the boot sectors and will reload when I reboot.
    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-9CBQQ-CBRDX-4VBW4
    Windows Product Key Hash: 4o79yMzf+5/lHKmwIiotxng2nPc=
    Windows Product ID: 00371-OEM-9045181-41077
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {88569B0E-21CB-4760-A2CC-9595DA52037D}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.150722-0600
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{88569B0E-21CB-4760-A2CC-9595DA52037D}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-4VBW4</PKey><PID>00371-OEM-9045181-41077</PID><PIDType>3</PIDType><SID>S-1-5-21-764048772-141219837-185285450</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>DX58SO__</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>SOX5810J.86A.5600.2013.0729.2250</Version><SMBIOSVersion major="2" minor="5"/><Date>20130729000000.000000+000</Date></BIOS><HWID>92BD3107018400F4</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>1B16FCA35E8C714</Val><Hash>Ox0izo7MjcnLKUdV4ul5G/4OhBY=</Hash><Pid>81605-906-5273533-65430</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: e120e868-3df2-464a-95a0-b52fa5ada4bf
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00180-451-841077-02-1033-7601.0000-0732015
    Installation ID: 012201651040681403614155510252839633960930028731337932
    Processor Certificate URL: SpcService Web Service
    Machine Certificate URL: RacService Web Service
    Use License URL: UseLicenseService Web Service
    Product Key Certificate URL: PkcService Web Service
    Partial Product Key: 4VBW4
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 08-Oct-15 09:26:18

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 9:11:2015 06:15
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:

    HWID Data-->
    HWID Hash Current: MgAAAAMAAAABAAEAAQADAAAAAQABAAEACrYw0kNG2mNsQ1D3xOAOLEaUnJ+9IKaegig=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name   OEMID Value   OEMTableID Value
      APIC              INTEL         DX58SO
      FACP              INTEL         DX58SO
      HPET              INTEL         DX58SO
      MCFG              INTEL         DX58SO
      WDDT              INTEL         DX58SO
      ASF!              INTEL         DX58SO
      SSDT              INTEL         SSDT  PM
      DMAR              INTEL         DX58SO
      WDTT              INTEL         DX58SO
      ASPT              INTEL         PerfTune
    Last edited by tjg79; 08 Oct 2015 at 08:28.


  7. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #17

    Posting the MGADiag log as Noel has requested after your security scan will let Noel see if your infection has affected your MGADiag.

    Please complete the instruction Noel has given.


  8. Posts : 512
    Windows 7 Professional x64 SP1
    Thread Starter
       #18

    Do you need any additional information?


  9. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #19

    I looked at your log. Can you confirm what is in this folder?

    C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}


  10. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #20

    Will check here later!


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

All times are GMT -5.