Author Topic: Windows Not Genuine Virus  (Read 11356 times)

Offline Tech Amateur

  • Newbie
  • *
  • Posts: 16
    • Personal Message (Offline)
Windows Not Genuine Virus
« on: October 18, 2011, 01:59:09 PM »
Please help.  I run Windows 7, and today when logging on as Administrator, I encountered a black screen for an extended period of time, followed by a message informing me that my Windows was not genuine.  Since I know that it is genuine, I did not follow the link for "more information" and suspected a virus/trojan horse.  I searched the internet and found general information concerning this message - that there are two possibilities for this message, one from a legitimate Windows tool (Windows Genuine Advantage Tool), and the other from a virus/trojan horse.  By all accounts, the WGA tool appears as a popup balloon at the bottom of the screen and the virus appears with the black screen that I encountered.  Unfortunately, I cannot find ANY information on how to fix it, other than a couple websites that just say "click here and download this removal tool", etc., of which I do not know whether these downloads are legitimate or not.  Another post somewhere gave the advice to "just reinstall Windows" -- which is dumb and not an option.

Also, unfortunately, my full system AVAST scan revealed nothing.  I believe that this virus may have been downloaded while my kids let our license expire for about a week without telling me about the message saying we needed to renew!  How can I determine if this is WGA or virus, and if it's a virus, how do I get rid of it?

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21789
  • Gender: Male
    • Personal Message (Offline)
Re: Windows Not Genuine Virus
« Reply #1 on: October 18, 2011, 02:10:51 PM »
Check for malware with this

Malwarebytes Anti-Malware 1.51. http://filehippo.com/download_malwarebytes_anti_malware/
always update so you have the latest signatures before you scan
click on the remove selected  button to quarantine anything found

post the scan log here
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Tech Amateur

Re: Windows Not Genuine Virus
« Reply #2 on: October 18, 2011, 02:47:50 PM »
Okay.  I'll run this.  But, I've had instances where Malwarebytes has not detected something that I know is a virus/trojan horse before.  I can't remember the specifics, but one was something that was hijacking my IE search bar and forcing me to use an option I did not want, and the other was a fake popup telling me I had a virus, that took me to a site to purchase a product to "remove it."  I found both of these to be viruses even though Malwarebytes (updated) found no infections.  I've not found Malwarebytes to be completely reliable.  But, I will run it and post the results as you suggest and go from there.  Thanks.

Offline Pondus

Re: Windows Not Genuine Virus
« Reply #3 on: October 18, 2011, 02:53:24 PM »
Quote
But, I've had instances where Malwarebytes has not detected something that I know is a virus/trojan horse before
very possible as they only want fresh samples not older than 3 months...... and mostly executable files
AV programs have millions of signatures.....MBAM has less than 350 000...
and no security program has 100% detection....


and remember to update before you run it....


« Last Edit: October 18, 2011, 03:14:15 PM by Pondus »


Offline Tech Amateur

Re: Windows Not Genuine Virus
« Reply #4 on: October 18, 2011, 05:22:10 PM »
Here is the log.  The two items that came up always come up no matter how many times I delete them.  That has been going on for months, and the "windows not genuine" issue just came up today, so I doubt they are related.

____________________


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7971

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

10/18/2011 1:18:37 PM
mbam-log-2011-10-18 (13-18-07).txt

Scan type: Full scan (C:\|)
Objects scanned: 778434
Time elapsed: 1 hour(s), 50 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Offline Pondus

Re: Windows Not Genuine Virus
« Reply #5 on: October 18, 2011, 05:48:35 PM »
Quote
The two items that came up always come up no matter how many times I delete them.
you mean you click the Remove Selected button, and they are back?.......as your log says no action taken!



OBS: if you scan again a quick scan is fine.....and there have been 3 new updates since you scanned
« Last Edit: October 18, 2011, 06:09:05 PM by Pondus »


Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29073
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Windows Not Genuine Virus
« Reply #6 on: October 18, 2011, 06:16:54 PM »

Offline Tech Amateur

Re: Windows Not Genuine Virus
« Reply #7 on: October 18, 2011, 06:32:15 PM »
Pondus, I updated and ran a short scan.  Still nothing but the same two items.  Yes, they do come back each time after I "remove selected."  I don't take action anymore because it does no good.

Scan results:

___________________________________________

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7975

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

10/18/2011 2:28:04 PM
mbam-log-2011-10-18 (14-27-51).txt

Scan type: Quick scan
Objects scanned: 240329
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________________________________


Essexboy:  what will this link do?  I want to know what I'm doing before I just start running things.  Thanks.
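
An added example, not part of the original thread: a small parser for the Malwarebytes log format shown in the two logs above. It lists findings that appear in every scan and whose recorded action was never a removal. The log excerpts are copied from the posts; the function names are this example's own.

```python
import re

# Excerpts copied from the two Malwarebytes logs posted in this thread,
# trimmed to the lines the parser reads.
FULL_SCAN = r"""Database version: 7971
Scan type: Full scan (C:\|)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.
"""
QUICK_SCAN = FULL_SCAN.replace("7971", "7975").replace("Full scan (C:\\|)", "Quick scan")

# One "Registry Data Items" line: key (detection) -> Bad: (x) Good: (y) -> action.
ITEM = re.compile(
    r"^(?P<key>HK\S+) \((?P<name>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\) -> (?P<action>.+?)\.?$"
)

def parse_log(text):
    """Return (database_version, findings) for one log in the format above."""
    db = re.search(r"^Database version: (\d+)", text, re.M)
    findings = [m.groupdict() for line in text.splitlines()
                if (m := ITEM.match(line.strip()))]
    return (int(db.group(1)) if db else None), findings

def persistent_unremediated(logs):
    """Findings seen in every log whose recorded action was never a removal."""
    parsed = [parse_log(t)[1] for t in logs]
    if not parsed:
        return []
    common = set.intersection(*[{f["key"] for f in p} for p in parsed])
    acted = {f["key"] for p in parsed for f in p
             if f["action"] != "No action taken"}
    return [f for f in parsed[-1] if f["key"] in common and f["key"] not in acted]

if __name__ == "__main__":
    for f in persistent_unremediated([FULL_SCAN, QUICK_SCAN]):
        print(f"{f['key']}\n  current : {f['bad']}\n  expected: {f['good']}"
              f"\n  action  : {f['action']}")
```
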

Offline Pondus

Re: Windows Not Genuine Virus
« Reply #8 on: October 18, 2011, 06:35:37 PM »
Quote
Essexboy:  what will this link do?  I want to know what I'm doing before I just start running things.  Thanks.

click the link and read....it goes to a Microsoft tutorial




Quote
Still nothing but the same two items.  Yes, they do come back each time after I "remove selected."  I don't take action anymore because it does no good.
you may report that in the MalwareBytes forum: http://forums.malwarebytes.org/
« Last Edit: October 18, 2011, 06:42:46 PM by Pondus »


Offline Tech Amateur

Re: Windows Not Genuine Virus
« Reply #9 on: October 18, 2011, 06:47:45 PM »
I read the link.  It tells me how to activate Windows.  My version is legitimate.  I have had it installed and running for quite some time (1 year or so, not exactly sure).  This is the first time this issue has arisen, and after the kids went several days without antivirus protection.  From what I have read, this is a virus, and that makes sense under the circumstances.  I'm looking to remove it, not work around it.

Offline essexboy

Re: Windows Not Genuine Virus
« Reply #10 on: October 18, 2011, 07:00:03 PM »
Download aswMBR.exe ( 1.8mb ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply



THEN

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

Offline Tech Amateur

Re: Windows Not Genuine Virus
« Reply #11 on: October 18, 2011, 07:11:48 PM »
Okay.  I'll do this, but I have to do it a bit later tonight.  I'll post the results then.  Please bear with me and check back later.  Thanks!

Offline essexboy

Re: Windows Not Genuine Virus
« Reply #12 on: October 18, 2011, 07:14:26 PM »
No problem; however, I am on GMT so it is getting late here.  But I will pick it up tomorrow if not tonight.

Offline Tech Amateur

Re: Windows Not Genuine Virus
« Reply #13 on: October 19, 2011, 11:58:31 AM »
Essexboy:  I have the scans. A question about posting them, though... they contain information on my system, including some user directories/file names and the computer name, as opposed to just scan results.  Is there any problem with posting this publicly (security reasons) or can I **** out the names/partial names of some of the information?

Karmana:  Ironically, I am one of the apparent many that cannot successfully install SP1, after many attempts.  So that has not been installed, although I have tried.

Offline Pondus

Re: Windows Not Genuine Virus
« Reply #14 on: October 19, 2011, 02:04:51 PM »
Quote
Essexboy:  I have the scans. A question about posting them, though... they contain information on my system, including some user directories/file names and the computer name, as opposed to just scan results.  Is there any problem with posting this publicly (security reasons) or can I **** out the names/partial names of some of the information?
If you wait with posting them until essexboy is online here....then you can remove them as soon as essexboy has downloaded them... ;)

he usually is here around 08:00pm - 11:59pm UK time
« Last Edit: October 19, 2011, 02:10:08 PM by Pondus »