Before I wipe the drive

  • Question

  • I have an OEM installed version of Windows 7 on a Gateway machine purchased through a large regional retailer.  All was fine until it suddenly started reporting that Windows was not genuine.

    I have run SFC /SCANNOW... which reports that "Windows Resource Protection did not find any integrity issues."

    I have run CHKDSK... which reports that "Windows checked file system and found no problems."

    I have run slui... which results in an error.

    I ran MGADiag.  The report is below.  The Product Key in the report does not match the Key on the side of the computer.

    I would prefer to not wipe the drive in the short term, but if that is what it takes then I will accept my fate with dignity.

    Thanks in advance for any help or insights.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc0000022
    Windows Product Key: *****-*****-WJ2H8-R6B6D-7QJB7
    Windows Product Key Hash: ckKNc+BBPDWmo1LUlOkraNjlQ34=
    Windows Product ID: 00359-OEM-8992687-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {FCDFBAC2-2E8E-4920-8A11-F2B8CE9231EE}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120503-2030
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\verde\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{FCDFBAC2-2E8E-4920-8A11-F2B8CE9231EE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7QJB7</PKey><PID>00359-OEM-8992687-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-3891710877-3408199049-697111149</SID><SYSTEM><Manufacturer>Gateway</Manufacturer><Model>FX6860</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P01-B2</Version><SMBIOSVersion major="2" minor="6"/><Date>20110809000000.000000+000</Date></BIOS><HWID>C5223307018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80070426' to display the error text.
    Error: 0x80070426 

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0001000000000000
    Event Time Stamp: 9:11:2012 16:55
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered Service: sppsvc


    HWID Data-->
    HWID Hash Current: MAAAAAEAAQABAAEAAAADAAAAAgABAAEACrbMaag3Nv9wcDadTpFSFFlXRJh+ji5z

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC ACRSYS ACRPRDCT
      FACP ACRSYS ACRPRDCT
      HPET ACRSYS ACRPRDCT
      MCFG ACRSYS ACRPRDCT
      SSDT ACRSYS ACRPRDCT
      SLIC ACRSYS ACRPRDCT

    Wednesday, September 12, 2012 2:24 AM

Answers

  • I'm not totally surprised - it's a fairly heavily-protected Key.

    We'll have to do a manual substitution then :(

    Open Regedit and navigate to the
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR Key

    Export it to a reg file for safety!

    Now go to the 0000 subkey and right-click on it

    Select Permissions,

    Click on Advanced, then the Owner tab

    Make sure that Administrators is the owner, and put a tick in the 'Replace
    owner...' box at the bottom

    Click OK once

    add Administrators to the Groups or Usernames list, and give them Full
    permissions

    CLICK OK

    Now you can change the ConfigFlags entry from 401 to 400 and exit regedit -
    reboot, and post another MGADiag report.

     



    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Thursday, September 13, 2012 7:11 AM
    Moderator
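    The diagnosis and repair described in this thread, as an added PowerShell example (my own code, not Noel's and not anything shipped by Microsoft): it reads ConfigFlags on the LEGACY_SPLDR\0000 instance shown in the REG QUERY output, decodes the 0x1 bit (CONFIGFLAG_DISABLED in cfgmgr32.h; 0x400 is CONFIGFLAG_FINISH_INSTALL, so 0x401 is the normal value with the disabled bit added), reports the key owner, the spldr start type and the sppsvc service state, exports the key before touching it, and clears only the disabled bit. It assumes an elevated PowerShell prompt on Windows 7 and the key layout shown above; the function names are invented for this example. If the write fails with access denied, as the REG ADD did, take ownership through regedit as the answer describes and run it again.

```powershell
# Added example, not code from the thread: check and repair the LEGACY_SPLDR
# ConfigFlags value behind the 'Tampered Service: sppsvc' line in MGADiag.
# Assumes an elevated PowerShell prompt on Windows 7 and the key layout shown
# in the REG QUERY output. Function names are invented for this example.

$InstanceKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000'
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\services\spldr'

# Bit values from cfgmgr32.h (CONFIGFLAG_*); 0x401 = FINISH_INSTALL | DISABLED
$CONFIGFLAG_DISABLED       = 0x001
$CONFIGFLAG_FINISH_INSTALL = 0x400

function Get-SpldrState {
    # Read the raw flags and decode the two bits that matter here
    $flags = (Get-ItemProperty -Path $InstanceKey -Name ConfigFlags -ErrorAction Stop).ConfigFlags
    [pscustomobject]@{
        ConfigFlags   = '0x{0:X}' -f $flags
        Disabled      = [bool]($flags -band $CONFIGFLAG_DISABLED)
        FinishInstall = [bool]($flags -band $CONFIGFLAG_FINISH_INSTALL)
        KeyOwner      = (Get-Acl -Path $InstanceKey).Owner                    # who owns the key now
        SpldrStart    = (Get-ItemProperty -Path $ServiceKey -Name Start).Start # 0 = boot start
        SppsvcStatus  = (Get-Service -Name sppsvc).Status                     # Software Protection service
    }
}

function Backup-SpldrKey {
    param([string]$Path = (Join-Path $env:TEMP 'LEGACY_SPLDR-backup.reg'))
    # Same safety step the answer asks for before editing anything
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }
    return $Path
}

function Repair-SpldrConfigFlags {
    $before = Get-SpldrState
    if (-not $before.Disabled) {
        Write-Host "ConfigFlags is $($before.ConfigFlags); disabled bit is clear, nothing to change."
        return $before
    }

    $backup = Backup-SpldrKey
    Write-Host "Key exported to $backup"

    # Clear only the DISABLED bit and leave every other bit as found (0x401 -> 0x400)
    $raw = (Get-ItemProperty -Path $InstanceKey -Name ConfigFlags).ConfigFlags
    $new = $raw -band (-bnot $CONFIGFLAG_DISABLED)
    try {
        Set-ItemProperty -Path $InstanceKey -Name ConfigFlags -Value $new -Type DWord -ErrorAction Stop
    } catch {
        # This is the 'Access is denied' the REG ADD hit: the key's ACL does not
        # grant Administrators write access. Take ownership in regedit as the
        # answer describes, then run this function again.
        throw "Could not write ConfigFlags ($($_.Exception.Message)). Take ownership of $InstanceKey first."
    }

    Write-Host ('ConfigFlags changed from 0x{0:X} to 0x{1:X}; reboot and post a fresh MGADiag report.' -f $raw, $new)
    return Get-SpldrState
}

# Usage (elevated prompt):
#   Get-SpldrState              # report only
#   Repair-SpldrConfigFlags     # export the key, then clear the disabled bit
```

    Get-SpldrState is the part worth keeping around: a Disabled value of True on this instance, or a KeyOwner that is not Administrators or SYSTEM, is the thing to look for when a machine suddenly reports "not genuine" after third-party security software has been installed or removed.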

All replies

  • Please open an Elevated Command Prompt, run the following commands, and post the
    results.

    REG QUERY HKLM\SYSTEM\CurrentControlSet\services\spldr /S

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR /S

    post the results.

    Here are some instructions to make life easier :)

    1) To open an Elevated Command Prompt Window (the CP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt. 

    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once. 

    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.     


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Wednesday, September 12, 2012 6:13 AM
    Moderator
  • Hi - I am the OP.  Somehow the forums would not let me log in with my original username.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\spldr /s

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spldr
        DisplayName    REG_SZ    Security Processor Loader Driver
        ErrorControl    REG_DWORD    0x3
        Start    REG_DWORD    0x0
        Type    REG_DWORD    0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spldr\Enum
        0    REG_SZ    Root\LEGACY_SPLDR\0000
        Count    REG_DWORD    0x1
        NextInstance    REG_DWORD    0x1


    C:\Windows\system32>


    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR /S

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR
        NextInstance    REG_DWORD    0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000
        Service    REG_SZ    spldr
        Legacy    REG_DWORD    0x1
        ConfigFlags    REG_DWORD    0x401
        Class    REG_SZ    LegacyDriver
        ClassGUID    REG_SZ    {8ECC055D-047F-11D1-A537-0000F8753ED1}
        DeviceDesc    REG_SZ    Security Processor Loader Driver
        Capabilities    REG_DWORD    0x0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000\Control


    C:\Windows\system32>

    Wednesday, September 12, 2012 2:45 PM
  • The cause of your problem is....

    ConfigFlags    REG_DWORD    0x401

    Please run the following commands in an Elevated Command Prompt, and post the results.....

    REG ADD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000 /V ConfigFlags /T REG_DWORD /d 0x400

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR /S


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Wednesday, September 12, 2012 6:11 PM
    Moderator
  • Hi Noel -

    The ADD command produced an error.   I ran the query anyway to see if anything changed.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG ADD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000 /V ConfigFlags /T REG_DWORD /d 0x400
    ERROR: Access is denied.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR /S

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR
        NextInstance    REG_DWORD    0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000
        Service    REG_SZ    spldr
        Legacy    REG_DWORD    0x1
        ConfigFlags    REG_DWORD    0x401
        Class    REG_SZ    LegacyDriver
        ClassGUID    REG_SZ    {8ECC055D-047F-11D1-A537-0000F8753ED1}
        DeviceDesc    REG_SZ    Security Processor Loader Driver
        Capabilities    REG_DWORD    0x0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000\Control


    C:\Windows\system32>

    Wednesday, September 12, 2012 8:40 PM
  • Looking Good! The MGADiag report (below) shows:

    ** Licensing Data section is no longer an error.  

    ** Windows Activation Technologies no longer shows a tampered service

    Also, when I go to the System control panel it shows "Windows is Activated" 

    Now, the questions remain...

    1) Should I change the Permissions on the LEGACY_SPLDR back to where they were?

    2) Why did this happen?  I suspect it was the result of having installed and uninstalled security software from my ISP called VaultID.  

    3) Do any additional switches need to be thrown, or information entered, to make sure Windows knows that it is indeed Genuine and properly Activated?

    Lastly... THANK YOU Noel for your help with this!!!!

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-WJ2H8-R6B6D-7QJB7
    Windows Product Key Hash: ckKNc+BBPDWmo1LUlOkraNjlQ34=
    Windows Product ID: 00359-OEM-8992687-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {DEC9AA31-2B76-4277-B5EA-06B63E01FC72}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120503-2030
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\verde\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{DEC9AA31-2B76-4277-B5EA-06B63E01FC72}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7QJB7</PKey><PID>00359-OEM-8992687-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-3891710877-3408199049-697111149</SID><SYSTEM><Manufacturer>Gateway</Manufacturer><Model>FX6860</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P01-B2</Version><SMBIOSVersion major="2" minor="6"/><Date>20110809000000.000000+000</Date></BIOS><HWID>C5223307018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00178-926-800006-02-1033-7601.0000-1052011
    Installation ID: 016814309396566473753182592741653961855083070551827261
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 7QJB7
    License Status: Licensed
    Remaining Windows rearm count: 2
    Trusted time: 9/13/2012 8:00:31 AM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 9:13:2012 07:50
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAEAAAADAAAAAQABAAEACrbMaag3Nv9wcDadTpFSFFlXRJgucw==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC ACRSYS ACRPRDCT
      FACP ACRSYS ACRPRDCT
      HPET ACRSYS ACRPRDCT
      MCFG ACRSYS ACRPRDCT
      SSDT ACRSYS ACRPRDCT
      SLIC ACRSYS ACRPRDCT

    Thursday, September 13, 2012 3:35 PM
  • It does look good :)

    Answers....

    1) No real need - you added permissions, rather than changed existing ones, so it shouldn't affect anything.

    2) I've never heard of VaultID - which ISP? - it's possible, or it could be malware.

    3) Nah - Windows knows when it's well off :)

    If you have any more problems, feel free to come back!

    Good luck.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Thursday, September 13, 2012 10:16 PM
    Moderator
  • Noel -

    VaultID is something that is part of the Xfinity (Comcast) Constant Guard package.  It is awful.  It was replacing keystrokes with random characters on all apps.  

    What steps do you recommend to eliminate any concerns about malware?

    Thursday, September 13, 2012 10:26 PM
  • Why am I not in the least surprised to find that Norton is associated with this product?

    You may want to join this discussion - http://forums.comcast.com/t5/Security-and-Anti-Virus/Constant-Guard-What-Can-I-Disable/td-p/941269 - or others like it!

    I would suggest uninstalling anything to do with it from your PC - since it's a Norton-associated product, I would also run the Norton Removal tool - https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?lg=english&ct=united+states&docid=20080710133834EN&product=home&version=1&pvid=f-home - even if it's not strictly part of the Norton family.

    Then install a decent AntiVirus -  Also install Malwarebytes Anti-Malware (free edition) but do NOT activate the realtime protection offer. Update that and then run a full system scan (which will also force your AV to scan the files, so both get a bite at the cherry!) remove everything it finds (and anything the AV finds).

    AVOID Norton and McAfee - I'm beginning to think that AVG should also be added to my Avoid list, but it's not quite there yet.

    Microsoft Security Essentials is perfectly sufficient (and free) for 99.x% of users. Avast is good - and free (or paid for), Kaspersky and NOD32 are good (paid for). 

    AVOID all 'suites', the extra bells and whistles usually just mean trouble - Windows Firewall is perfectly adequate, and a lot less hassle than any third-party one.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Friday, September 14, 2012 8:44 AM
    Moderator