After installing updates, vista product code suddenly invalid! plus 2 strange files in the system32 folder

  • Question

  • I recently found that my Windows Vista SP2 is telling me that my version of Windows is not genuine (even though I've been registered and have been using it for the last year or so without any problems until now). The PC is a Toshiba laptop model P200-1JV which had Windows Vista pre-installed when I bought it from the PC World store.
    I also have what seems to be 2 strange files located in my C:\Windows\System32 folder. They are:
    7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    I have read some other posts but they do not seem to have an answer as yet?
    I've downloaded the diagnostic tool and the result is as indicated below:

    Diagnostic Report (1.9.0011.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50

    Cached Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-JQMWD-2QJRJ-RJ34F
    Windows Product Key Hash: R8gPTEFMoOygFewoq/uOoWMpz68=
    Windows Product ID: 89578-OEM-7332157-00237
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6002.2.00010300.2.0.003
    ID: {7AEFC3FB-6C32-47C4-B082-F1F5B0F8CE6A}(1)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6002.lh_sp2rtm.090410-1830
    TTS Error: T:20091012181116071-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{7AEFC3FB-6C32-47C4-B082-F1F5B0F8CE6A}</UGUID><Version>1.9.0011.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-RJ34F</PKey><PID>89578-OEM-7332157-00237</PID><PIDType>2</PIDType><SID>S-1-5-21-1000721033-3681975270-2672486604</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Satellite P200</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>V2.50</Version><SMBIOSVersion major="2" minor="4"/><Date>20080611000000.000000+000</Date></BIOS><HWID>D7333507018400FA</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSCPL</OEMID><OEMTableID>TOSCPL00</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    Software licensing service version: 6.0.6002.18005

    HWID Data-->
    HWID Hash Current: OgAAAAEAAwABAAIAAQACAAAABAABAAEAeqiaq25BcscoS0aDPIrSuc5w8vQa7LhqAgv0daxW8D8qhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   INTEL   CRESTLNE
      FACP   TOSCPL  CRESTLNE
      HPET   INTEL   CRESTLNE
      BOOT   PTLTD   $SBFTBL$
      MCFG   INTEL   CRESTLNE
      TCPA   Intel   CRESTLNE
      TMOR   PTLTD          
      SLIC   TOSCPL  TOSCPL00
      OSFR   TOSHIB  A+2nd ID
      APIC   INTEL   CRESTLNE
      SSDT   SataRe  SataAhci
      SSDT   SataRe  SataAhci
      SSDT   SataRe  SataAhci
      SSDT   SataRe  SataAhci


    Why has Windows Vista suddenly become non-genuine?
    What can I do to get the PC running as it should?
    thank you,
    Bob

    Tuesday, October 13, 2009 5:49 PM

Answers

  • Hi Bob,

      If I understood correctly, your Non-Genuine issue is resolved and you need assistance identifying/removing possible malware related files.

      If that is correct, I recommend posting in the 'Security and Privacy' section of the Vista Answers Forum http://social.answers.microsoft.com/Forums/en-US/category/windowsvista.  The support people there have more knowledge regarding that type of issue.

    Thank you,
    Darin MS
    • Proposed as answer by Darin Smith MS Wednesday, October 14, 2009 6:48 PM
    • Marked as answer by Darin Smith MS Thursday, October 15, 2009 5:18 PM
    Wednesday, October 14, 2009 6:48 PM

All replies

  • Hello AudisAreBest,

    I'm not nearly as conversant with Vista GA troubleshooting as Darin of MSFT is, but in your case I think I can offer some advice.

    Your installation of Vista Home Premium on your Toshiba Satellite P200 computer was Genuine and will resume being Genuine, but at the moment there is something tampering with the Operating System that is causing it to report as NonGenuine, sort of like a smoke alarm going off, warning you about a dangerous situation.

    The bold line below is an indicator:

    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50

    Cached Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-JQMWD-2QJRJ-RJ34F
    Windows Product Key Hash: R8gPTEFMoOygFewoq/uOoWMpz68=
    Windows Product ID: 89578-OEM-7332157-00237
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6002.2.00010300.2.0.003
    ID: {7AEFC3FB-6C32-47C4-B082-F1F5B0F8CE6A}(1)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6002.lh_sp2rtm.090410-1830
    TTS Error: T:20091012181116071-
    Validation Diagnostic:
    Resolution Status: N/A

    This is the date-time group of when the latest Tampering took place, during the 6:11pm minute on October 12, 2009.

    Since you told us about two unusual programs within the Windows\system32 folder, it might be a good assumption to think that the suspicious files have something to do with the Tamper.

    Since the "File Scan Data-->" section of the report is blank, that tells us that the Tamper is an in-memory tamper as opposed to a tamper that alters the makeup of any specific file.  Generally that means a program runs to effect the tamper.  I would suspect that one or both of those suspicious files are the programs that are running and effecting the tamper.

    Perhaps your troubleshooting efforts should be centered around scanning for malicious programs and attempting to figure out if the suspicious files are legitimate, say from a program you just installed, or not legitimate.

    Try several online scans at the sites of the major anti-virus publishers such as Symantec (Norton), Trend Micro, or McAfee, or Microsoft's online scanner found on this page:  http://www.microsoft.com/security/malwareremove/default.aspx


    For great advice on all topics XP, visit http://www.annoyances.org/exec/forum/winxp
    Tuesday, October 13, 2009 6:35 PM
  • thanks very much for the reply.
    As you recommended, I've downloaded and run the windows malicious removal tool but it did not find any infected files.
    I've also run the Trend Housecall and it did not find anything.
    I've also run my installed Panda internet Security scan and it has not found anything.

    The files with the very long names cannot be moved/copied or deleted as they report that they are in use by another program. I did manage to delete them if I started up in safe command mode. However, they just came back when I re-started Vista and I think that's when the date/time stamp you mentioned is recorded. I think they were originally installed at an earlier date.

    I have followed advice from Darin from another post to validate Windows and this seems to have worked but the "strange" files are still there so I think the original problem still exists!

    It's beginning to seem that there is a new virus which is being missed by Anti-virus systems and firewalls??

    Anyone have any idea on this?

    Thanks
    Bob

    PS the "strange?" files are:
    7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    and since they are re-created suggests there is another program somewhere that is creating them?

    Wednesday, October 14, 2009 12:39 PM
  • Darin,

    Yes - the "Windows is not genuine" seems to have been resolved (thanks to a post that you replied to). You had offered 2 options and it was the 2nd that did the trick, it seems.
    (Trouble is I cannot find the post now but fortunately I had copied the fix to Notepad)
    Many thanks for that.

    What is confusing for me is that some posts say it's caused by a virus and others that it was caused by a Microsoft Update (some debate as to which one).
    So until I find out if it is a virus/trojan or not I will not be using my laptop for ANY sensitive functions.

    You may have noticed the reply from Dan at IT Associates, and he thinks there may be some form of tampering, which suggests a virus etc. which no anti-virus has recognised!

    I will put a post into the page you recommended and see what results.
    Again many thanks - Keep up the good work!

    Bob
    Thursday, October 15, 2009 4:24 PM
  • Hello AudisAreBest,

    Actually, your specific issue is rare.  There are three types of "Tamper".  M=Mod-Auth, T=Trusted Store and K=Kernel Mod.

    1) Mod-Auth Tamper is the most common and is again separated into two types, 'In Memory' and 'On Disk'.
    a) On-Disk Mod-Auth, in the past, could be caused by an Update that drastically failed during install (Updates have a roll back function when they fail, so this situation could only happen if the rollback also failed or the user turned off his/her computer during a vital portion of the install). On-Disk Mod-Auths could also be caused by a Virus or by any other scenario where a file could become Modified or Corrupt.
    b) In Memory Mod-Auths are caused by a running program that is hooking or shimming into a file running in memory. This can be either Malware or an incompatible program.

    2) Kernel Mod tampers almost never occur by themselves. They are usually found in conjunction with a Mod-Auth Tamper and are usually a stronger indicator that the Mod-Auth was caused by Malware. When Vista first came out, Kernel Mod tampers were also caused by anti-virus programs that were trying to access the kernel in an unauthorized way (i.e. the way they did with XP) but today, this is very rare.

    3) Trusted Store Tampers are very rare and while I know what the Devs think should cause this type of tamper, I haven't seen enough to get a good handle on what actually causes them in the wild.

     In the past, I had seen indications that the Tamper could be caused by a semi-incompatible driver. But the fact that the sfc /scannow command fixed your issue (I assume that is the step that solved your issue) indicates there was a bad system file causing the issue, but in those situations, your Diagnostic Report should have indicated the file that was bad (Vista keeps track of most of its critical system files and can see if any are modified or become corrupt).

    The long story short is that I don't know how or why your particular Trusted Store tamper happened. But if you can confirm exactly what set of steps fixed your issue, that would go a long way in helping me figure it out and possibly help others in the future.

    Thanks for the question,
    Darin MS
    Thursday, October 15, 2009 5:18 PM
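
As an added example (not part of the original thread and not a Microsoft tool), the sketch below reads a diagnostic report the way the two replies above do: it maps the TTS Error letter to the tamper type from Darin's list, decodes the date-time group, and checks whether the File Scan Data section is empty. The function names are hypothetical, and the meaning of the digits after the minute (seconds, then milliseconds) is an assumption.

```python
import re
from datetime import datetime

# Tamper-type letters as listed in the reply above.
TAMPER_TYPES = {"M": "Mod-Auth", "T": "Trusted Store", "K": "Kernel Mod"}

# Constructed excerpt, trimmed from the report posted in this thread.
SAMPLE_REPORT = """\
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
Windows License Type: OEM SLP
TTS Error: T:20091012181116071-
Validation Diagnostic:

File Scan Data-->

Other data-->
"""


def parse_tts_error(value):
    """Decode entries such as 'T:20091012181116071-' into (type, datetime)."""
    events = []
    for letter, stamp in re.findall(r"([A-Z]):(\d{17})-", value):
        # Assumed layout: YYYYMMDDhhmmss plus three millisecond digits.
        when = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
        when = when.replace(microsecond=int(stamp[14:]) * 1000)
        events.append((TAMPER_TYPES.get(letter, "unknown"), when))
    return events


def section_body(report, header):
    """Return the non-blank lines between `header` and the next '-->' line."""
    body, inside = [], False
    for line in report.splitlines():
        text = line.strip()
        if text.endswith("-->"):
            inside = text == header
        elif inside and text:
            body.append(text)
    return body


def triage(report):
    """Pull out the fields the replies in this thread rely on."""
    fields = {k.strip(): v.strip()
              for k, v in re.findall(r"^([^:\n]+):(.*)$", report, flags=re.M)}
    return {
        "status": fields.get("Validation Status"),
        "tamper_events": parse_tts_error(fields.get("TTS Error", "")),
        # An empty list means no modified file on disk was reported.
        "file_scan_entries": section_body(report, "File Scan Data-->"),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```
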
  • Darin -
    I am not that technical - but certainly think the two files I have in the System 32 file - are indeed malware or a virus.
    This is the same thing that happened to my father's pc.

    Long story short:

    7B296FB0-376B-497e-B012-9C450E1B7327-2P-0

    7B296FB0-376B-497e-B012-9C450E1B7327-2P-1

    When I started in safe mode and deleted them, they came back again.  My PC is now lagging.  I have tried ESET NOD32, AVG, SUPERAntiSpyware, McAfee and MS Malicious Software Removal Tool - nothing has worked.

    Suggestions ?

    Saturday, December 5, 2009 5:13 PM
  • I recommend posting in the Security and Privacy section of the Vista Answers Forum
     http://social.answers.microsoft.com/Forums/en-US/category/windowsvista

     The people in that forum (Microsoft and community members) have greater knowledge, when it comes to Malware issues, than I do. And even if they cannot help you, they should know the best place to direct you.

    Sorry I couldn't be more help,
    Darin MS
    Friday, December 11, 2009 8:27 PM
  • Hey, I had the same issue; it was a "TROJANDOWNLOADER.ASX/BF".

    Windows Essentials found it and AVG didn't. For me, AVG was my virus protector and didn't catch it.

    As well, it might run as an MP3 file, and if you use Windows Media Player it opens and downloads other and more trojans to your PC without you knowing.

    That's what happened to me.
    Saturday, January 9, 2010 8:50 PM
  • Hey Gonza, what did you use to detect that trojan and how did you get rid of it??

    Stephen
    Tuesday, January 12, 2010 4:18 PM
  • I have been using Windows Vista for two years with the Windows security.  Last night it kept coming up saying I had trojans, stealth etc. It started scanning and stated I had 24 viruses.  When I tried to remove them, it stated that I was using an unregistered product.  Please help, what do I do now?  I can't get into anything on the computer or online.
    Monday, February 8, 2010 1:00 PM
  • Stephen, sorry for such a late response, but I used the Windows Essentials virus, malware, and adware software right from the Microsoft website, since I was having problems with AVG and Windows Defender. I did also have the same issue with Windows' software as well at first, but then I went to Task Manager and just stopped Windows Defender, since Windows Essentials already has something in it like Defender running, so it was causing a conflict all the time.

    This is the link for Windows Essentials - http://explore.live.com/windows-live-essentials?os=winxp

    I also did a full run through the internet scanner that Microsoft provided, which is the OneCare protection center, and it caught some little things for me. It took a while but it found stuff I don't think anyone could have found, so it was nice - http://onecare.live.com/site/en-US/center/howsafe.htm?s_cid=mscom_msrt

    Good luck

    Jesse

    Sunday, June 6, 2010 6:53 AM
  • I kind of had the same problem. I wasn't able to get into anything at first. It was saying that I had a bootleg version for a while, then Vista just stopped working and the screen was black. Long story short, I went online with my desktop, went to support, and there were options to either pay or not for online assistance, which I didn't have to pay for, which was lucky. I had 32-bit SP1 on Vista. Anyway, he made me run it in safe mode or command prompt and type an ".EXE" command. I don't remember what it was exactly, but I think it was explorer.exe or winlogon.exe or dmw.exe, I'm not sure which one, but it was something like that. It brought the screen back and I was able to save everything and then reinstall Vista.

    http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;select&target=assistance

    Make sure you are using Internet Explorer, otherwise Firefox will act a little funny.

    Good luck

    Jesse

    Sunday, June 6, 2010 7:03 AM
  • Make sure you run that protection center link in Internet Explorer.
    Sunday, June 6, 2010 7:03 AM