Win7 Ultimate suddenly 'not genuine'

  • Question

  • W7 went AWOL a couple of days ago - I've searched and tried several solutions without success. It seems that these problems are specific to the PC W7 is installed on, so here I am.

    Required analysis below:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-YB4GH-9QTX7-HGD48
    Windows Product Key Hash: KfClLaeGZFZJkXiNaygstr8BDMQ=
    Windows Product ID: 00426-OEM-9154351-08937
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {F8F0D6F0-0C33-4630-8DF8-2CB32FAE4915}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.140706-1506
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: D:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppc.dll[Hr = 0x80070002]
    File Mismatch: C:\Windows\system32\sppcext.dll[Hr = 0x80070002]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{F8F0D6F0-0C33-4630-8DF8-2CB32FAE4915}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HGD48</PKey><PID>00426-OEM-9154351-08937</PID><PIDType>3</PIDType><SID>S-1-5-21-367642897-562009265-2858216383</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3302</Version><SMBIOSVersion major="2" minor="6"/><Date>20120515000000.000000+000</Date></BIOS><HWID>70CF3F07018400FE</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Ultimate edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00182-543-508937-02-2057-7601.0000-1812012
    Installation ID: 006550905161977301618885287923080692612350685481646390
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: HGD48
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 22/03/2015 14:37:26

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0000000000000060
    Event Time Stamp: 3:15:2015 19:35
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui


    HWID Data-->
    HWID Hash Current: PgAAAAIABgABAAEAAAAEAAAAAgABAAEAHKKu93cWFN54GVzZGl2siw6nfOk60IyOXJPKxLpZXUb6+ZKulmM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ALASKA        A M I
      FACP            ALASKA        A M I
      HPET            ALASKA        A M I
      MCFG            ALASKA        A M I
      SSDT            SataRe        SataTabl
      SSDT            SataRe        SataTabl
      SSDT            SataRe        SataTabl

    Sunday, March 22, 2015 2:42 PM

Answers

  • I'm beginning to suspect hardware problems here - either the HD or the RAM.

    There are a large number of CHKDSK results going back to October last year - some with fairly serious errors, and one which indicates problems with the two files we're having problems with now. There are no bad sectors in the disk, so it should be physically OK, but there may be firmware or other problems with it, or there may be RAM problems which are causing issues.

    Please test the RAM using MemTest86+ from www.memtest86.com - run at least 3 passes to see if there are any problems. Even one fault there will need to be addressed before doing anything else.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Monday, March 30, 2015 6:00 PM
    Moderator

All replies

  • File Scan Data-->
    File Mismatch: C:\Windows\system32\sppc.dll[Hr = 0x80070002]
    File Mismatch: C:\Windows\system32\sppcext.dll[Hr = 0x80070002]

    Please run a full CHKDSK and SFC scan....

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

     CHKDSK C: /R

    and hit the Enter key.

    You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot.

    The CHKDSK will take a few hours depending on the size of the drive, so be patient!

    After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC.

    SFC - System File Checker - Instructions

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

    SFC /SCANNOW

    and hit the Enter key

    Wait for the scan to finish - make a note of any error messages - and then reboot.

    Upload the CBS.log file (compressed, please!) to your OneDrive or DropBox Public folder, and post a link - also post a new MGADiag report.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Wednesday, March 25, 2015 6:58 PM
    Moderator
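Added example, not part of the thread or of any participant's post: a small Python triage of the MGADiag report that pulls out the File Mismatch and Tampered File entries the reply above keys on and decodes the HRESULT fields. The sample is an excerpt of the report posted in the question; the function names and the "focus" heuristic are assumptions of this example.

```python
import ntpath

# Excerpt of the MGADiag report posted in the question (only the fields used here).
SAMPLE_REPORT = r"""
Validation Code: 0x8004FE21
File Mismatch: C:\Windows\system32\sppc.dll[Hr = 0x80070002]
File Mismatch: C:\Windows\system32\sppcext.dll[Hr = 0x80070002]
License Status: Licensed
HrOffline: 0x8004FE21
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
"""

def decode_hresult(value):
    """Split a 32-bit HRESULT into (is_failure, facility, code).
    Facility 7 is Win32 (code 2 = file not found); facility 4 is
    interface-specific, so its code is defined by the reporting component."""
    n = int(value, 16)
    return bool(n >> 31), (n >> 16) & 0x7FF, n & 0xFFFF

def parse_report(text):
    """Return (single-valued fields, {file name: set of integrity flags})."""
    fields, flagged = {}, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "File Mismatch":
            path, _, hr = value.partition("[Hr = ")
            name = ntpath.basename(path).lower()
            flagged.setdefault(name, set()).add("mismatch " + hr.rstrip("]"))
        elif key == "Tampered File":
            name = ntpath.basename(value.split("|")[0]).lower()
            flagged.setdefault(name, set()).add("tampered")
        else:
            fields[key] = value
    return fields, flagged

def triage(text):
    fields, flagged = parse_report(text)
    failed, facility, code = decode_hresult(fields.get("Validation Code", "0x0"))
    licensed = fields.get("License Status") == "Licensed"
    # Assumption of this example: a licensed key plus flagged licensing files
    # points at file integrity (disk, RAM, tampering) rather than at the key.
    if failed and licensed and flagged:
        focus = "file integrity"
    else:
        focus = "licensing state" if failed else "none"
    return {"focus": focus, "files": sorted(flagged),
            "validation": (failed, facility, code)}
```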
  • Thanks for the reply. I ran chkdsk as you instructed, then from an administrator command prompt I received the following from SFC /SCANNOW

    Beginning system scan.  This process will take some time.

    Windows Resource Protection could not perform the requested operation.

    C:\>

    Thursday, March 26, 2015 11:33 AM
  • Ouch - that could mean you have some severe problems.

    Let's have a quick look at some of the important services...

    Please download the Farbar Service Scanner from

    http://www.bleepingcomputer.com/download/farbar-service-scanner/

     

    Right-click on the saved file and select 'Run as Administrator', and tick all the options, then click on the Scan button - copy and paste the report to your response.


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, March 26, 2015 5:28 PM
    Moderator
  • Farbar Service Scanner Version: 17-01-2015
    Ran by Phil McCavity (administrator) on 27-03-2015 at 08:08:39
    Running from "D:\Users\Phil McCavity\Downloads"
    Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.

    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is set to Demand. The default start type is Auto.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\dhcpcore.dll => File is digitally signed
    C:\Windows\System32\drivers\afd.sys => File is digitally signed
    C:\Windows\System32\drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****
    Friday, March 27, 2015 8:13 AM
  • Hmm - what Anti-Virus is installed? What Firewall?

    The Firewall settings above could simply be because your firewall has switched off the Windows Firewall, or because malware has done so.

    The Defender setting is pretty much normal where an AV is installed (either 3rd Party or MSE).


    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, March 27, 2015 8:50 AM
    Moderator
  • There's no AV apart from Defender. The Firewall is disabled; I have a hardware FW at the point of entry to my network.
    Friday, March 27, 2015 10:57 AM
  • You obviously like living dangerously! If one machine in your network manages to get infected, you risk ALL of them getting infected! This is why companies install firewalls and AV inside the network, as well as at the perimeter.

    I think perhaps a look at the Event logs may give some details here...

    Please open Event Viewer

    In the left pane, navigate to the Windows Logs

    Right-click on Applications and select 'Save all events as...' - save as Apps.evtx

    Repeat for the System logs - save as Sys.evtx

    Compress both files, and attach to your reply or upload to your favourite fileshare site
    (preferably Dropbox or OneDrive/SkyDrive) and post a link in your reply



    Noel Paton | Nil Carborundum Illegitemi
    CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, March 27, 2015 11:33 AM
    Moderator
  • https://dl.dropboxusercontent.com/u/25506750/apps.zip

    https://dl.dropboxusercontent.com/u/25506750/sys.zip

    This is the only Win machine on the network. The others are Linux & Apple and are protected.
    • Edited by SkyBod Friday, March 27, 2015 3:32 PM
    Friday, March 27, 2015 12:28 PM