restoring tampered files with sfc /scannow and original DVD

  • Question

  • After revalidating, how do I clean up the system of tampered files and verify that the system is valid again? Microsoft support has told me to use sfc /scannow but either I'm using it wrong or that's not the answer since it doesn't seem to give me any useful results.

    Thanks in advance for any help anybody can provide!

    I recently started receiving a message indicating that Windows 7 was not genuine.  I contacted Microsoft and went back and forth between the Microsoft PC safety and Windows Genuine advantage numbers a few times, and they have had me perform a few actions that they said would fix the issue.  The message reappeared the next day, and I went through the call handoff again and after more actions they stated (again) that it was fixed. 

    Even though they claim everything is ok, MGADiag.exe still shows a list of tampered files, and if I go to http://windows.microsoft.com/en-US/windows/help/genuine/what-is-validation and click on the "Validate Now"  button, it still takes me to the page that includes the note "Files that Windows needs to work properly have been modified, removed, or disabled. To resolve, you need to install genuine Windows."  Before hanging up, the tech suggested that I use the original DVD along with the command sfc /scannow to restore the tampered files.

    Is there any way to test for a valid copy other than the "Validate Now" link that doesn't work for me (unless that IS the test, nothing was resolved in any way, and I need to give Microsoft a third call?)

    Here's the diagnostic report in case that helps in any way:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-R2Q2B-9XHD8-HKT43
    Windows Product Key Hash: bFUgW4u+L6e94cu1kcUrnUjITZc=
    Windows Product ID: 00359-OEM-8703631-31539
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {92F17E10-54A4-4C60-88CE-7BE3B1251F5A}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110622-1506
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\en-US\sppc.dll.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\sppcext.dll.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\slc.dll.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\slcext.dll.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\sppuinotify.dll.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\slui.exe.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\sppcomapi.dll.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\sppcommdlg.dll.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\sppsvc.exe.mui[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\en-US\user32.dll.mui[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{92F17E10-54A4-4C60-88CE-7BE3B1251F5A}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HKT43</PKey><PID>00359-OEM-8703631-31539</PID><PIDType>3</PIDType><SID>S-1-5-21-3108934152-1946102615-1201745099</SID><SYSTEM><Manufacturer>MSI</Manufacturer><Model>MS-7599</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V17.13</Version><SMBIOSVersion major="2" minor="6"/><Date>20110629000000.000000+000</Date></BIOS><HWID>82923707018400F6</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: 586bc076-c93d-429a-afe5-a69fbc644e88
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00174-036-331539-02-1033-7601.0000-3152011
    Installation ID: 022134047676880510343044881960846290635714417375775800
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: HKT43
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 11/12/2011 7:50:22 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000000EF60
    Event Time Stamp: 11:12:2011 07:17
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui


    HWID Data-->
    HWID Hash Current: NgAAAAIABgABAAEAAAABAAAAAQABAAEAln3qvDD4FTp66FTytvLG+xAz4l9eZfZv3LvGKQLQ

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            7599MS        A7599300
      FACP            7599MS        A7599300
      HPET            7599MS        OEMHPET
      MCFG            7599MS        OEMMCFG
      OEMB            7599MS        A7599300
      SSDT            A M I         POWERNOW

    Saturday, November 12, 2011 11:08 PM

Answers

All replies

    • Marked as answer by Darin Smith MS Tuesday, November 15, 2011 11:12 PM
    Saturday, November 12, 2011 11:16 PM
    Answerer
  • you have Vistalizator installed.
    I don't think I do; if I run msconfig and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\UILanguages, the only one listed is en-US. The KB article seems to indicate that I have to have more than one language listed if Vistalizator is installed.

    I also noticed something else odd; in today's daily discussion with Microsoft support (this message appears to be showing up once per day now) they had me for the first time run a copy of MGADiag.exe (1.9.0019.0) which indicates that my product is genuine and doesn't list any tampered files. However I just now realized the version of MGADiag.exe that I was running (1.9.0027.0) still shows the above list.

    I don't recall exactly what link I got my copy from or why it would appear to be a newer version than the one Microsoft's tech support uses. What is the latest version (as of Nov. 14, 2011) and where is the most appropriate place to be finding it? Are there different versions for different versions of Windows and I could be running an incorrect version? (This wouldn't explain why I am getting the non-genuine window, but perhaps could rule out the above file list and keep me from looking in the wrong direction to try to solve it.)
    Tuesday, November 15, 2011 1:45 AM
  • The mismatched and tampered files are a match for Vistalizator. I suggest you use the how to fix it section of the link I referred you to.

     What is the latest version (as of Nov. 14, 2011) and where is the most appropriate place to be finding it?

    The current version of the MGA is here

    http://go.microsoft.com/fwlink/?linkid=52012

    (1.9.0027.0) is current.

    Tuesday, November 15, 2011 2:48 AM
    Answerer
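How the two file lists in the posted report line up, as an added example (not part of the original thread and not a Microsoft tool): it parses the "File Mismatch" and "Tampered File" lines from an excerpt of the report above and checks that every failing file is a .mui language resource belonging to a flagged component. The function names and the HRESULT lookup table are this example's own.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# Excerpt of the report posted in the question, shortened to a few entries.
REPORT = r"""
File Scan Data-->
File Mismatch: C:\Windows\system32\en-US\sppc.dll.mui[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\en-US\slui.exe.mui[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\en-US\user32.dll.mui[6.1.7601.17514], Hr = 0x800b0100
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
"""

MISMATCH = re.compile(
    r"^\s*File Mismatch:\s*(?P<path>.+?)\[(?P<ver>[\d.]+)\],\s*Hr = (?P<hr>0x[0-9a-fA-F]+)",
    re.M)
TAMPERED = re.compile(r"^\s*Tampered File:\s*(?P<path>[^|\r\n]+)\|(?P<parts>.+)$", re.M)

# Standard Windows HRESULT names for the codes that appear in the report.
HRESULTS = {0x800B0100: "TRUST_E_NOSIGNATURE", 0x80070002: "ERROR_FILE_NOT_FOUND"}

def parse_report(text):
    """Return (mismatches, tampered) parsed from an MGADiag text report."""
    mismatches = [{"path": m["path"], "version": m["ver"],
                   "hr": HRESULTS.get(int(m["hr"], 16), m["hr"])}
                  for m in MISMATCH.finditer(text)]
    # component file name -> the sub-items the health check lists for it
    tampered = {basename(m["path"]).lower(): [p.strip() for p in m["parts"].split("|")]
                for m in TAMPERED.finditer(text)}
    return mismatches, tampered

def triage(text):
    """Correlate the two lists: which tampered components are explained by a
    failed resource file, and which failed files belong to no component."""
    mismatches, tampered = parse_report(text)
    failed = {basename(x["path"]).lower() for x in mismatches}
    listed = {c: {p.lower() for p in parts} for c, parts in tampered.items()}
    return {
        "only_language_resources": all(n.endswith(".mui") for n in failed),
        "explained": sorted(c for c, p in listed.items() if p & failed),
        "unexplained": sorted(c for c, p in listed.items() if not p & failed),
        "extra_mismatches": sorted(failed - set().union(*listed.values())),
        "hresults": sorted({x["hr"] for x in mismatches}),
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Running it on a fresh report after a repair attempt gives a quick before/after comparison: an empty "explained" list and no mismatches means the scan no longer flags the resource files.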
  • The fix section of this article states that the fix can only be obtained from Microsoft. Unfortunately none of the people I was transferred through in today's support call were interested in following this lead, so I'm completely unable to try it.
    Wednesday, November 16, 2011 3:39 AM
  • Did you tell them you have Vistalizator installed?

    What exactly did support tell you?

    Wednesday, November 16, 2011 4:41 AM
    Answerer
  • I told them I don't know if I have it installed, but that I would like to obtain the possible fix for it from Microsoft just in case I do have it installed. The first tech ignored me completely and seemed convinced that the next step should be checking for viruses instead, then transferred me to some other department who actually laughed at me when I suggested trying to eliminate Vistalizator, but then when pressed didn't seem to have any idea what I was talking about. He ended the phone conversation with the suggestion that I try registering Windows using the phone. (The article he pointed me at seems to differ from my version of Windows, I haven't located the "register by phone" area yet to try it, although I assume that wasn't a real suggestion anyway and was just his way of not having to deal with my issue.)
    Wednesday, November 16, 2011 5:02 AM
  • What was the original language of your computer?

    Have you tried running Vistalizator again and restoring the original language?

    If you can't get help from support you likely will have to reinstall. Make sure you have backups.

    Wednesday, November 16, 2011 1:46 PM
    Answerer
  • What was the original language of your computer?

    Have you tried running Vistalizator again and restoring the original language?

    If you can't get help from support you likely will have to reinstall. Make sure you have backups.

    The original and current language is English, that has not changed. I have not run Vistalizator myself that I'm aware of. I don't know if it is something that could somehow have been bundled into some piece of software I own and I could have run it without realizing it. If I'm not aware of having run it the first time, would it still make any sense to try to go find it and install it, either as a weird workaround or to test with? If it turns out it really isn't installed, would that just make it worse?

    I can definitely reinstall, everything is backed up. I have not yet tried that because the problem showed up almost immediately after a fresh install, so I'm assuming it will most likely happen again if I perform the exact same installation steps. I wanted to first try to figure out what was causing it so it could be avoided on my next reinstall attempt.
    Thursday, November 17, 2011 2:13 AM
  •  the problem showed up almost immediately after a fresh install, so I'm assuming it will most likely happen again if I perform the exact same installation steps

    Where did you get your iso? Was it from your original OEM system builder disk? I don't know if it is possible but maybe it is embedded in your iso. (just an uneducated guess)

    You should have a good install and should not have a problem unless you deliberately run Vistalizator and install a language pack.

    Thursday, November 17, 2011 2:36 AM
    Answerer
  • "george1009" wrote in message news:579bada5-960b-4283-bf71-d762f5eff999...

    the problem showed up almost immediately after a fresh install, so I'm assuming it will most likely happen again if I perform the exact same installation steps

    Where did you get your iso? Was it from your original OEM system builder disk? I don't know if it is possible but maybe it is embedded in your iso. (just an uneducated guess)

    You should have a good install and should not have a problem unless you deliberately run Vistalizator and install a language pack.

    Yes – it is possible to embed just about any program into the installation image using the OPK or WAIK.
    The question then becomes ‘is the disk a hologrammed OEM SB disk, or a copy?’

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Thursday, November 17, 2011 7:50 AM
    Moderator
  • Thanks Noel, I ran out of ideas here.
    Thursday, November 17, 2011 1:16 PM
    Answerer
  • No iso, I just installed directly from the original Windows 7 OEM DVD purchased from Newegg.com. This DVD has holograms only around the very center and very edge of the DVD, the bulk of the DVD is a white label with black text, unlike my Windows XP CDs, which were entirely a hologram with no additional label. Is this expected or not?

    I am going to try to reinstall everything from scratch next to see what happens, and to try to identify if it's triggered immediately or by any of the software I'm installing after installing Windows, or upon plugging in my backup drive. Microsoft support was also super-nice and provided me with an upgrade to Windows 7 Professional yesterday (in the form of an iso file this time) which I'm supposed to use to reinstall everything with to see if that will somehow fix the issue.
    Friday, November 18, 2011 1:50 AM