Windows 7 x32 Activation damaged

  • Question

  • Good day,

    I recently had a piece of drive-by malware get planted on my system. I managed to remove it with a malware product, but either the malware or the cleaner seems to have destroyed the software licensing service. I do see sppsvc listed in the ControlSets in the registry and the file exists under system32... but when I start the service either in services.msc or with net start sppsvc.exe I get an error 2 (file not found).

    The MGADiag report says sppsvc.exe is tampered with, but SFC /SCANNOW says the files are fine.

    Here is the MGADiag data:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc0000022
    Windows Product Key: *****-*****-84FFD-6QGKP-279RC
    Windows Product Key Hash: YjJUxJg8AcB+W4q0KFKN68OoW8Y=
    Windows Product ID: 00371-222-4136142-86840
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {9356CD45-58C4-4F78-9C11-E3B90784E3A9}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.130505-1534
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: 191.168.0.2:8030
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{9356CD45-58C4-4F78-9C11-E3B90784E3A9}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-279RC</PKey><PID>00371-222-4136142-86840</PID><PIDType>5</PIDType><SID>S-1-5-21-938299814-1201750613-2718179475</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO., LTD</Manufacturer><Model>MS-7258</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20070716000000.000000+000</Date></BIOS><HWID>8A893C07018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0C0A</SystemLCID><TimeZone>Hora estándar de Brasil central(GMT-04:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    En un equipo que ejecute una edición de Microsoft Windows distinta de Core Edition, ejecute 'slui.exe 0x2a 0x80070426' para mostrar el texto de error.
    Error: 0x80070426

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0001000000000000
    Event Time Stamp: 7:23:2013 13:46
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered Service: sppsvc


    HWID Data-->
    HWID Hash Current: MgAAAAEABAABAAEAAQABAAAAAQABAAEAeqj0m7VubMCg1XhclpTOACZqWhZOuHKP7Ds=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   P4M890  AWRDACPI
      FACP   P4M890  AWRDACPI
      MCFG   P4M890  AWRDACPI

    Wednesday, July 24, 2013 5:41 PM

Answers

  • The usual cause of this error set is the SPLDR service being disabled or broken in some way (often the ConfigFlags entry has been mis-set by Norton).

    In your case, the service has been disabled in the registry.

      Start    REG_DWORD    0x4

    If you change that value to 0, it will auto-start, and things should return to normal after a reboot :)

    Post a new MGADiag report so we can check the outcome.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Saturday, July 27, 2013 11:09 AM
    Moderator

All replies

  • Windows Product ID: 00371-222-4136142-86840

    The 222 portion of your Product ID indicates that you are using a not for resale, leaked MSDN Subscription Key.  In order to get an MSDN subscription, you need to sign agreements with Microsoft.  Then they allow you access to keys that are to be used ONLY for the purpose for which they were intended.  When those keys are "activated" enough times, Microsoft will ban them from further use.  That might take over a year before a particular one is banned.  But the effect is the same - the counterfeit installation is then flagged as non-genuine.

    For more information see the following thread:

    http://social.microsoft.com/Forums/en-US/a2444f34-0aff-4f29-a8ac-67e28b0c0285/blocked-product-keys

    If you bought this in a Retail box, you were sold a counterfeit.  You will need to install a genuine copy of Windows 7.


    Wednesday, July 24, 2013 6:14 PM
  • Apart from Kamin's perfectly correct comments, you also have a problem with activation....

    (Have you EVER used Norton software on this machine?)

    Please run the following commands, and post the results.

    REG QUERY HKLM\SYSTEM\CurrentControlSet\services\spldr /S

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR /S

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_SLSVC

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_SPPSVC

    They may show something.

    (NOTE - another possible cause is Read-only Windows folders)

    Here are some instructions to make life easier :)

    1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt. 

    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once. 

    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.     


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Wednesday, July 24, 2013 9:02 PM
    Moderator
  • You will need to replace the pirated not-for-resale MSDN Subscription product key with a genuine "full retail" edition of Windows 7 Professional.

    Carey Frisch

    Wednesday, July 24, 2013 9:59 PM
    Moderator
  • Carey

    How do you know the OP is not a subscriber?


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, July 25, 2013 5:52 AM
    Moderator
  • Sorry guys, should have mentioned that too..

    I am an MSDN subscriber as well as working in a Partner organization, not a pirated copy, although the possibility of it being banned does exist. Sadly I am taking over what does not seem to be a very tight ship, so knowing it's an MSDN key is helpful. At the moment I need to get it running more than fixing the licensing, but with this info that will be next on my list. It's useful to know that the 222 in the PID is for MSDN; that may give me a way to sweep the place with WMI later.

    For now I'll try Noel's suggestions and see if I can get this thing running or not. Norton has not been used, but McAfee, Spybot, and MalwareBytes have. I have seen some of MBAM's more aggressive cleaners do this before, but not recently. That may prove to be the cause, but since I uninstalled MBAM, taking its logs with it, I may never know (Rats).

    C:\>REG QUERY HKLM\SYSTEM\CurrentControlSet\services\spldr /S

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldr
        DisplayName    REG_SZ    Security Processor Loader Driver
        ErrorControl    REG_DWORD    0x3
        Start    REG_DWORD    0x4
        Type    REG_DWORD    0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldr\Enum
        0    REG_SZ    Root\LEGACY_SPLDR\0000
        Count    REG_DWORD    0x1
        NextInstance    REG_DWORD    0x1

    C:\>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR /S

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR
        NextInstance    REG_DWORD    0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000
        Service    REG_SZ    spldr
        Legacy    REG_DWORD    0x1
        ConfigFlags    REG_DWORD    0x400
        Class    REG_SZ    LegacyDriver
        ClassGUID    REG_SZ    {8ECC055D-047F-11D1-A537-0000F8753ED1}
        DeviceDesc    REG_SZ    Security Processor Loader Driver
        Capabilities    REG_DWORD    0x0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000\Control

    C:\>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_SLSVC
    ERROR: El sistema no ha podido encontrar la clave o el valor del Registro
    especificados.   (Spanish for The system couldn't find the specified key or value)

    C:\>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_SPPSVC
    ERROR: El sistema no ha podido encontrar la clave o el valor del Registro
    especificados.  (DITTO)

    No help here, no legacy security processors or License providers..

    This is probably a stupid question, but is there any direct way to find out what file is missing ?

    I am about to fire up process explorer and try to run the executable, but I'm not sure that will work with a service. I read somewhere that a tampered service could mean some rootkit has a hook into it so I am about to run GMER on it and check if the service starts in safe mode (assuming it even runs in safe mode).

    Thanks everyone for your help and suggestions !

    Dave

    Thursday, July 25, 2013 6:45 PM
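As an added illustration (not code from the thread or from any of the posters), a script that parses the kind of `REG QUERY ... /S` output Dave pasted above and flags the two conditions Noel points to: spldr's Start value not being 0 (Boot) and the DISABLED bit being set in LEGACY_SPLDR's ConfigFlags. The sample text is Dave's spldr output reproduced as a constructed input; the Start-value names and the CONFIGFLAG_DISABLED bit (0x1) are the standard Windows definitions.

```python
import re

# Constructed sample input: the spldr output Dave pasted in the thread,
# reproduced here as test data rather than captured live from a machine.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldr
    DisplayName    REG_SZ    Security Processor Loader Driver
    ErrorControl    REG_DWORD    0x3
    Start    REG_DWORD    0x4
    Type    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000
    Service    REG_SZ    spldr
    ConfigFlags    REG_DWORD    0x400
"""

# Service Start values; 0 (Boot) is what Noel's fix sets for spldr.
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
CONFIGFLAG_DISABLED = 0x1  # Windows CONFIGFLAG_DISABLED bit in Enum\...\ConfigFlags

def parse_reg_query(text):
    """Turn `REG QUERY <key> /S` output into {key_path: {value_name: data}}.
    REG_DWORD data becomes an int; other types stay strings."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):      # key paths are printed unindented
            current = line.strip()
            keys[current] = {}
            continue
        # value lines look like "<name>    <type>    <data>", split on runs of spaces
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2) + [""]
        name, vtype, data = parts[:3]
        keys[current][name] = int(data, 16) if vtype == "REG_DWORD" else data
    return keys

def check_spldr(keys):
    """Return findings that explain an 'error 2' on sppsvc, per the thread."""
    findings = []
    for path, values in keys.items():
        if path.rsplit("\\", 1)[-1].lower() == "spldr":
            start = values.get("Start")
            if start != 0:
                findings.append("spldr Start=%s (%s); expected 0 (Boot)"
                                % (start, START_NAMES.get(start, "?")))
        if str(values.get("Service", "")).lower() == "spldr":
            if values.get("ConfigFlags", 0) & CONFIGFLAG_DISABLED:
                findings.append("LEGACY_SPLDR ConfigFlags has the DISABLED bit set")
    return findings
```

On a live box the same two functions can be fed the output of `reg query HKLM\SYSTEM\CurrentControlSet\services\spldr /s` captured with subprocess; an empty findings list means the registry side of the fix is already in place.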
  • Hello all,

    No luck. GMER found nothing, McAfee found nothing, service still gives error 2 and complains about a missing file. Watched with Procmon and could not find any sign of what was missing. There are some file-related errors, but they occur on every file; I think Windows checks whether every file is a reparse point to make sure it's just a file. No real help there.

    Is there any way to reinstall the licensing components other than a full blown repair install (in place upgrade) ?

    Dave

    Friday, July 26, 2013 12:23 PM
  • open cmd with admin rights:

    slmgr /upk (uninstall product key)
    slmgr /cpky (clear registry setting)

    Reboot the Machine

    slmgr /ipk xxxxx-xxxxxx-xxxxxx-xxxxx-xxxxx (Your Product key goes here, dashes included)
    slmgr /rilc (reinstall licence files)
    slmgr /ato (automatic updates)

    Reboot the Machine


    Regards, Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

    Friday, July 26, 2013 12:35 PM
  • Hello all,

    Kudos Noel, that was it.. I was just getting ready to fire up ServiWin and compare this system to another one, but you were right on the dot.

    After I rebooted it came up as not being activated, but it activated online directly out of System Properties, so it does not appear the key is banned. (This is a testing machine, but building out a new one is a chore.) I'm building out a new one now, but after a few scans I can let them use this one while I build the new one.

    Thank you for all your assistance and patience with this. Have a great day !

    Dave

    Monday, July 29, 2013 12:27 PM
  • You're welcome - glad it worked for you.

    Good luck.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Monday, July 29, 2013 2:20 PM
    Moderator