Windows 7 Enterprise Not genuine, Enterprise environment, After Virus

  • Question

  • We've seen a few virus infections that after they are cleaned, Windows comes up non-genuine. We have been unable to activate the license through the VLS. I ran the diags and this is the output.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 50
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-Q799D-Y6JJ3-86WC6
    Windows Product Key Hash: NhiaeilolLeliTKRtmWljjyi0dc=
    Windows Product ID: 00392-914-0000007-85109
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010100.1.0.004
    ID: {B0A78A13-5DA8-44A5-B09D-7DF70C88510F}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Enterprise
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120830-0333
    TTS Error: T:20121219082007802-
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{B0A78A13-5DA8-44A5-B09D-7DF70C88510F}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.004</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-86WC6</PKey><PID>00392-914-0000007-85109</PID><PIDType>5</PIDType><SID>S-1-5-21-982623906-548005818-1918393941</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8000 Elite CMT PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786G7 v01.02</Version><SMBIOSVersion major="2" minor="6"/><Date>20091022000000.000000+000</Date></BIOS><HWID>15663A07018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Enterprise edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: b793ff2d-9d80-407c-b521-85111c51028c
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00392-00170-914-000000-00-1033-7601.0000-0302013
    Installation ID: 017815334411164831820133356716368094280015406506799630
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 86WC6
    License Status: Notification
    Notification Reason: 0xC004FE00.
    Remaining Windows rearm count: 5
    Trusted time: 1/30/2013 4:39:52 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 12:6:2012 17:24
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: NgAAAAIABAABAAEAAQACAAAAAQABAAEA6GFu7k40jHjI6xQDMrp8IkbD1v7eiELY0T6OLUbK

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   COMPAQ  EAGLLAKE
      FACP   COMPAQ  EAGLLAKE
      HPET   COMPAQ  EAGLLAKE
      MCFG   COMPAQ  EAGLLAKE
      ASF!   COMPAQ  EAGLLAKE
      TCPA   COMPAQ  EAGLLAKE
      SLIC   HPQOEM  SLIC-BPC

    Any direction would be appreciated.

    Thanks

    Wednesday, January 30, 2013 9:57 PM

Answers

  • Sorry - I missed that the Enterprise Key was reporting as being Retail (Enterprise is a Volume Only edition).

    It's likely that you'll need to do some file repair work as well....

    Please run a full CHKDSK and SFC scan....

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

    CHKDSK C: /R

    and hit the Enter key.

    You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, press Enter, and then reboot.

    The CHKDSK will take a few hours depending on the size of the drive, so be patient!

    After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC.

    SFC - System File Checker - Instructions

    Click on Start > All Programs > Accessories

    Right-click on the Command Prompt entry

    Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

    At the Command prompt, type

    SFC /SCANNOW

    and hit the Enter key.

    Wait for the scan to finish - make a note of any error messages - and then reboot.

    Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload it to your SkyDrive Public folder (http://skydrive.live.com) and post a link to it so that I can take a look.

    Post a new MGADiag report with details of any error messages encountered.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, January 31, 2013 4:26 PM
    Moderator

All replies

  • (This machine appears to have had problems since at least 19th December??)

    Please first try recreating Licensing Store.

    Recreate the Licensing Store

    Go to Start > All Programs > Accessories

    Right-Click on Command Prompt and select Run as Administrator - accept the UAC prompt

    Run the following commands in the Command Prompt window, using the Enter key at the end of each

    net stop sppsvc

    (wait until the service has stopped before entering the following lines)

    CD %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform

    REN tokens.dat tokens.bar

    net start sppsvc

    slui.exe

    After a couple of seconds the Windows Activation dialog will appear.

    You may be asked to re-activate and/or re-enter your product key, or Activation may occur automatically.

    If you are asked for your Key, use the one on the COA sticker on the machine's case

    Reboot and Post back with a new MGADiag report

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Wednesday, January 30, 2013 10:20 PM
    Moderator
  • We have tried that twice already. The COA on the machine is different. We use a KMS on site and the KMS is saying that the product ID is blocked, which can't be possible or every machine rebuild wouldn't activate. Is there something the virus could have done to have caused this? Is it possible the virus was able to change the product ID?
    Thursday, January 31, 2013 3:49 PM
  • Just ran some tests... The virus was able to change the product ID... I'll try changing it to our enterprise account product ID and see if it will reactivate correctly

    Thursday, January 31, 2013 3:54 PM
  • Sorry for not replying back but we have yet to track this down to anything. We have about 10 machines infected and have had to replace the machines. We do have a license for about 100 seats we can use to activate just in case. We are doing some forensics on an infected PC and will post what we found. So far we have found that it is virus related and that it removes Local Administration rights from the C:\Windows folder recursively.
    Wednesday, February 27, 2013 5:30 PM
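A read-only PowerShell triage script, added here and not from the thread, covering the two findings above: the Windows licence reporting a RETAIL channel on an Enterprise edition (the mismatch the moderator spotted in the MGADiag output), and BUILTIN\Administrators losing its access entries on C:\Windows and its first-level subfolders (what the forensics found). It assumes Windows 7 with PowerShell 2.0 or later in an elevated session; the Windows Application ID comes from the report above, and the expected VOLUME_KMSCLIENT channel name is an assumption about a KMS-activated client.

```powershell
# Added triage script, not from the thread. Assumes Windows 7 with PowerShell 2.0
# or later, run in an elevated session. Read-only: it reports and changes nothing.

# --- 1. Licensing state (the data MGADiag prints under "Licensing Data") ---
# Application ID of the Windows OS licence, as shown in the report above.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$lic = Get-WmiObject -Class SoftwareLicensingProduct |
    Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey }
foreach ($p in $lic) {
    "Name:         $($p.Name)"
    "Description:  $($p.Description)"
    "Status:       $($p.LicenseStatus)   (1 = Licensed, 5 = Notification)"
    "Partial key:  $($p.PartialProductKey)"
    # Enterprise is volume-only; a KMS client normally reports a VOLUME_KMSCLIENT channel (assumed).
    if ($p.Name -match 'Enterprise' -and $p.Description -match 'RETAIL') {
        Write-Warning 'Enterprise edition with a RETAIL channel key: this is not a KMS client key.'
    }
}

# --- 2. Administrators ACEs on %windir% and its top-level subfolders ---
$admins   = 'BUILTIN\Administrators'
$targets  = @(Get-Item $env:windir) +
            @(Get-ChildItem $env:windir | Where-Object { $_.PSIsContainer })
$stripped = @()
foreach ($dir in $targets) {
    try { $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop }
    catch { $stripped += "$($dir.FullName) (DACL unreadable: $($_.Exception.Message))"; continue }
    $allow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $admins -and $_.AccessControlType -eq 'Allow' })
    $deny  = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $admins -and $_.AccessControlType -eq 'Deny' })
    # Stock Windows 7 grants Administrators Modify on %windir% itself and Full Control
    # (inherit-only) beneath it, so a folder with no Allow ACE, or with a Deny ACE, stands out.
    if ($allow.Count -eq 0 -or $deny.Count -gt 0) { $stripped += $dir.FullName }
}
if ($stripped.Count -eq 0) {
    "BUILTIN\Administrators ACEs present on all $($targets.Count) folders checked under $env:windir."
} else {
    Write-Warning "Administrators rights missing or denied on $($stripped.Count) folder(s):"
    $stripped
}
```

Run it on a cleaned machine before attempting reactivation; a RETAIL channel on Enterprise or missing Administrators ACEs under %windir% explains why the KMS refuses the client and why repair tools fail to write.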
  • Thanks for the feedback!

    All information gratefully received :)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, February 28, 2013 9:00 PM
    Moderator