Win7 Update Error 80096001, CAN'T UPDATE! + "not genuine" after rootkit removal

  • Question

  • HI

    I am running Windows 7 Home Premium (Spanish/Chile) and Windows Update is failing, giving error 80096001.

    In addition I am receiving a message telling me "This computer is not running genuine Windows". This computer was purchased new about a year ago with this licensed Windows installed.

    Before, I had the ZeroAccess/Sirefef rootkit malware/virus, and only after running ComboFix a few times it seems it went away (about 1 week ago).

    PLS GIVE ME SOME GUIDANCE

    I have run the Genuine Diagnostics MGADiag tool, getting these results:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-D96PV-T9B9D-M8X2Q
    Windows Product Key Hash: Fq/JsPUI1NdT6veDtiDB8N1RQUs=
    Windows Product ID: 00359-OEM-8992687-00246
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {82DF8798-D6A2-46CB-8FB4-7A77BC7B8D96}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.111025-1505
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\INTER\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{82DF8798-D6A2-46CB-8FB4-7A77BC7B8D96}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-M8X2Q</PKey><PID>00359-OEM-8992687-00246</PID><PIDType>2</PIDType><SID>S-1-5-21-2909454272-1679785552-4241233484</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO., LTD</Manufacturer><Model>MS-6650</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>080015 </Version><SMBIOSVersion major="2" minor="5"/><Date>20091020000000.000000+000</Date></BIOS><HWID>56BC3B07018400F8</HWID><UserLCID>340A</UserLCID><SystemLCID>0C0A</SystemLCID><TimeZone>Hora estándar de Montevideo(GMT-03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>MSI_NB</OEMID><OEMTableID>MEGABOOK</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>C0A25836FDBE5AC</Val><Hash>FmDbcrRY1pTOcrz4ZUZRHhpUuc0=</Hash><Pid>89388-726-2958074-65093</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Versión del Servicio de licencias de software: 6.1.7601.17514

    Nombre: Windows(R) 7, HomePremium edition
    Descripción: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Id. de activación: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
    Id. de aplicación: 55c92734-d682-4d71-983e-d6ec3f16059f
    PID extendido: 00359-00178-926-800246-02-1033-7600.0000-0642010
    Id. de instalación: 016905545912556445941405561351344814838103665633841190
    URL del certificado de procesador: http://go.microsoft.com/fwlink/?LinkID=88338
    URL del certificado de maquina: http://go.microsoft.com/fwlink/?LinkID=88339
    URL de la licencia de uso: http://go.microsoft.com/fwlink/?LinkID=88341
    URL del certificado de clave de producto: http://go.microsoft.com/fwlink/?LinkID=88340
    Clave de producto parcial: M8X2Q
    Estado de la licencia: con licencia
    Recuento de rearmado de Windows restante: 2
    Hora de confianza: 11-03-2012 10:52:50

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000003EFFF
    Event Time Stamp: 3:8:2012 13:04
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe
    Tampered File: %systemroot%\system32\wat\watweb.dll
    Tampered File: %systemroot%\system32\wat\npwatweb.dll
    Tampered File: %systemroot%\system32\wat\watux.exe
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys
    Tampered File: %systemroot%\system32\drivers\spldr.sys


    HWID Data-->
    HWID Hash Current: NAAAAAEABAABAAEAAAABAAAAAwABAAEAeqgugWyAEDNU+aKqivao8SyWiCQsxExbaibI9A==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            102009        APIC1615
      FACP            102009        FACP1615
      HPET            102009        OEMHPET
      MCFG            102009        OEMMCFG
      SLIC            MSI_NB        MEGABOOK
      OEMB            102009        OEMB1615
      SSDT            A M I         POWERNOW

    As this happened after the ComboFix run, I think the rootkit (Sirefef) changed those system files that ComboFix later amended.... but then how do I turn this back into genuine? And most important, how do I keep getting updates??

    Wednesday, March 14, 2012 1:24 PM

Answers

All replies

  • "hhoorr" wrote in message news:8f0f3c94-2ccd-41a2-9049-c53b306ef8e4...

    HI

    I am running Windows 7 Home Premium (Spanish/Chile) and Windows Update is failing, giving error 80096001.

    In addition I am receiving a message telling me "This computer is not running genuine Windows". This computer was purchased new about a year ago with this licensed Windows installed.

    Before, I had the ZeroAccess/Sirefef rootkit malware/virus, and only after running ComboFix a few times it seems it went away (about 1 week ago).

    PLS GIVE ME SOME GUIDANCE

    I have run the Genuine Diagnostics MGADiag tool, getting these results:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-D96PV-T9B9D-M8X2Q
    Windows Product Key Hash: Fq/JsPUI1NdT6veDtiDB8N1RQUs=
    Windows Product ID: 00359-OEM-8992687-00246
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000003EFFF
    Event Time Stamp: 3:8:2012 13:04
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe
    Tampered File: %systemroot%\system32\wat\watweb.dll
    Tampered File: %systemroot%\system32\wat\npwatweb.dll
    Tampered File: %systemroot%\system32\wat\watux.exe
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys
    Tampered File: %systemroot%\system32\drivers\spldr.sys


    HWID Data-->
    HWID Hash Current: NAAAAAEABAABAAEAAAABAAAAAwABAAEAeqgugWyAEDNU+aKqivao8SyWiCQsxExbaibI9A==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
      SLIC            MSI_NB        MEGABOOK

    As this happened after the ComboFix run, I think the rootkit (Sirefef) changed those system files that ComboFix later amended.... but then how do I turn this back into genuine? And most important, how do I keep getting updates??

    The problem with WGA is caused by the file tampers highlighted above.
    The common cause for these tampers is a faulty Intel Rapid Storage Tech driver.
    Download and install the latest version from....
     
    then run another MGADiag report and post the results.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, March 14, 2012 2:16 PM
    Moderator
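As an added example (not from the thread, and not a Microsoft or CrashFixPC tool), the following PowerShell script triages the "Tampered File:" entries from a saved MGADiag report on the affected machine: it confirms Cryptographic Services is running (the cause behind a signature-trust error such as 80096001), then records each flagged binary's version and SHA-256 and asks the built-in System File Checker to verify that single file against the component store. It assumes the report was saved as text at `$ReportPath`, an elevated PowerShell 3.0+ prompt, and that the machine is 32-bit Windows 7 as in the report above.

```powershell
# Added example: triage the "Tampered File:" entries of a saved MGADiag report.
# Run from an elevated PowerShell (3.0 or later) prompt on the affected PC.
# $ReportPath is an assumed location for the saved report text.
param([string]$ReportPath = "$env:USERPROFILE\Desktop\mgadiag.txt")

# Update error 80096001 is a signature-trust failure, so first confirm the
# Cryptographic Services service (the SC QUERYEX CRYPTSVC step) is running.
$crypt = Get-Service -Name CryptSvc
"CryptSvc status: $($crypt.Status)"

# Collect the file paths the report flags. Entries such as
# "...\sppc.dll|sppc.dll.mui" name a binary plus its localized resource DLL
# (kept in a language subfolder), and slui.exe adds a "COM Registration"
# note; only the first '|'-separated part is a path, so that is what we check.
$files = foreach ($line in Get-Content -Path $ReportPath) {
    if ($line -match '^\s*Tampered File:\s*(.+)$') {
        $first = ($Matches[1] -split '\|')[0].Trim()
        [Environment]::ExpandEnvironmentVariables($first)
    }
}

# sfc.exe writes UTF-16 text; without this its captured output is garbled.
$prevEnc = [Console]::OutputEncoding
[Console]::OutputEncoding = [System.Text.Encoding]::Unicode
$sha256 = [System.Security.Cryptography.SHA256]::Create()

$results = foreach ($file in ($files | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $file)) {
        [pscustomobject]@{ File = $file; Version = ''; SHA256 = ''; Sfc = 'MISSING' }
        continue
    }
    $bytes = [System.IO.File]::ReadAllBytes($file)
    $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    # System File Checker verifies one file against the protected component
    # store; its verdict is printed in the system language, so keep the text.
    $verdict = (& "$env:SystemRoot\System32\sfc.exe" /verifyfile=$file |
                Where-Object { $_.Trim() }) -join ' '
    [pscustomobject]@{
        File    = $file
        Version = (Get-Item -LiteralPath $file).VersionInfo.FileVersion
        SHA256  = $hash
        Sfc     = $verdict
    }
}
[Console]::OutputEncoding = $prevEnc
$results | Format-List
```

The version and hash columns can be compared against the same files on a known-clean Windows 7 SP1 machine of the same language and build (7601.win7sp1_gdr.111025-1505 in the report) when posting results back for support.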
  • Thank you, I downloaded the Intel Rapid Storage drivers, but then it came with an error related to minimum system requirements. FYI the processor is AMD Athlon 64 X2 3250e, chipset AMD RS780G + SB710.
    Wednesday, March 14, 2012 4:27 PM
  • "hhoorr" wrote in message news:45adcc35-4e33-496c-9ff4-9ea1dec3d729...
    Thank you, I downloaded the Intel Rapid Storage drivers, but then it came with an error related to minimum system requirements. FYI the processor is AMD Athlon 64 X2 3250e, chipset AMD RS780G + SB710.
     
     
    Ah – OK.
    please run the following command from an Elevated Command Prompt, and copy the results to your response.
     
    SC QUERYEX CRYPTSVC
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, March 14, 2012 4:48 PM
    Moderator
  • right


    NOMBRE_SERVICIO: cryptsvc
            TIPO               : 20  WIN32_SHARE_PROCESS  
            ESTADO             : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            CÓD_SALIDA_WIN32   : 0  (0x0)
            CÓD_SALIDA_SERVICIO: 0  (0x0)
            PUNTO_COMPROB.     : 0x0
            INDICACIÓN_INICIO  : 0x0
            PID                : 1388
            MARCAS         :

    Wednesday, March 14, 2012 5:54 PM
  • The only thing I can recommend at this point is that you contact WGA Support for assistance - once those two fixes fail (or at least fail to give further clues) then the situation is probably too complex to be dealt with in a forum context.

    WGA Support can be found here-


    North America: http://support.microsoft.com/contactus/cu_sc_genadv_master?ws=support&ws=support#tab4

    Outside North America:
    http://support.microsoft.com/contactus/?ws=support#tab0

    Please let us know if (and how) MS manage to repair the problem without a repair install of the OS - it would be useful for future reference!


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    • Marked as answer by Darin Smith MS Wednesday, March 14, 2012 7:24 PM
    Wednesday, March 14, 2012 6:21 PM
    Moderator