Windows 7 Ultimate install... Something fishy's going on...

Question
Alright, I've been through a good bit since Saturday. But here's what I have and what happened:
Windows 7 Ultimate, key from the Signature Edition won during the Win7 launch parties way back when.
Saturday, PC rebooted and wouldn't boot. BCD/Bootmgr issue here and there. I reinstall on another hard drive to try and fix my other install... same version, same key. In my head I figure... well it's on the same PC, I can't be using it twice at the same time. Anyway, I tried to fix BCD and screwed that up too... I'm on a roll now. I reformat that drive, reinstall after learning it could be my BIOS! I fix the BIOS but... nah, it doesn't fix my original issue. Screw it, I'll just reinstall Windows 7.
I borrow a disc, not the key, just the disc... well, a copy of the disc. I install. I don't get prompted for my key. I didn't think anything of it (in fact I didn't notice). I start settling into the system but when I go to install Microsoft Security Essentials, I get told that I am not genuine. I go through a good bit to try and get verified and activated. System screen (the one with the performance rating) doesn't have the genuine logo on it, but it also doesn't give me the option to change my key! Confused, I go scour the internet and come back to find my SLUI.EXE cannot be accessed. I don't have permissions to the file. I give myself permissions and start my activation process. It won't do it auto, says my key is not valid. Well... telephone lets me activate after asking me "How many systems is this installed on?" I say 1, because that is true. But since I did install it 3 times in 24 hours on 3 different HDDs, I guess I confused the auto-activation into thinking I was mass producing installations. It then lets me activate. I am activated and genuine according to it and two other online MS places, one that MSE sends you to to verify and another that passes me 6-6 or so tests.
MSE will not install still. I post in answers.microsoft.com about it and someone tells me to download a diag and run it. I check the results and the last tab, license, says it cannot access the file SLMGR.VBS. I check permissions on that file... it's correct. I run the tool again, it says everything the same once more. Hmm... still other things are fishy seeming. I may have to settle on another reinstall to get anything else worked out, BUT I did find that I had SLWGA.DLL and an SLWGA.DLL.BAK. ? I name DLL to DLL.BAD and DLL.BAK to just .DLL and be done with it. I try MSE again and it installs. Ah hah...? Still other fishiness going on, no "change key" still... And the diag tool comes up with the same message at the end of it.
And here it is.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-9XWDK-9C7CT-MR244
Windows Product Key Hash: cGFcvIuXsS+W5zszCFUWhrJdQGg=
Windows Product ID: 00426-292-1390314-85923
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8A422E6A-0A42-4664-95E3-7F151D24C1BF}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120305-1505
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8A422E6A-0A42-4664-95E3-7F151D24C1BF}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-MR244</PKey><PID>00426-292-1390314-85923</PID><PIDType>5</PIDType><SID>S-1-5-21-3529393234-1430560857-1771791908</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO.,LTD</Manufacturer><Model>MS-7577</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V1.17</Version><SMBIOSVersion major="2" minor="5"/><Date>20110218000000.000000+000</Date></BIOS><HWID>D95B3D07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 4:23:2012 01:48
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: OgAAAAIABAABAAIAAQACAAAAAgABAAEAln3u+HbZcFwQM1TQyP9U8lAfznDqIYw1yIosas4NqpqOLg==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC 7577MS A7577100
FACP 7577MS A7577100
SRAT AMD FAM_F_10
HPET 7577MS OEMHPET
MCFG 7577MS OEMMCFG
OEMB 7577MS A7577100
Monday, April 23, 2012 8:27 PM
Answers
File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
These symptoms are consistent with a program called RemoveWat in order to circumvent Windows Activation Technologies.
Solution from Noel D. Paton:
Your system is showing signs of having had RemoveWAT installed – you need to use RemoveWAT again, this time with the Restore function. Then post back with another MGADiag report. If you no longer have RemoveWAT, download WATFix from here (WATFix), and use that.
- Marked as answer by Dressi Tuesday, April 24, 2012 2:27 AM
Monday, April 23, 2012 11:05 PM Answerer
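As an added illustration (not part of the original thread and not a Microsoft tool), the Python below scans MGADiag text for the indicators the answer above points to: File Mismatch entries, the missing slmgr.vbs script, a tampered service, and a non-zero HrOffline or HealthStatus. The function name `triage_mgadiag` and the two sample excerpts are constructed for this example.

```python
import re

# Constructed excerpts based on the two MGADiag reports in this thread. One
# section header is fused onto the preceding value, as can happen when a
# report is pasted into a forum; the patterns below tolerate that.
REPORT_BEFORE = r'''File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100Other data-->
Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
HrOffline: 0x00000000
HealthStatus: 0x0000000000000000
'''
REPORT_AFTER = r'''File Scan Data-->
Licensing Data-->
License Status: Licensed
HrOffline: 0x8004FE22
HealthStatus: 0x0002000000000000
HealthStatus Bitmask Output:
Tampered Service: sppuinotify
'''

def triage_mgadiag(report):
    """Return the tamper indicators found in MGADiag text (hypothetical helper)."""
    # Hr = 0x800b0100 is TRUST_E_NOSIGNATURE: no valid signature for the file.
    mismatches = re.findall(
        r"File Mismatch:\s*(.+?)\[([\d.]+)\],\s*Hr\s*=\s*(0x[0-9A-Fa-f]{8})", report)
    missing = re.findall(r'Can not find script file "([^"]+)"', report)
    tampered = re.findall(r"Tampered Service:\s*(\w+)", report)
    # An HRESULT is 8 hex digits and HealthStatus is 16; fixed widths stop a
    # fused header such as "Data-->" from being read as extra hex digits.
    hr = re.search(r"HrOffline:\s*(0x[0-9A-Fa-f]{8})", report)
    health = re.search(r"HealthStatus:\s*(0x[0-9A-Fa-f]{16})", report)
    hr_offline = hr.group(1).lower() if hr else None
    health_status = int(health.group(1), 16) if health else None

    findings = []
    for path, version, code in mismatches:
        findings.append(f"file mismatch: {path} [{version}] hr={code.lower()}")
    findings += [f"licensing script missing: {p}" for p in missing]
    findings += [f"tampered service: {s}" for s in tampered]
    if hr_offline not in (None, "0x00000000"):
        findings.append(f"offline validation failed: {hr_offline}")
    if health_status:
        findings.append(f"health bits set: {health_status:#018x}")
    return {"mismatched_files": [m[0] for m in mismatches],
            "missing_scripts": missing, "tampered_services": tampered,
            "hr_offline": hr_offline, "findings": findings,
            "suspect": bool(findings)}

if __name__ == "__main__":
    for label, text in (("first report", REPORT_BEFORE), ("second report", REPORT_AFTER)):
        print(label, triage_mgadiag(text)["findings"])
```
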
All replies
Posting as an FYI only:
OP's original thread & background here => http://answers.microsoft.com/en-us/protect/forum/protect_start/mse-says-im-not-on-genuine-windows-but-windows/0118b935-db14-4260-b8d4-f22ef40e5f1e
~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
Monday, April 23, 2012 9:57 PM -
As I begin to answer my own questions (or just make new ones)... I have found more .BAK files. SLWGA.DLL.BK, SYSTEMCPL.DLL.BAK and USER32.DLL.BAK. I also found the regular .DLL next to each one. I did a checksum comparison between the ones just named .DLL and the files on my cloned hard drive. They're different. When I rename the .BAK to just .DLL, the checksums add up. So I've changed the .BAK to just .DLL and the imposter DLLs to .BAD for now. (But I did read that something can fake the MD5 and SHA-1 results...)
I checked up on the internet to see what (my own post was #3 in Bing...) but also looking up the files without .BAK (just .DLL) and RemoveWAT and Wpakill.B turn up in the first two results. I had asked a co-worker about this (about my MSE conundrum) and was told to run RemoveWAT and then reinstall WAT as a way to get myself back on the genuine track. I haven't done anything like that... but... would that work? I feel I've either been compromised OR I was from the beginning. So... can I make this install genuine? I tried looking at how to back out what RemoveWAT OR Wpakill.B would do, but haven't gone too deep. I dun wanna mess it up more than I've managed XD
SPP Notification Service (one of the Wpakill.b victims) won't start...
[All in all, MSE and Live Essentials installed, I have a 'working' install of Win7Ultimate... I just don't have a "genuine" badge or the ability to change my key. I don't think I'll be doing that anytime soon, so I am pretty much just poking holes in seemingly good pie crust]
Monday, April 23, 2012 11:07 PM -
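The comparison described in the post above can be scripted; this is an added example, not code from the thread. It hashes each live file and any renamed sibling (.bak, .bk, .bad) with SHA-256 and compares them with a reference directory that is assumed to be a trusted copy, ideally with the suspect drive mounted offline on another machine. All names here (`audit_renamed_copies`, `demo`, the sample file contents) are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

RENAMED_SUFFIXES = (".bak", ".bk", ".bad")  # suffixes mentioned in the thread

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def audit_renamed_copies(suspect_dir, reference_dir):
    """Compare live files and renamed siblings against a trusted reference copy."""
    reference = {p.name.lower(): sha256_file(p)
                 for p in Path(reference_dir).iterdir() if p.is_file()}
    report = {}
    for p in sorted(Path(suspect_dir).iterdir()):
        name = base = p.name.lower()
        for suffix in RENAMED_SUFFIXES:
            if name.endswith(suffix):
                base = name[:-len(suffix)]
                break
        if not p.is_file() or base not in reference:
            continue  # nothing trusted to compare this file with
        entry = report.setdefault(base, {"live_ok": None, "copies": {}})
        matches = sha256_file(p) == reference[base]
        if name == base:
            entry["live_ok"] = matches
        else:
            entry["copies"][p.name] = matches
    for entry in report.values():
        good = [n for n, ok in entry["copies"].items() if ok]
        if entry["live_ok"]:
            entry["verdict"] = "live file matches reference"
        elif good:
            entry["verdict"] = "live file missing or altered; original kept as " + good[0]
        else:
            entry["verdict"] = "live file missing or altered; restore from reference"
    return report

def demo():
    """Build constructed sample trees (not real system files) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect, ref = Path(tmp, "suspect"), Path(tmp, "reference")
        suspect.mkdir()
        ref.mkdir()
        (ref / "user32.dll").write_bytes(b"original user32")
        (ref / "slwga.dll").write_bytes(b"original slwga")
        (suspect / "user32.dll").write_bytes(b"patched user32")
        (suspect / "user32.dll.bak").write_bytes(b"original user32")
        (suspect / "slwga.dll").write_bytes(b"original slwga")
        return audit_renamed_copies(suspect, ref)
```

A matching hash only shows the file equals the reference copy; the result is as trustworthy as the reference and the machine doing the hashing.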
You have a real mess on your hands. You seem to have both an activation exploit and malware.
Wpakill.B: I have seen this defined as both an activation exploit and as malware.
See this:
Personally, at this point I would reinstall.
At least run a malware scan such as Malwarebytes.
http://www.malwarebytes.org/products/malwarebytes_free
It may be that the malware may have rendered MSE ineffective if the malware was present before MSE was installed.
- Proposed as answer by Robear Dyer (PA Bear), MS-MVP since October 2002MVP Tuesday, April 24, 2012 12:59 AM
Tuesday, April 24, 2012 12:38 AMAnswerer -
...It may be that the malware may have rendered MSE ineffective if the malware was present before MSE was installed.
+1
Cite:
• Can I install Microsoft Security Essentials [or any other anti-virus/anti-spyware application] to clean up my already-infected computer?
http://answers.microsoft.com/thread/87058857-d181-4019-a723-efd9a49d9275
• Cleaning a Compromised System
http://technet.microsoft.com/en-us/library/cc700813.aspx
See the (my) ANSWER post in this thread and follow those instructions (to-the-letter and in order!) to return your computer to a secure & functional state: http://answers.microsoft.com/thread/bc95f2f0-7968-4bd0-8de5-70b83db31fa6
Note: The computer should NOT be connected to the internet or any local networks (i.e., other computers) in its current state. All of your personal data (e.g., online banking & credit-card passwords) should be considered at-risk, if not already compromised.
Good luck!
~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
- Proposed as answer by Robear Dyer (PA Bear), MS-MVP since October 2002MVP Tuesday, April 24, 2012 12:59 AM
Tuesday, April 24, 2012 12:59 AM -
Sorry George, I didn't see your post as I had been writing mine at the time yours popped up and I guess I didn't see it.
WATFix seems to have given me back what I'm used to seeing:
Windows is activated > Product ID: blah... "Ask for Genuine microsoft software..."
I scanned my system from another machine (hard drive in a cradle) with Malwarebytes, MSE and my company's McAfee (which may or may not be any better than Malwarebytes). It only came up with faXcool.exe that had the Wpakill.B hacktool. A few searches on the internet and I found that it actually comes pre-loaded on a few torrented copies of Win7 as a means to bypass activation. It's a Serbian dude (according to his blogspot) that does this. Looked out on piratebay and found his download being seeded by
So... you don't think I can trust this installation of 7 anymore, eh? I'm only 2 days into the installation so it might not be a bad idea to just reinstall and get things over with.
My question now... where do I get a good win7ultimate 64-bit disc...
Tuesday, April 24, 2012 2:23 AM -
the new diag
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-9XWDK-9C7CT-MR244
Windows Product Key Hash: cGFcvIuXsS+W5zszCFUWhrJdQGg=
Windows Product ID: 00426-292-1390314-85923
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8A422E6A-0A42-4664-95E3-7F151D24C1BF}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120305-1505
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8A422E6A-0A42-4664-95E3-7F151D24C1BF}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-MR244</PKey><PID>00426-292-1390314-85923</PID><PIDType>5</PIDType><SID>S-1-5-21-3529393234-1430560857-1771791908</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO.,LTD</Manufacturer><Model>MS-7577</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V1.17</Version><SMBIOSVersion major="2" minor="5"/><Date>20110218000000.000000+000</Date></BIOS><HWID>D95B3D07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00170-292-139031-00-1033-7601.0000-1132012
Installation ID: 015690032931258251455005851800756830633413428885833372
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MR244
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 4/23/2012 10:25:23 PM
Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0002000000000000
Event Time Stamp: 4:23:2012 01:48
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered Service: sppuinotify
HWID Data-->
HWID Hash Current: PAAAAAIABAABAAIAAQACAAAAAwABAAEAln3u+HbZcFwQM1TQyP9U8lAfznDqIYw1yIosas4Nqppy5Y4u
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC 7577MS A7577100
FACP 7577MS A7577100
SRAT AMD FAM_F_10
HPET 7577MS OEMHPET
MCFG 7577MS OEMMCFG
OEMB 7577MS A7577100
Tuesday, April 24, 2012 2:25 AM -
I would not trust this install at all. It is completely unknown what evils may be lurking.
What happened to your original disk?
If you know someone with a legitimate Ultimate disk you could use that with your key. Or you could ask here for a link to a legitimate Digital River .iso; someone will give you one.
http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install?tab=all
Tuesday, April 24, 2012 3:46 AMAnswerer