Windows 7 Ultimate install... Something fishy's going on...

  • Question

  • Alright, I've been through a good bit since Saturday.  But here's what I have and what happened:

    Windows 7 Ultimate, key from the Signature Edition won during the Win7 launch parties way back when.

    Saturday, PC rebooted and wouldn't boot. BCD/Bootmgr issue here and there. I reinstall on another hard drive to try and fix my other install... same version, same key. In my head I figure... well, it's on the same PC, I can't be using it twice at the same time. Anyway, I tried to fix BCD and screwed that up too... I'm on a roll now. I reformat that drive, reinstall after learning it could be my BIOS! I fix the BIOS but... nah, it doesn't fix my original issue. Screw it, I'll just reinstall Windows 7.

    I borrow a disc, not the key, just the disc... well, a copy of the disc. I install. I don't get prompted for my key. I didn't think anything of it (in fact I didn't notice). I start settling into the system, but when I go to install Microsoft Security Essentials, I get told that I am not genuine. I go through a good bit to try and get verified and activated. The System screen (the one with the performance rating) doesn't have the genuine logo on it, but it also doesn't give me the option to change my key! Confused, I go scour the internet and come back to find my SLUI.EXE cannot be accessed. I don't have permissions to the file. I give myself permissions and start my activation process. It won't do it automatically; it says my key is not valid. Well... telephone lets me activate after asking me "How many systems is this installed on?" I say 1, because that is true. But since I did install it 3 times in 24 hours on 3 different HDDs, I guess I confused the auto-activation into thinking I was mass-producing installations. It then lets me activate. I am activated and genuine according to it and two other online MS places, one that MSE sends you to to verify and another that passes me 6-6 or so tests.

    MSE will not install still. I post in answers.microsoft.com about it and someone tells me to download a diag and run it. I check the results and the last tab, license, says it cannot access the file SLMGR.VBS. I check permissions on that file... it's correct. I run the tool again; it says everything the same once more. Hmm... still other things are seeming fishy. I may have to settle on another reinstall to get anything else worked out, BUT I did find that I had SLWGA.DLL and an SLWGA.DLL.BAK. ? I rename DLL to DLL.BAD and DLL.BAK to just .DLL and be done with it. I try MSE again and it installs. Ah hah...? Still other fishiness going on, no "change key" still... And the diag tool comes up with the same message at the end of it.

    And here it is.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-9XWDK-9C7CT-MR244
    Windows Product Key Hash: cGFcvIuXsS+W5zszCFUWhrJdQGg=
    Windows Product ID: 00426-292-1390314-85923
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {8A422E6A-0A42-4664-95E3-7F151D24C1BF}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120305-1505
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{8A422E6A-0A42-4664-95E3-7F151D24C1BF}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-MR244</PKey><PID>00426-292-1390314-85923</PID><PIDType>5</PIDType><SID>S-1-5-21-3529393234-1430560857-1771791908</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO.,LTD</Manufacturer><Model>MS-7577</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V1.17</Version><SMBIOSVersion major="2" minor="5"/><Date>20110218000000.000000+000</Date></BIOS><HWID>D95B3D07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 4:23:2012 01:48
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: OgAAAAIABAABAAIAAQACAAAAAgABAAEAln3u+HbZcFwQM1TQyP9U8lAfznDqIYw1yIosas4NqpqOLg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   7577MS  A7577100
      FACP   7577MS  A7577100
      SRAT   AMD     FAM_F_10
      HPET   7577MS  OEMHPET
      MCFG   7577MS  OEMMCFG
      OEMB   7577MS  A7577100

    Monday, April 23, 2012 8:27 PM

Answers

  • File Scan Data-->
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

    Licensing Data-->
    Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

    These symptoms are consistent with a program called RemoveWAT, used to circumvent Windows Activation Technologies.

    Solution from Noel D. Paton:

    Your system is showing signs of having had RemoveWAT installed – you need to use RemoveWAT again, this time with the Restore function.
    Then post back with another MGADiag report.
    If you no longer have RemoveWAT, download WATFix from here (WATFix) and use that.


    • Marked as answer by Dressi Tuesday, April 24, 2012 2:27 AM
    Monday, April 23, 2012 11:05 PM
    Answerer
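The two findings the answer above relies on are both error codes from the report: 0x800B0100 is TRUST_E_NOSIGNATURE (the file carries no valid signature, here on stock OS binaries that should be catalog-signed), and 0x80070002 is ERROR_FILE_NOT_FOUND (slmgr.vbs is gone). The script below is an added example, not code from the thread, from MGADiag, or from RemoveWAT/WATFix; it re-checks those indicators on the live system and also looks at the two things the later report turns up, the sppuinotify service and leftover .bak/.bk/.bad shadow copies beside replaced files. The watch list of file names is an assumption; extend it as needed.

```powershell
# Added example; not code from the thread, MGADiag, RemoveWAT or WATFix.
# Re-checks on the live system what the report flags: signature status of the
# WAT/SPP binaries, whether slmgr.vbs is present, leftover .bak/.bk/.bad shadow
# copies beside replaced files, and the binaries behind sppsvc and sppuinotify.
# Assumes PowerShell 5.1 or later, where Get-AuthenticodeSignature consults the
# OS catalogs (stock binaries show SignatureType = Catalog).  Under the Windows 7
# default PowerShell 2.0 catalog-signed files report NotSigned, so cross-check
# any such result with "sfc /verifyfile=<path>".  Run from an elevated prompt.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Assumed watch list: the two files flagged in the report plus the components
# that activation-bypass tools commonly replace or disable.
$watched = 'systemcpl.dll', 'user32.dll',
           'slwga.dll', 'slc.dll', 'slui.exe', 'slmgr.vbs',
           'sppsvc.exe', 'sppuinotify.dll'

function Get-FileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ File = $Path; Signature = 'MISSING'; Type = $null; Version = $null; Signer = $null }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{
        File      = $Path
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Type      = $sig.SignatureType     # Catalog, Authenticode or None
        Version   = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        Signer    = $signer
    }
}

# Resolve the file a service really runs: svchost-hosted services (sppuinotify)
# keep their code in Parameters\ServiceDll, not in ImagePath.
function Resolve-ServiceBinary {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $dll   = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    $raw = if ($dll) { $dll } else { $image }
    if (-not $raw) { return $null }
    # Strip arguments: quoted path first, otherwise everything up to the first space.
    $exe = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables(($exe -replace '^\\SystemRoot', $env:SystemRoot))
}

$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$services = foreach ($name in 'sppsvc', 'sppuinotify') {
    $svc    = Get-Service -Name $name -ErrorAction SilentlyContinue
    $start  = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).Start
    $bin    = Resolve-ServiceBinary $name
    $binSig = if ($bin -and (Test-Path -LiteralPath $bin)) { (Get-AuthenticodeSignature -FilePath $bin).Status } else { 'MISSING' }
    $state  = if ($svc) { $svc.Status } else { 'MISSING' }
    $startName = if ($startNames.ContainsKey([int]$start)) { $startNames[[int]$start] } else { $start }
    [pscustomobject]@{ Service = $name; State = $state; StartType = $startName; Binary = $bin; BinarySig = $binSig }
}

# A replaced file's original is often left beside it under another extension.
$shadows = Get-ChildItem -LiteralPath $sys32 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(bak|bk|bad)$' } |
    Select-Object Name, Length, LastWriteTime

$files = foreach ($f in $watched) { Get-FileReport (Join-Path $sys32 $f) }
$files    | Format-Table -AutoSize
$services | Format-Table -AutoSize
$shadows  | Format-Table -AutoSize

$suspect = @($files    | Where-Object { $_.Signature -ne 'Valid' }) +
           @($services | Where-Object { $_.BinarySig -ne 'Valid' })
if ($suspect -or $shadows) {
    Write-Warning 'Tamper indicators present; treat this installation as untrusted.'
}
```

Read the Version column against the build in the report: the flagged files there carry 6.1.7600.16385 (the RTM file version) on a 7601 (SP1) build lab, which is a second tell independent of the signature check. A clean result from this script is not proof of a clean system, since anything that ran as administrator could have touched the catalogs as well; it only tells you whether the specific indicators MGADiag reported are still present.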

All replies

  • Posting as an FYI only:

    OP's original thread & background here => http://answers.microsoft.com/en-us/protect/forum/protect_start/mse-says-im-not-on-genuine-windows-but-windows/0118b935-db14-4260-b8d4-f22ef40e5f1e 


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft

    Monday, April 23, 2012 9:57 PM
  • As I begin to answer my own questions (or just make new ones)... I have found more .BAK files: SLWGA.DLL.BK, SYSTEMCPL.DLL.BAK and USER32.DLL.BAK. I also found the regular .DLL next to each one. I did a checksum comparison between the ones just named .DLL and the files on my cloned hard drive. They're different. When I rename the .BAK to just .DLL, the checksums add up. So I've changed the .BAK to just .DLL and the impostor DLLs to .BAD for now. (But I did read that something can fake the MD5 and SHA-1 results...)

    I checked up on the internet to see what (my own post was #3 in Bing...), but also looking up the files without .BAK (just .DLL), RemoveWAT and Wpakill.B turn up in the first two results. I had asked a co-worker about this (about my MSE conundrum) and was told to run RemoveWAT and then reinstall WAT as a way to get myself back on the genuine track. I haven't done anything like that... but... would that work? I feel I've either been compromised OR I was from the beginning. So... can I make this install genuine? I tried looking at how to back out what RemoveWAT OR Wpakill.B would do, but haven't gone too deep. I dun wanna mess it up more than I've managed XD

    SPP Notification Service (one of the Wpakill.b victims) won't start...

    [All in all, MSE and Live Essentials installed, I have a 'working' install of Win7Ultimate...  I just don't have a "genuine" badge or the ability to change my key.  I don't think I'll be doing that anytime soon, so I am pretty much just poking holes in seemingly good pie crust]

    Monday, April 23, 2012 11:07 PM
  • You have a real mess on your hands. You seem to have both an activation exploit and malware.

    Wpakill.B: I have seen this defined as both an activation exploit and as malware.

    See this:

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=HackTool%3AWin32%2FWpakill.B

    Personally, at this point I would reinstall.

    At least run a malware scan such as Malwarebytes.

    http://www.malwarebytes.org/products/malwarebytes_free

    It may be that the malware has rendered MSE ineffective, if the malware was present before MSE was installed.

    Tuesday, April 24, 2012 12:38 AM
    Answerer
  • ...It may be that the malware may have rendered MSE ineffective if the malware was present before MSE was installed.

    +1

    Cite:

       • Can I install Microsoft Security Essentials [or any other anti-virus/anti-spyware application] to clean up my already-infected computer?
          http://answers.microsoft.com/thread/87058857-d181-4019-a723-efd9a49d9275

       • Cleaning a Compromised System
          http://technet.microsoft.com/en-us/library/cc700813.aspx

    See the (my) ANSWER post in this thread and follow those instructions (to-the-letter and in order! ) to return your computer to a secure & functional state: http://answers.microsoft.com/thread/bc95f2f0-7968-4bd0-8de5-70b83db31fa6

    Note: The computer should NOT be connected to the internet or any local networks (i.e., other computers) in its current state. All of your personal data (e.g., online banking & credit-card passwords) should be considered at-risk, if not already compromised.

    Good luck!


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft

    Tuesday, April 24, 2012 12:59 AM
  • Sorry George, I didn't see your post; I had been writing mine at the time yours popped up and I guess I missed it.

    WATFix seems to have given me back what I'm used to seeing:

    Windows is activated > Product ID: blah... "Ask for Genuine Microsoft software..."

    I scanned my system from another machine (hard drive in a cradle) with Malwarebytes, MSE and my company's McAfee (which may or may not be any better than Malwarebytes). It only came up with faXcool.exe, which had the Wpakill.B hacktool. A few searches on the internet and I found that it actually comes pre-loaded on a few torrented copies of Win7 as a means to bypass activation. It's a Serbian dude (according to his blogspot) that does this. Looked out on piratebay and found his download being seeded by

    So... you don't think I can trust this installation of 7 anymore, eh? I'm only 2 days into the installation, so it might not be a bad idea to just reinstall and get things over with.

    My question now... where do I get a good Win7 Ultimate 64-bit disc...

    Tuesday, April 24, 2012 2:23 AM
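The checksum comparison against a cloned drive described two posts up, and the scan done from a second machine with the drive in a cradle in the post above, can be combined into one offline check. The script below is an added example, not code from the thread: with the suspect volume and a reference volume from a known-clean install of the same build both mounted on the analysis machine, it hashes every DLL/EXE/VBS in the reference System32, hashes the suspect's live copy and any .bak/.bk/.bad sibling, and reports which copy, if any, matches. The drive letters and the shadow-extension list are assumptions. It uses SHA-256 rather than MD5 or SHA-1, since collisions are practical for those; what actually makes the result meaningful is that the reference predates the incident.

```powershell
# Added example, not code from the thread.  Offline comparison of a suspect
# System32 (drive in a cradle, mounted here as E:) against a reference copy
# from a known-clean install of the same build (mounted as F:).
# Run on the analysis machine, not on the suspect install.  Paths are assumptions.

$Suspect   = 'E:\Windows\System32'   # assumed mount point of the suspect volume
$Reference = 'F:\Windows\System32'   # assumed mount point of the clean reference
$ShadowExt = '.bak', '.bk', '.bad'   # extensions seen beside replaced files in the thread

function Get-Sha256 {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# For one file name, decide whether the suspect's live copy, one of its shadow
# copies, or nothing at all matches the reference.
function Compare-ShadowPair {
    param([string]$Name)
    $ref  = Get-Sha256 (Join-Path $Reference $Name)
    $live = Get-Sha256 (Join-Path $Suspect $Name)
    $shadows = @{}
    foreach ($ext in $ShadowExt) {
        $h = Get-Sha256 (Join-Path $Suspect ($Name + $ext))
        if ($h) { $shadows[$ext] = $h }
    }
    $verdict = if (-not $live)                         { 'MISSING on suspect' }
               elseif ($live -eq $ref)                 { 'ok' }
               elseif ($shadows.Values -contains $ref) { 'REPLACED: a shadow copy matches the reference' }
               else                                    { 'DIFFERS: no copy matches the reference' }
    [pscustomobject]@{
        File     = $Name
        Verdict  = $verdict
        Shadows  = ($shadows.Keys -join ',')
        LiveHash = $live
        RefHash  = $ref
    }
}

$results = Get-ChildItem -LiteralPath $Reference -File |
    Where-Object { $_.Extension -match '^\.(dll|exe|vbs)$' } |
    ForEach-Object { Compare-ShadowPair $_.Name }

# Files that exist only on the suspect side are worth a look too (dropped tools, leftovers).
$extra = Get-ChildItem -LiteralPath $Suspect -File |
    Where-Object { -not (Test-Path -LiteralPath (Join-Path $Reference $_.Name) -PathType Leaf) } |
    Select-Object Name, Length, LastWriteTime

$results | Where-Object { $_.Verdict -ne 'ok' } | Format-Table File, Verdict, Shadows -AutoSize
"`nFiles present only on the suspect volume:"
$extra | Format-Table -AutoSize
```

A REPLACED verdict confirms what renaming the .BAK files back suggested in the thread, but it does not make the install trustworthy: the hash check only covers files that exist in the reference, and a clone taken after the tampering is not a reference at all. The advice elsewhere in the thread to reinstall from known-good media still stands.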
  • The new diag:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE22
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-9XWDK-9C7CT-MR244
    Windows Product Key Hash: cGFcvIuXsS+W5zszCFUWhrJdQGg=
    Windows Product ID: 00426-292-1390314-85923
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {8A422E6A-0A42-4664-95E3-7F151D24C1BF}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120305-1505
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{8A422E6A-0A42-4664-95E3-7F151D24C1BF}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-MR244</PKey><PID>00426-292-1390314-85923</PID><PIDType>5</PIDType><SID>S-1-5-21-3529393234-1430560857-1771791908</SID><SYSTEM><Manufacturer>MICRO-STAR INTERNATIONAL CO.,LTD</Manufacturer><Model>MS-7577</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>V1.17</Version><SMBIOSVersion major="2" minor="5"/><Date>20110218000000.000000+000</Date></BIOS><HWID>D95B3D07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Ultimate edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00170-292-139031-00-1033-7601.0000-1132012
    Installation ID: 015690032931258251455005851800756830633413428885833372
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MR244
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 4/23/2012 10:25:23 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE22
    HrOnline: N/A
    HealthStatus: 0x0002000000000000
    Event Time Stamp: 4:23:2012 01:48
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered Service: sppuinotify


    HWID Data-->
    HWID Hash Current: PAAAAAIABAABAAIAAQACAAAAAwABAAEAln3u+HbZcFwQM1TQyP9U8lAfznDqIYw1yIosas4Nqppy5Y4u

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   7577MS  A7577100
      FACP   7577MS  A7577100
      SRAT   AMD     FAM_F_10
      HPET   7577MS  OEMHPET
      MCFG   7577MS  OEMMCFG
      OEMB   7577MS  A7577100

    Tuesday, April 24, 2012 2:25 AM
  • I would not trust this install at all. It is completely unknown what evils may be lurking.

    What happened to your original disk?

    If you know someone with a legitimate Ultimate disc, you could use that with your key. Or you could ask here for a link to a legitimate Digital River .iso; someone will give you one.

    http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install?tab=all

    Tuesday, April 24, 2012 3:46 AM
    Answerer