Wondering if this Windows 7 is legit

  • Question

  • I'm helping someone over at a malware removal forum. I think his Windows is pirated, but I'm not sure. He says it's legit himself. I was wondering if someone could take a look at this MGADiag log and confirm whether it's legitimate or not. If it's an illegal license, can you please tell me which lines of the log tell you that?

    Thanks,

    Rick

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-Q6MMK-KYK6X-VKM6G
    Windows Product Key Hash: 289NoAWl2ZoVfuieux/315WkDIc=
    Windows Product ID: 00426-OEM-8992662-00173
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {61E8CB52-D15E-4567-808F-6B46D1D2A518}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.120503-2030
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\Rhomel\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{61E8CB52-D15E-4567-808F-6B46D1D2A518}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-VKM6G</PKey><PID>00426-OEM-8992662-00173</PID><PIDType>2</PIDType><SID>S-1-5-21-269433224-411305373-2250994567</SID><SYSTEM><Manufacturer>ASUSTeK COMPUTER INC.</Manufacturer><Model>K55VD</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>K55VD.203</Version><SMBIOSVersion major="2" minor="7"/><Date>20120312000000.000000+000</Date></BIOS><HWID>D2203207018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>_ASUS_</OEMID><OEMTableID>Notebook</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows® 7, Ultimate edition
    Description: Windows Operating System - Windows® 7, OEM_SLP channel
    Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00178-926-600173-02-1033-7600.0000-1802012
    Installation ID: 000894986302003671694536069904321840326492235422838530
    Processor Certificate URL: http://go.microsoft....k/?LinkID=88338
    Machine Certificate URL: http://go.microsoft....k/?LinkID=88339
    Use License URL: http://go.microsoft....k/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft....k/?LinkID=88340
    Partial Product Key: VKM6G
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 8/14/2012 11:46:22 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:29:2012 04:30
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MAAAAAEAAQABAAIAAAABAAAAAwABAAEA6GG04Sh0DiZiDDaKCoOMvPBqIoUc7pZj

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
    ACPI Table Name OEMID Value OEMTableID Value
    APIC _ASUS_ Notebook
    FACP _ASUS_ Notebook
    HPET _ASUS_ Notebook
    MCFG _ASUS_ Notebook
    FPDT _ASUS_ Notebook
    ECDT _ASUS_ Notebook
    SLIC _ASUS_ Notebook
    SSDT PmRef Cpu0Ist
    SSDT PmRef Cpu0Ist
    BGRT _ASUS_ Notebook

    Wednesday, August 15, 2012 11:05 AM

Answers

  • There are no indications of it being anything other than a genuine install.

    All the right bits are in all the right places, and everything matches.

    The machine normally ships with Home Premium - but Ultimate could have been an in-factory option.

    Does the COA state Ultimate, or Home Premium?

    You might want him to validate at www.microsoft.com/genuine/validate - it passed validation on 29 June so it should still be OK.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    • Marked as answer by Gammo0123 Wednesday, August 15, 2012 1:34 PM
    Wednesday, August 15, 2012 11:27 AM
    Moderator
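
The cross-checks behind "everything matches", as an added example that is not part of the original thread: the sketch parses an MGADiag report and lists disagreements among the fields relevant to an OEM SLP install. The function names and the choice of fields to compare are assumptions of this example, not the answerer's stated method; `SAMPLE` is an excerpt of the report posted in the question.

```python
import re

# Excerpt of the MGADiag report posted in the question (lines omitted, values unchanged).
SAMPLE = """\
Validation Code: 0
Windows Product Key: *****-*****-Q6MMK-KYK6X-VKM6G
Windows License Type: OEM SLP
Description: Windows Operating System - Windows® 7, OEM_SLP channel
Partial Product Key: VKM6G
License Status: Licensed
BIOS valid for OA 2.0: yes
OEMID and OEMTableID Consistent: yes
ACPI Table Name OEMID Value OEMTableID Value
APIC _ASUS_ Notebook
FACP _ASUS_ Notebook
SLIC _ASUS_ Notebook
SSDT PmRef Cpu0Ist
"""

def parse_report(text):
    """Return (fields, acpi): 'Key: value' pairs and {table: (oemid, oemtableid)}."""
    fields, acpi = {}, {}
    for line in map(str.strip, text.splitlines()):
        kv = re.match(r"([^:]+):\s*(.*)$", line)
        row = re.match(r"([A-Z]{4})\s+(\S+)\s+(\S+)$", line)
        if kv:
            fields.setdefault(kv.group(1).strip(), kv.group(2).strip())
        elif row:
            acpi[row.group(1)] = (row.group(2), row.group(3))
    return fields, acpi

def oem_slp_findings(text):
    """Return a list of inconsistencies; an empty list means the fields agree."""
    f, acpi = parse_report(text)
    expected = {"Validation Code": "0", "License Status": "Licensed"}
    oem_slp = f.get("Windows License Type") == "OEM SLP"
    if oem_slp:
        expected.update({"BIOS valid for OA 2.0": "yes",
                         "OEMID and OEMTableID Consistent": "yes"})
    out = [f"{k}: expected {v!r}, got {f.get(k)!r}"
           for k, v in expected.items() if f.get(k) != v]
    if not f.get("Windows Product Key", "").endswith(f.get("Partial Product Key", "?")):
        out.append("validation key and licensing partial key differ")
    if oem_slp:
        if "OEM_SLP" not in f.get("Description", ""):
            out.append("license type is OEM SLP but channel is not OEM_SLP")
        slic = acpi.get("SLIC")
        # Assumption of this example: SLIC should carry the same IDs as APIC/FACP.
        if slic is None:
            out.append("no SLIC table listed")
        elif any(acpi.get(t, slic) != slic for t in ("APIC", "FACP")):
            out.append("SLIC OEMID/OEMTableID differs from APIC/FACP")
    return out
```

When run over a full report, repeated keys such as `Version` keep their first value, which does not affect the fields checked here.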

All replies

  • Thanks for your reply, Noel.

    The presence of these files (among others) made me suspicious:

    D:\Downloads\Compressed\Microsoft Office 2010 Activator (Direct Download)\mini-KMS_Activator_v1.051.exe
    D:\Installer\Windows 7 Anytime Upgrade Keygen\Windows 7 Anytime Upgrade Keygen.exe
    D:\Installer\MICROSOFT.OFFICE.2010.RTM.14.0.4734.1000_ProfessionalPlus_volume_x64_en-us\Office 2010 Activation and Conversion Kit 1.6.exe

    He says he downloaded that for his other PC, so I guess I'll give him the benefit of the doubt.

    Wednesday, August 15, 2012 1:34 PM
  • Oh dear :(

    And his AV isn't flagging them? - many AVs will flag them as a generic 'Hacktool' - or has he not got an AV? (wouldn't surprise me!)


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Wednesday, August 15, 2012 1:49 PM
    Moderator
  • He's using avast! Antivirus. Possibly he configured avast to ignore the files.

    Malwarebytes' Anti-Malware caught the files. That's how I got alerted to their existence.

    Wednesday, August 15, 2012 2:13 PM
  • Many of those so-called Loaders are pure malware, and have no actual effect on activation, so that doesn't surprise me at all.

    There was one for Nero, which did work - but also installed various malware unless you unpacked it first, and stripped it out.

    I haven't toyed with any of the Office ones (I already have too many VMs on this box!).


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Wednesday, August 15, 2012 3:05 PM
    Moderator