This Computer is not running genuine windows

  • Question

  • Hi, my computer was recently infected by a nasty virus.  After the cleanup my Windows Update stopped working and about a week later the message regarding "genuine windows" started showing up.

    Additionally, when I first purchased my Dell computer it was running Vista; I did a full installation of Windows 7 Professional on the computer.

    Here's the diagnostic report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-2BRVD-2887B-2H6M9
    Windows Product Key Hash: 1ZDTdPHPlEhuOBisvD8xbL+ARNU=
    Windows Product ID: 00371-177-2055027-85674
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7600.2.00010100.0.0.048
    ID: {B17DFD65-E735-4DC4-8CC7-7E2B9C5EDED6}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000000
    Build lab: 7600.win7_gdr.110622-1503
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Ultimate 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{B17DFD65-E735-4DC4-8CC7-7E2B9C5EDED6}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2H6M9</PKey><PID>00371-177-2055027-85674</PID><PIDType>5</PIDType><SID>S-1-5-21-683273971-958678362-1661301952</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Vostro 220s Series</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>1.0.3</Version><SMBIOSVersion major="2" minor="5"/><Date>20081024000000.000000+000</Date></BIOS><HWID>4DB03907018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>FX09   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002E-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Ultimate 2007</Name><Ver>12</Ver><Val>40C7CE43D2C4F0C</Val><Hash>ZsWyTkC1512DkLPQYwtsbd8r9uI=</Hash><Pid>81608-902-6497727-65843</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7600.16385

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: e838d943-63ed-4a0b-9fb1-47152908acc9
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00170-177-205502-00-1033-7600.0000-3542009
    Installation ID: 004282091283986186025050067603256106257476338521000150
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 2H6M9
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 12/12/2011 4:48:49 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000003EFFF
    Event Time Stamp: 12:6:2011 17:48
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe
    Tampered File: %systemroot%\system32\wat\watweb.dll
    Tampered File: %systemroot%\system32\wat\npwatweb.dll
    Tampered File: %systemroot%\system32\wat\watux.exe
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys
    Tampered File: %systemroot%\system32\drivers\spldr.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAgABAAEAAAACAAAAAQABAAEAeqj+6fzzqn/SGuzw1pYa7N5YmGFGyg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            102408        APIC1017
      FACP            102408        FACP1017
      HPET            102408        OEMHPET
      MCFG            102408        OEMMCFG
      SLIC            DELL          FX09  
      OEMB            102408        OEMB1017
      GSCI            102408        GMCHSCI
      SSDT            DpgPmm        CpuPm


    thanks

    Tuesday, December 13, 2011 12:51 AM

Answers

  • "Hahale" wrote in message news:bde60369-9910-4d3c-b9ce-7be7e6b089d8...
    That's exactly what I got: the requested service has already been started.
     
    Bother! – that probably means that we need to look elsewhere (and I have no idea where to start!)
     
    In view of the opening statement in your first post “my computer was recently infected by a nasty virus” – I think I should recommend a clean install at this point, as there’s obviously significant damage to the OS and/or registry.
     
    You could try a repair install – but if there are still residuals from the virus, you could end up having to do the clean install anyhow.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Darin Smith MS Tuesday, December 20, 2011 10:27 PM
    Tuesday, December 20, 2011 9:41 AM
    Moderator

All replies

  • "Hahale" wrote in message news:da6f65b0-2fba-4c39-b779-40437abfbf59...

    Hi, my computer was recently infected by a nasty virus.  After the cleanup my Windows Update stopped working and about a week later the message regarding "genuine windows" started showing up.

    Additionally, when I first purchased my Dell computer it was running Vista; I did a full installation of Windows 7 Professional on the computer.

    Here's the diagnostic report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-2BRVD-2887B-2H6M9
    Windows Product Key Hash: 1ZDTdPHPlEhuOBisvD8xbL+ARNU=
    Windows Product ID: 00371-177-2055027-85674
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7600.2.00010100.0.0.048


    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Ultimate 2007 - 100 Genuine


    File Scan Data-->

    Other data-->
    SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Vostro 220s Series</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>1.0.3</Version><SMBIOSVersion major="2" minor="5"/><Date>20081024000000.000000+000</Date></BIOS



    Licensing Data-->
    Software licensing service version: 6.1.7600.16385

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Partial Product Key: 2H6M9
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 12/12/2011 4:48:49 PM

    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\wat\watadminsvc.exe
    Tampered File: %systemroot%\system32\wat\watweb.dll
    Tampered File: %systemroot%\system32\wat\npwatweb.dll
    Tampered File: %systemroot%\system32\wat\watux.exe
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys
    Tampered File: %systemroot%\system32\drivers\spldr.sys



    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes

      SLIC            DELL          FX09  



    thanks

    The Tampered files above are the cause of your problem.
     
    This appears to be an atypical version of the following....
    The set of file mismatches above is typical of one of two causes:-
    1) a restore from an image backup of the system
    2) a failed driver update
    The only one for which we currently have a solution is the second.....
    Installing the Intel Rapid Storage Drivers
    Try downloading and installing them from here -
    - you’ll need the set for the x86 (32-bit) platform on Win7
    Once complete, please reboot twice, then post another MGADiag report.
    Good Luck!

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, December 13, 2011 10:27 AM
    Moderator
  • Unable to install Intel Rapid Storage Drivers...

    Ran the program and halfway through got a popup message "windows can't verify publisher". I went with install driver anyway but wasn't successful... The same thing happened when I was trying to install iTunes.

    Wednesday, December 14, 2011 12:40 AM
  • Sorry for the delay - missed it until now.

    This looks like a problem with the Cryptography Service.

    Please open an Admin Command Prompt (Start > All Programs > Accessories > right-click on Command Prompt, and select Run as Admin) and enter the following commands:

    SC QC CRYPTSVC

    SC SDSHOW CRYPTSVC

     

    Copy and paste the results back here. (To copy the results, click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.)


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, December 16, 2011 5:13 PM
    Moderator
  • here are the reports

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


    C:\Windows\system32>SC QC CRYPTSVC
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: CRYPTSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Cryptographic Services
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : NT Authority\NetworkService

    C:\Windows\system32>SC SDSHOW CRYPTSVC

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    C:\Windows\system32>
    Monday, December 19, 2011 5:54 AM
  • "Hahale" wrote in message news:5641c288-575e-4504-b169-f57df9651f5a...

    here are the reports

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


    C:\Windows\system32>SC QC CRYPTSVC
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: CRYPTSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Cryptographic Services
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : NT Authority\NetworkService

    C:\Windows\system32>SC SDSHOW CRYPTSVC

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    C:\Windows\system32>
     
     
    They look normal enough – at least the service is present (I’ve seen it be removed completely by registry cleaners)
    What happens if you issue a
    NET START CRYPTSVC
    from an Admin Command Prompt?
    (you should get a ‘service already started’ error)
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, December 19, 2011 9:36 AM
    Moderator
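
The SC SDSHOW output posted above, decoded into per-trustee service rights and checked for write-class rights held by non-administrative trustees. This is an added example, not part of the original thread; the function names are illustrative, and the lookup tables cover only the SDDL codes that appear in the posted output.

```python
import re

# Two-letter SDDL access codes and what they mean on a service object.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Builtin Administrators",
            "IU": "Interactive Users", "SU": "Service Logon Users",
            "AU": "Authenticated Users", "WD": "Everyone"}
# Rights that let the holder reconfigure, delete or re-permission the service.
WRITE_RIGHTS = {"CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
PRIVILEGED = {"SY", "BA"}

# SC SDSHOW output as posted in the thread, including the console line wrap.
SDSHOW = """D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"""

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [rights])] for each ACE in the D: section."""
    sddl = "".join(sddl.split())  # undo the console wrapping
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inherit, sid = body.split(";")[:6]
        names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)]
        aces.append((ace_type, sid, names))
    return aces

def risky_aces(sddl):
    """Allow-ACEs that give a non-privileged trustee any write-class right."""
    return [(sid, sorted(WRITE_RIGHTS & set(rights)))
            for ace_type, sid, rights in parse_dacl(sddl)
            if ace_type == "A" and sid not in PRIVILEGED
            and WRITE_RIGHTS & set(rights)]

if __name__ == "__main__":
    for ace_type, sid, rights in parse_dacl(SDSHOW):
        print(ace_type, TRUSTEES.get(sid, sid), ", ".join(rights))
    print("risky:", risky_aces(SDSHOW))
```

For the descriptor posted in the thread, only Local System and Builtin Administrators hold start, stop or change rights, and `risky_aces` returns an empty list.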
  • That's exactly what I got: the requested service has already been started.
    Tuesday, December 20, 2011 2:27 AM