This computer is not running genuine Windows

benl · 30 Jan 2013

Hi Folks,

Can anybody help me diagnose why this message keeps coming up?

"This computer is not running genuine Windows"

MGADIAG
---------

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {F21232A6-5671-4461-B531-4861BDC1F70E}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120830-0333
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F21232A6-5671-4461-B531-4861BDC1F70E}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-877389845-1523314926-2264527664</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Precision M6500 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A06</Version><SMBIOSVersion major="2" minor="6"/><Date>20110127000000.000000+000</Date></BIOS><HWID>A6F83007018400FE</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>P2 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7600.0000-2332010
Installation ID: 003816635175363570648680300441358354312070884824641793
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 30/01/2013 10:00:05 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0000000000000040
Event Time Stamp: 1:30:2013 20:33
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui

HWID Data-->
HWID Hash Current: MgAAAAIAAAABAAEAAgABAAAAAwABAAEAHKL0K2FgzpyOeIwwfZegQB5SiBgyy2ZWdlY=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL P2
FACP DELL P2
HPET DELL P2
BOOT DELL P2
MCFG DELL P2
DMAR DELL P2
ASF! DELL P2
TCPA
SLIC DELL P2
SSDT PmRef CpuPm

Golden · 30 Jan 2013

benl said:

Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui

Hi,

What antivirus software are you running? Has your PC had any malware infections recently?

Please copy and paste the following block of text into an elevated command prompt, and hit enter on the keyboard when it appears to have run:

Code:

DIR C:\Windows\sppcext.dll.* /s
icacls c:\windows\system32\sppcext.dll
sfc /scanfile=c:\windows\system32\sppcext.dll
icacls c:\windows\system32\sppcext.dll

Copy and paste the resultant output back into your next reply.

Regards,
Golden

benl · 30 Jan 2013

Hi Golden,

I'm running Microsoft Security Essentials.

I did have a virus attack some months ago about the time this MGA message appeared. I can't remember what it was now but I thought I got rid of it.

Here is the output you requested...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>DIR C:\Windows\sppcext.dll.* /s
Volume in drive C is OS
Volume Serial Number is 3EA5-54E2

Directory of C:\Windows\System32

14/07/2009 12:41 PM 1,203,712 sppcext.dll
1 File(s) 1,203,712 bytes

Directory of C:\Windows\System32\en-US

14/07/2009 01:30 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\SysWOW64

14/07/2009 12:16 PM 1,111,552 sppcext.dll
1 File(s) 1,111,552 bytes

Directory of C:\Windows\SysWOW64\en-US

14/07/2009 01:04 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-windows-s..clientext.resources_31bf3856ad364e35_6.1.
7600.16385_en-us_c2382769078e1059

14/07/2009 01:30 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.
7600.16385_none_28bbe77bcacffbe4

14/07/2009 12:41 PM 1,203,712 sppcext.dll
1 File(s) 1,203,712 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..clientext.resources_31bf3856ad364e35_6.1.76
00.16385_en-us_66198be54f309f23

14/07/2009 01:04 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.76
00.16385_none_cc9d4bf812728aae

14/07/2009 12:16 PM 1,111,552 sppcext.dll
1 File(s) 1,111,552 bytes

Total Files Listed:
8 File(s) 4,700,160 bytes
0 Dir(s) 28,370,583,552 bytes free

C:\Windows\system32>icacls c:\windows\system32\sppcext.dll
c:\windows\system32\sppcext.dll NT SERVICE\TrustedInstaller

F)
BUILTIN\Administrators

RX)
NT AUTHORITY\SYSTEM

RX)
BUILTIN\Users

RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>sfc /scanfile=c:\windows\system32\sppcext.dll

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>icacls c:\windows\system32\sppcext.dll

Golden · 30 Jan 2013

Hi,

OK - the malware would explain the tampered file.

I need a little bit more help with this problem, but I'm pretty confident it is easily fixed. Please look out for a reply from out resident activation expert NoelDP, but don't do anything else until he replies please.

I've asked Noel to have a look at this so he will be around shortly.

Regards,
Golden

benl · 30 Jan 2013

I just realized that the last command did not complete properly so here are the results again just in case you need them.

Thanks for your help.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>DIR C:\Windows\sppcext.dll.* /s
Volume in drive C is OS
Volume Serial Number is 3EA5-54E2

Directory of C:\Windows\System32

14/07/2009 12:41 PM 1,203,712 sppcext.dll
1 File(s) 1,203,712 bytes

Directory of C:\Windows\System32\en-US

14/07/2009 01:30 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\SysWOW64

14/07/2009 12:16 PM 1,111,552 sppcext.dll
1 File(s) 1,111,552 bytes

Directory of C:\Windows\SysWOW64\en-US

14/07/2009 01:04 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-windows-s..clientext.resources_31bf3856ad364e35_6.1.
7600.16385_en-us_c2382769078e1059

14/07/2009 01:30 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.
7600.16385_none_28bbe77bcacffbe4

14/07/2009 12:41 PM 1,203,712 sppcext.dll
1 File(s) 1,203,712 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..clientext.resources_31bf3856ad364e35_6.1.76
00.16385_en-us_66198be54f309f23

14/07/2009 01:04 PM 17,408 sppcext.dll.mui
1 File(s) 17,408 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.76
00.16385_none_cc9d4bf812728aae

14/07/2009 12:16 PM 1,111,552 sppcext.dll
1 File(s) 1,111,552 bytes

Total Files Listed:
8 File(s) 4,700,160 bytes
0 Dir(s) 28,380,717,056 bytes free

C:\Windows\system32>icacls c:\windows\system32\sppcext.dll
c:\windows\system32\sppcext.dll NT SERVICE\TrustedInstaller

F)
BUILTIN\Administrators

RX)
NT AUTHORITY\SYSTEM

RX)
BUILTIN\Users

RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>sfc /scanfile=c:\windows\system32\sppcext.dll

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>icacls c:\windows\system32\sppcext.dll
c:\windows\system32\sppcext.dll NT SERVICE\TrustedInstaller

F)
BUILTIN\Administrators

RX)
NT AUTHORITY\SYSTEM

RX)
BUILTIN\Users

RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>

Golden · 30 Jan 2013

Thats Ok thanks - we see it.

NoelDP · 30 Jan 2013

`(saw the thread before I saw your request, Golden :) )
Not a bad start - but you missed the potential WOW64 entries (which are also seen as the same errors) and the .mui files.

This is why I find it easier to request a fill SFC scan first....

@benl

Please run a full CHKDSK and SFC scan....

Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

CHKDSK C: /R

and hit the Enter key.
You will be told that the drive is locked,
and the CHKDSK will run at he next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK will take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) -
then run the SFC.

SFC -System File Checker - Instructions
Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

SFC /SCANNOW

and hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.

Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload it to your SkyDrive Public folder (http://skydrive.live.com ) and post a link to it so that I can take a look.

Post a new MGADiag report with details of any error messages encountered.

benl · 30 Jan 2013

CBS file here:

http://dl.dropbox.com/u/18685639/CBS.zip

MGADiag:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-M3DJT-4J3WC-733WD
Windows Product Key Hash: xo+ajVSpae7/4VoZjS7m6JL0f3A=
Windows Product ID: 00371-OEM-8992671-00524
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {F21232A6-5671-4461-B531-4861BDC1F70E}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120830-0333
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{F21232A6-5671-4461-B531-4861BDC1F70E}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-733WD</PKey><PID>00371-OEM-8992671-00524</PID><PIDType>2</PIDType><SID>S-1-5-21-877389845-1523314926-2264527664</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Precision M6500 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A06</Version><SMBIOSVersion major="2" minor="6"/><Date>20110127000000.000000+000</Date></BIOS><HWID>A6F83007018400FE</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>P2 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00178-926-700524-02-1033-7600.0000-2332010
Installation ID: 003816635175363570648680300441358354312070884824641793
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 733WD
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 31/01/2013 8:01:11 AM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0000000000000040
Event Time Stamp: 1:30:2013 20:33
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui

HWID Data-->
HWID Hash Current: MgAAAAIAAAABAAEAAgABAAAAAwABAAEAHKL0K2FgzpyOeIwwfZegQB5SiBgyy2ZWdlY=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL P2
FACP DELL P2
HPET DELL P2
BOOT DELL P2
MCFG DELL P2
DMAR DELL P2
ASF! DELL P2
TCPA
SLIC DELL P2
SSDT PmRef CpuPm

NoelDP · 30 Jan 2013

SFC found no errors.
That almost certainly means that the problem is in the registry somewhere.

Let's see if a CheckSUR scan finds the source....

Please download and save the CheckSUR tool from http://support.microsoft.com/kb/947821
(you'll need to look in the details for Method 2)

Run it - The tool can take anywhere from 5 mins to a couple of hours to run (or 'Install') depending on how much it has to do, and may exit silently - it may appear to freeze for most of that time, but be patient.
The result is logged in the C:\Windows\Logs\CBS\CheckSUR.log file - and an archive …\checksur.persist.log file

Then zip the CheckSUR.log and attach it to your reply..

benl · 30 Jan 2013

CheckSUR.log attached