Windows 7 Forums

Windows 7: Suspect RemoveWAT was used to make used computer appear valid

24 Mar 2014   #1
Christy

Windows 7 Home Premium 64bit
 
 

I purchased a used refurb computer locally from a Mom & Pop Repair Shop. It came with Win7, Word and Excel. It is entirely my responsibility that I did not fully investigate the computer; they checked out with online reviews and were pretty helpful while I was there. They also had a decent amount of other customer traffic while I was looking around. They claim to have been in business 10 years, though their biz license was only issued in 2012; they could have had a different license previously.

Something is fishy, my Product Keys are all default, and I did not receive COA Product Keys.

I suspect that RemoveWAT was used because I have NOTHING in the space where Windows Activation is supposed to be (see screenshot).

Here's my Diagnostic Report
Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-74XYM-BH4JX-XM76F
Windows Product Key Hash: KeYfcvXg/a1Q01x73+f8IL/JC4Y=
Windows Product ID: 00359-112-0000007-85796
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7600.2.00010300.0.0.003
ID: {16F229F2-E552-401F-BB95-1F67C95E6586}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7600.win7_gdr.130318-1532
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{16F229F2-E552-401F-BB95-1F67C95E6586}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010300.0.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-XM76F</PKey><PID>00359-112-0000007-85796</PID><PIDType>5</PIDType><SID>S-1-5-21-2083349407-628229037-1197225645</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 755                 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A22</Version><SMBIOSVersion major="2" minor="5"/><Date>20120611000000.000000+000</Date></BIOS><HWID>81BB3607018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B9K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>17EE25E38C41586</Val><Hash>CSmFLSHpkTpMJgV3g4QMsUFwBlo=</Hash><Pid>89388-707-1105923-65847</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

Spsys.log Content: 0x80070002

Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: MgAAAAEABAABAAIAAAABAAAAAQABAAEAeqhgqFxTOuyKKJIuKK+2myK9aubauWaOzDE=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
  ACPI Table Name    OEMID Value    OEMTableID Value
  APIC            DELL          B9K   
  FACP            DELL          B9K   
  HPET            DELL          B9K   
  BOOT            DELL          B9K   
  MCFG            DELL          B9K   
  SSDT            DELL        st_ex
  ASF!            DELL          B9K   
  ____            DELL          B9K   
  SLIC            DELL          B9K

My ideal solution is to simply return the system for a full refund; I already called my bank for dispute information. I will go to the merchant tomorrow (Tue Mar 25 2014) only because I want a friend with me as a material witness in case the merchant tries to weasel out of refunding me. They supposedly have no returns, but do have a 90 or 120 day warranty. At this point, I would not be comfortable if they offered to "fix" the issue. Even if they say "All Sales Final" that does not apply to defective merchandise.

Questions:
1) I do not wish to accuse the merchant of shady setup without substantial evidence. Is there any other setting or error that could cause Windows Activation to be blank/missing/removed? Other than RemoveWAT, I could not find any other reason.

2) Is there any way to look at the log files to see if RemoveWat was actually used? (Or any other activation exploit software if it wasn't RWat specifically)

I appreciate any insight, I got this far with the help of these forums, so thanks for that already!


PS I do not want to try and repair or fix the issue; I feel I have better grounds for refund if the system is left as is. So there are a few fixes I've seen and not tried (like sfc /scannow). I attempted to get as much information as I could without changing too much, though I did run Dell diagnostics, Win Validation (which of course failed), MGADiag and ProduKey.






24 Mar 2014   #2
sml156

Microsoft Windows 7 Ultimate 32-bit 7601
 
 

Your question made me wonder how someone would be able to figure out if their computer was activated with RemoveWAT, and I found it. If you find these files on your computer it was more than likely illegally activated. Also, RemoveWAT disables Windows Update.

Code:
antiwat.dll
freewat.dll
by-pass.dll
antiwpa.dll
wpa.dll

I also did more searching and found another illegal activation method, and the way to tell if that was used is to look at your updates: if you are missing KB971033 it's probably illegal. After installing KB971033, if illegal, your computer will not pass the genuine test. This method uses a tool called Windows loader and allows the computer to update as long as KB971033 is not installed. I spent about an hour searching for this info and I would share the links, but there were some pretty shady sites I went to so I will not share the references.
24 Mar 2014   #3
Britton30
Microsoft MVP

Windows 7 Ultimate X64 SP1
 
 

Something is certainly fishy, the System Properties should also have a Dell logo. They may have used the DAZ loader too, which is difficult to detect.

24 Mar 2014   #4
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by sml156
Your question made me wonder how someone would be able to figure out if their computer was activated with RemoveWAT and I found it. If you find these files on your computer it was more than likely illegally activated

Code:
antiwat.dll
freewat.dll
by-pass.dll
antiwpa.dll
wpa.dll

I also did more searching and found another illegal activation method and the way to tell if that was used is to look at your updates and if you are missing KB971033 it's probably illegal. After installing KB971033, if illegal, your computer will not pass the genuine test

Be very careful visiting websites that even discuss this topic. I'm not sure that much more can be said about the KB that you mentioned without breaking this forum's rules - so I'll just say that your info is outdated.



Quote: Originally Posted by Britton30
Something is certainly fishy, the System Properties should also have a Dell logo. They may have used the DAZ loader too, which is difficult to detect.

Using the Daz loader would install an OEM key - the OP has a retail key. As the OP stated, the key is the Windows default one. When installing W7, just skip putting in a key and you will get the trial key as shown in the OP's MGA report.

Let's see what Noel has to say :-)
24 Mar 2014   #5
Christy

Windows 7 Home Premium 64bit
 
 

Thank you all so much - after more digging I found slmgr.vbs.removewat in sys32 folder,
and duh, why didn't I search "removewat" sooner! I think I thought that would be too obvious.

Also helpful was knowing what removewat does - based on this article Confessions of a Windows 7 pirate | Page 2 | ZDNet

I can see the timestamp on slwga.dll 3/20/14 12:30 PM (the fake dll that removewat installed)
and the backup slwga.dll.bak 07/13/2009 6:41 PM (the real dll that removewat replaced but left intact for their uninstaller, my guess)

The merchant did the install on 3/20, that's the earliest date in logs, I bought on 3/21

More questions later, must unplug, just didn't want to leave you hanging!
25 Mar 2014   #6
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
 
 

The system definitely shows signs of the use of RemoveWAT - the installed Key is the Default Key for Home Premium, which can NEVER be legally activated, but the report shows it as being activated.

The three tell-tale errors for RemoveWAT are present.

Code:
Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

Code:
File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Is there a COA sticker on the case of the machine?
The BIOS is dated June 2012 - which places the machine firmly in Windows 7 territory, so there should be - if so, for what edition of Windows is it valid? (If the edition is not visible, but the Key is, it's another sign of a shady vendor)


Definitely demand a refund from the vendor - if you can still find them!
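
The two checks discussed in this thread, as an added Python example that is not part of any poster's message: it scans MGADiag report text for the errors quoted in post #6 and a file listing for the names reported in posts #2 and #5. The sample report and listing are constructed, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the MGADiag layout posted in this thread (not a full report).
SAMPLE_REPORT = """\
Validation Code: 0

File Scan Data-->
File Mismatch: C:\\Windows\\system32\\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\\Windows\\system32\\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Licensing Data-->
Input Error: Can not find script file "C:\\Windows\\system32\\slmgr.vbs".
"""
# Constructed System32 listing; the two flagged names are the ones reported in post #5.
SAMPLE_LISTING = ["slmgr.vbs.removewat", "slwga.dll", "slwga.dll.bak", "user32.dll"]

SECTION = re.compile(r"^(.+?)-->\s*$")
MISMATCH = re.compile(r"^File Mismatch:\s*(.+?)\[[^\]]*\],\s*Hr\s*=\s*(0x[0-9A-Fa-f]+)")
# File names the posters in #2 and #5 associate with RemoveWAT (their claim, not verified here).
REPORTED_NAMES = {"antiwat.dll", "freewat.dll", "by-pass.dll", "antiwpa.dll", "wpa.dll",
                  "slmgr.vbs.removewat", "slwga.dll.bak"}

def split_sections(report):
    """Map each 'Name-->' header to the non-blank lines that follow it."""
    sections, current = {"": []}, ""
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections

def report_indicators(report):
    """Return the errors quoted in post #6 that appear in the report text."""
    sections, found = split_sections(report), []
    for line in sections.get("Licensing Data", []):
        if "Can not find script file" in line and "slmgr.vbs" in line.lower():
            found.append("slmgr.vbs missing")
    for line in sections.get("File Scan Data", []):
        hit = MISMATCH.match(line)
        if hit:
            name = hit.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
            found.append(f"file mismatch: {name} ({hit.group(2)})")
    return found

def listing_indicators(names):
    """Return listed file names that match the names reported in the thread."""
    return sorted(n for n in names if n.lower() in REPORTED_NAMES)

if __name__ == "__main__":
    print(report_indicators(SAMPLE_REPORT), listing_indicators(SAMPLE_LISTING))
```
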
25 Mar 2014   #7
UsernameIssues

W7 Pro SP1 64bit
 
 

Thanks Noel.

@Christy,
Did you get your money back?
25 Mar 2014   #8
Christy

Windows 7 Home Premium 64bit
 
 

Got the refund - I won't have closure til it processes fully, my bank said it won't show til tomorrow and can take up to three days to complete. I still have 30 days from purchase to dispute if something goes haywire, it all seems OK though.

Vendor has a store front, so I wasn't worried about that

COA sticker on box was for Vista, and yes entirely my fault for not questioning it, I fired it up in store and doinked around to see what was there. Saw the Win7 info in Control Panel System, verified hardware thru system & physically inside the box.

Previous to this debacle, I didn't know you could look up a Dell by Service Tag, computer originally shipped 6/2008, he claimed it was 2012 when I was there. Support | Dell US

So just for fun, I called him anonymously earlier today and asked a bunch of questions and he was consistent with the false information he said in the store - the systems I knew were 2006, he claimed were 2010 and 2008s he claimed 2012. I played it like I was a noob, specifically asked about needing a sticker or code for windows, and he said it was already on the computer.

When I went to get the refund, they didn't recognize me so I pretended to be looking around and played with one that was on display. Checked Control Panel System - Windows activation spot BLANK, and slmgr.vbs.removewat in Sys32 folder.

Up til that point, I was still trying to give him the benefit of the doubt that my system was some mistake or oversight, but seeing another invalid machine on display for sale confirmed it probably wasn't in error.

So I said my Win7 wouldn't verify and I wanted a refund. He said he'd fix it right there, which I declined. He claimed it was an oversight and showed me other systems with actual Win7 COA stickers and the marked thru previous sticker, and "I just got a bad one" [in my head "Umm, so then why is there another invalid one sitting right there?"] Then he told me he was one of 17 Certified Re-manufacturers in the US, blah blah blah - whatever, I said as little as possible, other than to mention I found removewat had been used on my system.

There is no logical reason I can think of he'd be "working" on a system and wants to put it on display invalid, then when it sells, make it legit.

Isn't Win 7 pretty cheap, like $60 cost for reseller/remanuf/bulk whatever MS calls it?

/meaderingventrant

Please forgive my verbosity, better too much than threads where the OP vanishes? LOL
25 Mar 2014   #9
UsernameIssues

W7 Pro SP1 64bit
 
 

Thanks for the update. It sounds like you did an excellent job of finding them out.

Microsoft might be interested in hearing about this particular "vendor". I'm not sure which number to call since I've never run into such characters. Perhaps other forum members know how best to report them.
26 Mar 2014   #10
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
 
 

The counterfeit reporting mechanism starts here... How to Tell ? Hardware