Query

ICIT2LOL

Have a friend who bought a used machine for his young teenage son that I think is dodgy - bought it as seen from one of his wife's work mates.

I suspect the 7 he has is not an entirely genuine one as the machine was originally a Vista one and there is no MBR (I think the HDD has been scrubbed or replaced) and I can find no way of factory defaulting it - I've tried numerous ways but nothing.

The only thing I have is the OEM Product ID in "System" and I don't want to go checking too deeply, as obviously I don't want to get him into strife, as he is not computer savvy - nor am I for that matter but I can spot something not quite right like this puppy.

I did find some cookies of porn sites on it that I cannot get rid of - ideas?? I can clear them with CC but if one uninstalls and reinstalls the CC the cookies come back!

 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Own build (new) Desk1 / Asus ROG Win 7 / Desk2 1st build
OS
Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
CPU
Desk1 i5 3750K / Laptop i7 GTX 860M / Desk2 i5 2500
Motherboard
Desk1 Asus P877-V / Desk2 Gigabyte H67 UD3H / Laptop ?
Memory
Desk1 8GB (1866) / Desk2 16GB (1333) / Laptop 8Gb DDR3
Graphics Card(s)
Desk 1& 2NVidia GTX 650 & Laptops on board Intel
Sound Card
Desk 1 & 2 -XONAR DG Realtek High Def audio Laptop
Monitor(s) Displays
Desk 1 Benq HD 2450 / Desk2 Philips 24" / Laptop 17.5"
Screen Resolution
1920x1080 D1 & D2 & Laptop 1
Hard Drives
Desk1 Samsung 120GB 830 SSD
Asus ROG 256GB 850 Pro SSD
Desk2 Samsung 840 256 SSD
Toshiba 120GB EVO
PSU
Desk 1 Corsair HX 1050/ Laptop ? / Desk 2 Corsair HX 650
Case
Desk 1 Cooler HAF XM ? Toshiba laptop / Desk2 Coolermaster
Cooling
Fans on all Desk1 -2 Desk2 - all Coolermasters 5 Laptop ?
Keyboard
Desk 1 MS Sidewinder X6 Desk 2 MS Sidewinder X 4
Mouse
Desk 1&2 - Gigabyte MS 900 gamer - laptop - Logitec wireless
Internet Speed
ADSL2+
Other Info
One other Desktop (tester) and spare Toshba laptop both with SSD's
Running Kaspersky 2016 ISS on all machines config'd identically
Logitec audio stereo systems on each machine (x3)
Canon MG5250MFC
Router/modem TP-Link running WPA2SK
Run this tool.

http://go.microsoft.com/fwlink/?linkid=52012

Click on the Copy tab at the bottom, paste into notepad, save as .txt file, upload the file here. Looking at the file, I may be able to tell you whether windows is genuine.

Also, if it's not genuine OEM, there won't be a recovery partition so factory restore will not be possible.
 

My Computer

Computer Manufacturer/Model Number
Too many to describe...
OS
Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
Ok Bill

Bill I have copied the result from the machine to a stick hopefully this will work ok as I didn't want to risk sending a virus or whatever on it as I did find that rootkit when tidying it up.

As I said I am not that savvy re these things yet hence me doing it this way as a precaution.

Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-QH38Y-JG33F-3PFXV
Windows Product Key Hash: pnqmnE0SPRmC5tlIKYhYTnRp53E=
Windows Product ID: 00359-OEM-8702911-70946
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {B708F032-68EB-4104-9296-A3E3A64E6E37}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_rtm.101119-1850
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{B708F032-68EB-4104-9296-A3E3A64E6E37}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-3PFXV</PKey><PID>00359-OEM-8702911-70946</PID><PIDType>3</PIDType><SID>S-1-5-21-1543349361-3578065358-67789564</SID><SYSTEM><Manufacturer>NEC</Manufacturer><Model>NEC VERSA series</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>080014 </Version><SMBIOSVersion major="2" minor="5"/><Date>20071005000000.000000+000</Date></BIOS><HWID>1F8E3907018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>NECCAP</OEMID><OEMTableID>COMPUTER</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65118</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: 586bc076-c93d-429a-afe5-a69fbc644e88
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00174-029-170946-02-1033-7600.0000-1332010
Installation ID: 010232956774287960804064072670308165318411899226731915
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 3PFXV
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 12-Mar-11 9:16:04 AM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 1:12:2011 21:54
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
 
HWID Data-->
HWID Hash Current: OAAAAAEABQABAAIAAQABAAAAAgABAAEAJJQ2OLhZ4g5Gg3gyvv9a0qJSQjB+UvKAOKCUOxX6KoU=
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information: 
ACPI Table Name OEMID Value OEMTableID Value
APIC 100507 APIC1645
FACP 100507 FACP1645
HPET 100507 OEMHPET 
MCFG 100507 OEMMCFG 
SLIC NECCAP COMPUTER
OEMB 100507 OEMB1645
ASF! LEGEND I865PASF
GSCI 100507 GMCHSCI 
SSDT PmRef CpuPm


I didn't try those links as I really don't know what they mean or are for.
Cheers
John
 
I had a look at the mgadiag report and the disk management. The mgadiag does not show anything that would immediately identify the system as non-genuine. It's using a system builder license (the types you get from newegg) so there would be a disk lying around that can be used to clean install with. The only odd thing is the remaining rearm count is 4, only 3 rearm counts are available normally. This means the install has been tampered in some way.

Also, since the machine bios is dated 2007, it could not possibly have come with win7 preinstalled; this is also confirmed by the mgadiag report and the snip which does not show any factory partition.

Best bet would be to reinstall Windows - get your friend to cough up the disk and product key he used. Till you get around to doing that, you can also visit the MS genuine site and validate the install, there could be other issues like the same key being used on multiple computers.
 

The only odd thing is the remaining rearm count is 4, only 3 rearm counts are available normally. This means the install has been tampered in some way.
By installing SP1, an extra rearm is given. ;) For those who haven't updated to SP1, it will still show 3 rearms.
 

My Computer

Computer Manufacturer/Model Number
D3f's Customs
OS
Win 7 Ultimate SP1 x64
CPU
Intel Pentium Dual Core E5300 OC'd @ 3GHz
Motherboard
Asus P5G41-M LE
Memory
Kingston 2x2GB DDR2-800 Dual Channel SDRAM
Graphics Card(s)
Integrated Intel GMA X4500
Sound Card
Realtek 5.1 HD Audio (ALC887)
Monitor(s) Displays
LG Flatron W1943S @ 60Hz
Screen Resolution
1360 x 768
Hard Drives
Internal - WD Caviar Blue 500GB, External - WD My Passport Essential 500GB
PSU
Headway 450w PSU
Case
Pixxo Slim Black mATX Case
Cooling
Stock Cpu Fan, 1 x Top Case Fan
Keyboard
Logitech K120
Mouse
Logitech LS1 Laser Mouse
Internet Speed
17.66Mb/s Down, 0.82Mb/s Up
Other Info
Creative SBS A300 2.1 Speaker System, LG GH22NS50 22x Internal Super-Multi DVD-RW, 2Wire 5012NV Wireless Modem Router
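
The manual checks made on the report in the posts above (license channel, license status, rearm count against the service-pack level, BIOS date against the Windows 7 release) can be scripted. This is an added Python example, not part of the original thread and not a Microsoft tool; `parse_report` and `triage` are hypothetical names, the sample is a few lines excerpted from the report posted in this thread, and the rearm ceiling of 4 on SP1 is taken from the reply above rather than verified independently.

```python
import re
from datetime import date

# Excerpt of the MGADiag report posted in this thread (selected lines only).
SAMPLE = """\
Windows License Type: OEM System Builder
Build lab: 7601.win7sp1_rtm.101119-1850
Office Details: <GenuineResults><MachineData><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Date>20071005000000.000000+000</Date></BIOS></MachineData></GenuineResults>
License Status: Licensed
Remaining Windows rearm count: 4
"""

WIN7_GA = date(2009, 10, 22)  # Windows 7 general availability


def parse_report(text):
    """Collect 'Key: value' lines plus the BIOS date from the embedded XML."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            # Keys such as 'Version' repeat per section; the first one wins.
            fields.setdefault(key.strip(), value.strip())
    m = re.search(r"<BIOS>.*?<Date>(\d{4})(\d{2})(\d{2})", text, re.S)
    fields["bios_date"] = date(*map(int, m.groups())) if m else None
    return fields


def triage(fields):
    """Reproduce the manual checks from the thread as simple flags."""
    sp1 = "sp1" in fields.get("Build lab", "").lower()
    # Assumption from the thread: 3 rearms normally, 4 once SP1 is installed.
    max_rearm = 4 if sp1 else 3
    rearm = int(fields.get("Remaining Windows rearm count", "0"))
    bios = fields["bios_date"]
    return {
        "channel": fields.get("Windows License Type", "unknown"),
        "licensed": fields.get("License Status") == "Licensed",
        "sp1": sp1,
        "rearm_above_expected": rearm > max_rearm,
        # A BIOS older than Windows 7 rules out a factory Windows 7 image.
        "bios_predates_win7": bios is not None and bios < WIN7_GA,
    }


if __name__ == "__main__":
    for name, value in triage(parse_report(SAMPLE)).items():
        print(f"{name}: {value}")
```

Run against a full saved report, the same functions work unchanged, since only uniquely named fields and the `<BIOS>` element are read.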
The only odd thing is the remaining rearm count is 4, only 3 rearm counts are available normally. This means the install has been tampered in some way.
By installing SP1, an extra rearm is given. ;) For those who haven't updated to SP1, it will still show 3 rearms.
Ahhh SP1! Of course, for the image capture. Thanks for pointing out.
 

I had a look at the mgadiag report and the disk management. The mgadiag does not show anything that would immediately identify the system as non-genuine. It's using a system builder license (the types you get from newegg) so there would be a disk lying around that can be used to clean install with. The only odd thing is the remaining rearm count is 4, only 3 rearm counts are available normally. This means the install has been tampered in some way.

Also, since the machine bios is dated 2007, it could not possibly have come with win7 preinstalled; this is also confirmed by the mgadiag report and the snip which does not show any factory partition.

Best bet would be to reinstall Windows - get your friend to cough up the disk and product key he used. Till you get around to doing that, you can also visit the MS genuine site and validate the install, there could be other issues like the same key being used on multiple computers.

+1, good job done Bill:thumbsup:
 

My Computer

OS
ME/XP/Vista/Win7
Thanks Bill

Sorry for late reply mate - work and all that.

So it's quite an old machine isn't it?

Hmmmm as I said my mate got it from one of his wife's work colleagues and not knowing that he should have got the disk off this bloke - there isn't one to hand.

Yeh the machine was originally Vista as it has the NEC and Microsoft Vista compliance sticker on the bottom (the one with the Vista OEM Activation code, Serial No. etc).

So when I tried to factory default it absolutely nothing happened which immediately made me think the original owner had either completely wiped / destroyed the MBR or replaced the drive with new one.

Now the second theory I don't think is quite right as the HDD is only a 120Gb one, and who in their right mind would replace it with such a small one??

So I am guessing that the owner put on a pirated or "acquired" OEM version of 7.
He has used it for a while himself (or someone has) and then sold it on hence my finding those porn cookies still in it.

OR I am beginning to have a rather nasty suspicion that he might have been sold a "fell off the back of a truck or bought it from a bloke in a pub" machine if you get my drift!

I've set some security on it for him - MSE & the free Malwarebytes as it had nothing and it works just fine. I don't know how he wants the email set up as it has Office on it and anyway that is his decision.

I am going to contact him in the next couple of days to find out where it came from but am not going to hold my breath that he will be told the truth!!

I'm just really angry at some person selling this machine to him as he doesn't have a lot of disposable income being disabled. Plus I guess any chance of him getting his money back is going to be negligible.

Hey but look thanks so much for having a look for me as I don't understand that stuff - and to the other guys input too everyone in this forum is SO pleasant and I am in your debt and very appreciative!!:D
 
