Windows 7 activation issue (real or fake?)

[RonM]

I had a virus problem with my PC about a month ago. I took it to a PC repair shop for repair and they told me that it would be a good idea to upgrade my PC from XP to Win 7 in addition to correcting the virus issue.

They upgraded my PC and everything seem OK for about a month and then a Window activation message popped up whenever I booted my PC and periodically while running. The message indicates that Windows must be activated and to click on a link for online processing. I also noticed that when the message appears the wallpaper is disabled.

I called the shop they told me to bring it in, which I did and they checked and claim windows was activated and that the pop-up is a virus/trojan.

Form reading several threads on the web it appears that others have also run into this issue.

But I ran malwarebytes and spybot and neither picked up the issue.

I emailed malwarebytes and they think that this copy of windows may not be legit. And Murice in product support suggested that I mention Noel Paton as someone who should look into this on your forum.

I ran the MGADiag program and here are the results.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 50
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-74XYM-BH4JX-XM76F
Windows Product Key Hash: KeYfcvXg/a1Q01x73+f8IL/JC4Y=
Windows Product ID: 00359-112-0000007-85721
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {2E9A562F-7F02-4A0A-AAEE-C346F7C20830}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.140303-2144
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE; Win32)
Default Browser: C:\Program Files\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{2E9A562F-7F02-4A0A-AAEE-C346F7C20830}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-XM76F</PKey><PID>00359-112-0000007-85721</PID><PIDType>5</PIDType><SID>S-1-5-21-3988670118-4129494783-1430437545</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Vostro 200</Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>1.0.11</Version><SMBIOSVersion major="2" minor="5"/><Date>20080131000000.000000+000</Date></BIOS><HWID>BF183D07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>FX09   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>7480B9502DF0D86</Val><Hash>oYWOW5ayFE3pZ+jvTpuXYsY64JE=</Hash><Pid>89388-707-8722531-65357</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-112-000000-00-1033-7601.0000-0912015
Installation ID: 008392973385675234351915679195294281180105449813224200
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: XM76F
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 5/6/2015 11:25:39 AM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0xC004F022
HealthStatus: 0x0000000000000000
Event Time Stamp: 4:1:2015 18:35
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: MAAAAAEABAABAAEAAAABAAAAAQABAAEAJJRkUkZvYCGI/eZyZP7m3uYPri4EVyqF

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			DELL  		FX09   
  FACP			DELL  		FX09   
  HPET			DELL  		FX09   
  MCFG			DELL  		FX09   
  SLIC			DELL  		FX09   
  DMY2			DELL  		FX09   
  SSDT			PmRef		CpuPm

 

[NoelDP]

The installed Product Key is the Default Key, which can NEVER be activated, legally.
Your machine looks as if it originally shipped with Vista installed - What does the COA sticker on the case say?

The current install is classed as counterfeit, because the Key cannot be activated legally, and yet is apparently activated. The only way this could happen is if there is a hacker's Activation Exploit present to bypass activation and validation requirements.
I can also tell you which hack it is that's installed - it produces characteristic errors in the MGADiag report. Part of it has broken down, probably as a result of cleanup operations (has an SFC /SCANNOW been run at some time since?)


When the shop upgraded your machine - they should have given you the (holographic) reinstall media, and (MOST important) the new Product Key on either a COA sticker, or a Proof of License card.
Did they do this?
If not, then they sold you a counterfeit, and you should threaten them with action for misrepresentation and fraud (as well as counterfeiting). They also stand a good chance of a visit from the FBI if you actually follow through (the FBI has jurisdiction in the US over software counterfeiting).

In short - go for the jugular!

 

[RonM]

I purchased the PC directly from Dell several years ago and it had XP Home Edition installed (that is also what's on the sticker on the PC).

I am not sure what SFC/SCANNOW is but I didn't run it. It may have been run by the PC shop.

I did not receive anything from the PC shop when I picked up my PC.

Thanks for your help on this.

 

[NoelDP]

Good luck!
Feel free to come back with supplementary questions if you need to.

 

[RonM]

Have one question related to the Vista question.

When the PC shop installed Win 7 they switched my two drives. The original drive was smaller than another I installed a couple of years after purchase.

When I picked up the PC after the Win & install I noticed that my d drive is now c and c is now d. And the windows XP appears to be on d.

Could the shop have installed Vista and then upgraded to Win 7 to somehow try to hide that it was not a genuine version?

 

[NoelDP]

That makes no difference to the license - I was reading the BIOS data 'blind', which shows that the BIOS date is 2008, and the SLIC table is a v2.0 one.

Vista was released to manufacture late in 2006, together with the 'new' v2.0 BIOS SLIC tables. These tables are what allow a Windows install to be self-activating right out of the box, and all machines from large manufacturers have them. They are (to an extent) backwards-compatible, so may be able to activate an XP Home install.

Since your machine has an XP Home COA sticker on the case, there is no doubt that it came with XP Home pre-installed.

Your discovery about the disk letter changes is interesting, though, since it shows that they could not have used OEM media (and Key) for the 'upgrade', as that does not allow such a procedure. They must therefore have used 'Retail' media - either an Upgrade or Full retail Key. The Default Key acts in all respects as a Full Retail Key apart from the fact that it is blocked by MS from activation, and cannot therefore ever be activated on ANY machine. It's likely that your store just chose to install this and then the hack because it's effectively free for them, so anything they get from you for the 'license' is clear profit.

Had they done the job properly, it would have cost them in the region of $75 for the license and disk(s) depending on how they managed to do it (they would actually nowadays have had to have bought a OEM System Builder kit for you, since MS stopped selling retail and upgrades some time ago). Then there's the cost of install and whatever cleanup they did actually do on your old install. You'd have been lucky to get away with less than $150 for a bill, and it could easily have come to over $250.

 

[RonM]

It did cost me about $150 for the "upgrade" and cleanup.

 

[NoelDP]

So they definitely ripped you off! demand a refund and correction.

 

[RonM]

I went back to the PC shop today and told the owner that after running diagnostics on the PC it appears that the Windows installation is not legit. The owner claims it is legit but would not give me copies of the CD and license (claims it would cost $150-$200). How do I report this shop?

 

[NoelDP]

Contact Microsoft and the FBI Assuming you're in the USA!)
https://www.microsoft.com/en-gb/howtotell/default.aspx

https://www.microsoft.com/en-gb/howtotell/cfr/report.aspx

FBI

Did you tell them that you propose to report them to the FBI unless you receive satisfaction? In writing??

 

[RonM]

Thanks for the links.

I think I realized what the repair shop did.

I brought the PC in for a virus problem so they just switched drives and installed Win 7 on the other drive. I bet if I reverted back to XP the virus will still be there. They were supposed to remove it.

In any case I filed a complaint with MS.

 

[RonM]

I submitted the issue to MS as per the link you provided above and received an email that the claim was denied because I didn't submit the media, the key or a receipt. The only receipt I have is the charge to my credit card and I did not receive any media or a valid key that is why I submitted the counterfeit claim in the first place. I didn't submit it to get a free version of windows from MS. I wanted them to go after the PC Shop so he does not do this to other people. How else can I can MS to pursue this?

 

[NoelDP]

MS will pursue it - but it takes time, and they have to get evidence themselves in a forensically-correct manner.
The shop will eventually get closed down.

 

[RonM]

They didn't mention anything about pursing it, just denied my claim because they thought I just wanted the genuine software they were offering for completing the counterfeit report.

I already called the credit card company and the put the charge in dispute. From what I gather they will deny the store's charges. I will use that money to buy a genuine copy.

 

[Layback Bear]

We had two small computer shops shut down in the small town I live in.

They were selling counterfeit Windows operating systems and got caught.

One was dumb enough and was selling the counterfeits to government agency's. It took over a year of investigation before the shut downs.