This computer is not running Genuine Windows

Page 2 of 5

  1. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #11

    That's clear - so we're left with the 'tamper' that MGADiag sees.

    Just to make certain, please run another MGADiag report, and post the results.


  2. Posts : 43
    Windows 7 Ultimate x64
    Thread Starter
       #12

    Here's the MGADiag


    Here's a new MGADiag.

    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0x8004FE22
    Cached Online Validation Code: N/A, hr = 0x80070005
    Windows Product Key: *****-*****-VQQKT-QGGGP-RQ62D
    Windows Product Key Hash: B1oWRG44kq4hE5pxicwjPOx3L+M=
    Windows Product ID: 00426-437-6655695-85858
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7600.2.00010100.0.0.001
    ID: {80409215-9A94-4664-BBCA-49BFB01EB123}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7600.win7_gdr.120830-0334
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{80409215-9A94-4664-BBCA-49BFB01EB123}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-RQ62D</PKey><PID>00426-437-6655695-85858</PID><PIDType>5</PIDType><SID>S-1-5-21-3463364969-3535792361-3485682137</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-UD3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F6</Version><SMBIOSVersion major="2" minor="4"/><Date>20120530000000.000000+000</Date></BIOS><HWID>9BB83607018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x46' to display the error text.
    Error: 0x46 
    
    Windows Activation Technologies-->
    HrOffline: 0x8004FE22
    HrOnline: N/A
    HealthStatus: 0x0000000000004000
    Event Time Stamp: 11:19:2012 08:01
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    
    
    HWID Data-->
    HWID Hash Current: NgAAAAIABAABAAEAAAACAAAAAgABAAEAln0go3cW/IgQM9zf3BVU8gbDDDdiPc6arh2v/yAh
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name	OEMID Value	OEMTableID Value
      APIC			GBT   		GBTUACPI
      FACP			GBT   		GBTUACPI
      HPET			GBT   		GBTUACPI
      MCFG			GBT   		GBTUACPI
      MSDM			GBT   		GBTUACPI
      EUDS			GBT   		
      MATS			GBT   		
      TAMG			GBT   		GBT   B0
      MATS			GBT   		
      SSDT			AMD   		POWERNOW


  3. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #13

    That's an interesting result....

    Please run the following commands from an Elevated Command Prompt window (1)

    Copy and paste the set of commands below into the window – once completed, hit the Enter Key to ensure that the last command has run (2)

    REG QUERY HKU
    REG QUERY HKU\S-1-5-20
    REG QUERY HKU\S-1-5-20\Environment
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20"
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

    Copy the whole output to your response (3)



    Here are some instructions to make life easier :)
    1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.


  4. Posts : 43
    Windows 7 Ultimate x64
    Thread Starter
       #14

    The result of Command Prompt


    Here's the result of Command Prompt. Also, thanks for the guide!



    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>REG QUERY HKU

    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-21-3463364969-3535792361-3485682137-1000
    HKEY_USERS\S-1-5-21-3463364969-3535792361-3485682137-1000_Classes
    HKEY_USERS\S-1-5-18

    C:\Windows\system32>REG QUERY HKU\S-1-5-20
    ERROR: The system was unable to find the specified registry key or value.

    C:\Windows\system32>REG QUERY HKU\S-1-5-20\Environment
    ERROR: The system was unable to find the specified registry key or value.

    C:\Windows\system32>REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    \ProfileList\S-1-5-20"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
    5-20
    ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\NetworkServi
    ce
    Flags REG_DWORD 0x0
    State REG_DWORD 0x0


    C:\Windows\system32>REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    \ProfileList"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Users
    Default REG_EXPAND_SZ %SystemDrive%\Users\Default
    Public REG_EXPAND_SZ %SystemDrive%\Users\Public
    ProgramData REG_EXPAND_SZ %SystemDrive%\ProgramData

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
    5-18
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
    5-19
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
    5-20
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
    5-21-3463364969-3535792361-3485682137-1000
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
    5-21-3463364969-3535792361-3485682137-500

    C:\Windows\system32>


  5. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #15

    You have some VERY strange results there - I need to ponder on them.....
    back tomorrow.


  6. Posts : 43
    Windows 7 Ultimate x64
    Thread Starter
       #16

    Well... That doesn't sound very good...
    Anyway, thanks for the work yesterday.


  7. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #17

    The problem appears to be that your NetworkService registry hive is either corrupt or unavailable - let's have a look at a few things....

    Open an Elevated Command Prompt, and run the following commands

    ICACLS C:\Windows\ServiceProfiles\NetworkService
    DIR C:\Windows\ServiceProfiles\NetworkService
    DIR C:\Windows\ServiceProfiles\NetworkService /AH

    Post the results.


  8. Posts : 43
    Windows 7 Ultimate x64
    Thread Starter
       #18

    Command Prompt Result


    Here's the result of Command Prompt.

    (Why is it automatically changing the : ( to 'frown' emoticon? How do I change it?)

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService
    C:\Windows\ServiceProfiles\NetworkService NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Administrators:(OI)(CI)(F)
    NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>DIR C:\Windows\ServiceProfiles\NetworkService
    Volume in drive C has no label.
    Volume Serial Number is 3AD9-BE71

    Directory of C:\Windows\ServiceProfiles\NetworkService

    11/18/2012 08:54 AM <DIR> .
    11/18/2012 08:54 AM <DIR> ..
    07/13/2009 11:45 PM <DIR> Desktop
    07/13/2009 11:45 PM <DIR> Documents
    07/13/2009 11:45 PM <DIR> Downloads
    07/13/2009 11:45 PM <DIR> Favorites
    07/13/2009 11:45 PM <DIR> Links
    07/13/2009 11:45 PM <DIR> Music
    07/13/2009 11:45 PM <DIR> Pictures
    07/13/2009 11:45 PM <DIR> Saved Games
    07/13/2009 11:45 PM <DIR> Videos
    0 File(s) 0 bytes
    11 Dir(s) 53,854,347,264 bytes free

    C:\Windows\system32>DIR C:\Windows\ServiceProfiles\NetworkService /AH
    Volume in drive C has no label.
    Volume Serial Number is 3AD9-BE71

    Directory of C:\Windows\ServiceProfiles\NetworkService

    07/13/2009 11:45 PM <DIR> AppData
    11/19/2012 09:51 PM 262,144 NTUSER.DAT
    07/14/2009 02:12 AM 1,024 NTUSER.DAT.LOG
    11/19/2012 09:51 PM 226,304 NTUSER.DAT.LOG1
    07/13/2009 11:45 PM 0 NTUSER.DAT.LOG2
    07/14/2009 12:01 AM 65,536 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0b
    cde3ec}.TM.blf
    07/14/2009 12:01 AM 524,288 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0b
    cde3ec}.TMContainer00000000000000000001.regtrans-ms
    07/14/2009 12:01 AM 524,288 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0b
    cde3ec}.TMContainer00000000000000000002.regtrans-ms
    11/18/2012 05:29 PM 65,536 NTUSER.DAT{48a7e2a9-3187-11e2-b348-806e6f
    6e6963}.TM.blf
    11/18/2012 05:29 PM 524,288 NTUSER.DAT{48a7e2a9-3187-11e2-b348-806e6f
    6e6963}.TMContainer00000000000000000001.regtrans-ms
    11/18/2012 05:29 PM 524,288 NTUSER.DAT{48a7e2a9-3187-11e2-b348-806e6f
    6e6963}.TMContainer00000000000000000002.regtrans-ms
    11/18/2012 08:37 AM 65,536 NTUSER.DAT{ed2b25fd-3184-11e2-8d89-806e6f
    6e6963}.TM.blf
    11/18/2012 08:37 AM 524,288 NTUSER.DAT{ed2b25fd-3184-11e2-8d89-806e6f
    6e6963}.TMContainer00000000000000000001.regtrans-ms
    11/18/2012 08:37 AM 524,288 NTUSER.DAT{ed2b25fd-3184-11e2-8d89-806e6f
    6e6963}.TMContainer00000000000000000002.regtrans-ms
    13 File(s) 3,831,808 bytes
    1 Dir(s) 53,854,347,264 bytes free

    C:\Windows\system32>


  9. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #19

    The NTUSER.DAT file appears to be 'stuck' - it should be updated at least at every boot.
    The question is whether that's a cause, or an effect?

    Please run the following commands and post the results.

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\RpcSs
    REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\hivelist
    REG QUERY HKLM\SYSTEM\CurrentControlSet\services\sppsvc


  10. Posts : 43
    Windows 7 Ultimate x64
    Thread Starter
       #20

    Command Prompt Result


    Here's the result.


    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\RpcSs

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
    DisplayName REG_SZ @oleres.dll,-5010
    Group REG_SZ COM Infrastructure
    ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k rpcss
    Description REG_SZ @oleres.dll,-5011
    ObjectName REG_SZ NT AUTHORITY\NetworkService
    ErrorControl REG_DWORD 0x1
    Start REG_DWORD 0x2
    Type REG_DWORD 0x20
    DependOnService REG_MULTI_SZ RpcEptMapper\0DcomLaunch
    FailureActions REG_BINARY 00000000000000000000000001000000000000000200
    000060EA0000
    RequiredPrivileges REG_MULTI_SZ SeChangeNotifyPrivilege\0SeCreateGloba
    lPrivilege\0SeImpersonatePrivilege
    ServiceSidType REG_DWORD 0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\hivelist

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
    \REGISTRY\MACHINE\HARDWARE REG_SZ
    \REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume4\Windows\System
    32\config\SYSTEM
    \REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume4\Windows\System3
    2\config\DEFAULT
    \REGISTRY\MACHINE\SAM REG_SZ \Device\HarddiskVolume4\Windows\System32\
    config\SAM
    \REGISTRY\MACHINE\SECURITY REG_SZ \Device\HarddiskVolume4\Windows\Syst
    em32\config\SECURITY
    \REGISTRY\MACHINE\SOFTWARE REG_SZ \Device\HarddiskVolume4\Windows\Syst
    em32\config\SOFTWARE
    \REGISTRY\MACHINE\BCD00000000 REG_SZ \Device\HarddiskVolume1\Boot\BCD
    \REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume4\Windows\Service
    Profiles\LocalService\NTUSER.DAT
    \Registry\User\S-1-5-21-3463364969-3535792361-3485682137-1000 REG_SZ \
    Device\HarddiskVolume4\Users\SKIIPA\NTUSER.DAT
    \Registry\User\S-1-5-21-3463364969-3535792361-3485682137-1000_Classes REG
    _SZ \Device\HarddiskVolume4\Users\SKIIPA\AppData\Local\Microsoft\Windows\UsrC
    lass.dat


    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\services\sppsvc

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sppsvc
    DisplayName REG_SZ @%SystemRoot%\system32\sppsvc.exe,-101
    ImagePath REG_EXPAND_SZ %SystemRoot%\system32\sppsvc.exe
    Description REG_SZ @%SystemRoot%\system32\sppsvc.exe,-100
    ObjectName REG_SZ NT AUTHORITY\NetworkService
    ErrorControl REG_DWORD 0x1
    Start REG_DWORD 0x2
    DelayedAutoStart REG_DWORD 0x1
    Type REG_DWORD 0x10
    DependOnService REG_MULTI_SZ RpcSs
    ServiceSidType REG_DWORD 0x1
    RequiredPrivileges REG_MULTI_SZ SeAuditPrivilege\0SeChangeNotifyPrivil
    ege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
    FailureActions REG_BINARY 80510100000000000000000003000000140000000100
    0000C0D4010001000000E09304000000000000000000

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sppsvc\Security

    C:\Windows\system32>
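
Added example, not part of the original posts: the cross-check the commands in this thread perform by eye, written as a script that compares the `hivelist` output with the `ProfileList` subkeys and reports any built-in service account whose hive is not mounted, together with the services configured to run under it. It generalizes from NetworkService to all three built-in service accounts; the function names are hypothetical, and the sample text is constructed from the output above with the console line wraps removed.

```python
import re

# Well-known service-account SIDs and the ObjectName strings that refer to them.
SERVICE_ACCOUNTS = {
    "S-1-5-18": {"localsystem", r"nt authority\system"},
    "S-1-5-19": {r"nt authority\localservice"},
    "S-1-5-20": {r"nt authority\networkservice"},
}

# Constructed sample: values from the thread's output, console line wraps removed.
HIVELIST = r"""
\REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume4\Windows\System32\config\SYSTEM
\REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume4\Windows\System32\config\DEFAULT
\REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume4\Windows\ServiceProfiles\LocalService\NTUSER.DAT
\Registry\User\S-1-5-21-3463364969-3535792361-3485682137-1000 REG_SZ \Device\HarddiskVolume4\Users\SKIIPA\NTUSER.DAT
\Registry\User\S-1-5-21-3463364969-3535792361-3485682137-1000_Classes REG_SZ \Device\HarddiskVolume4\Users\SKIIPA\AppData\Local\Microsoft\Windows\UsrClass.dat
"""
PROFILELIST = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3463364969-3535792361-3485682137-1000
"""
SERVICES = {"RpcSs": r"NT AUTHORITY\NetworkService", "sppsvc": r"NT AUTHORITY\NetworkService"}

def loaded_sids(hivelist_text):
    """Return the SIDs whose per-user hive is mounted under the USER root."""
    sids = set()
    for m in re.finditer(r"^\\REGISTRY\\USER\\(\S+)", hivelist_text, re.I | re.M):
        name = m.group(1).upper()
        if name == ".DEFAULT":               # HKU\.DEFAULT is the LocalSystem hive
            sids.add("S-1-5-18")
        elif not name.endswith("_CLASSES"):  # skip the per-user Classes hive
            sids.add(name)
    return sids

def profile_sids(profilelist_text):
    """Return the SIDs that have a ProfileList subkey."""
    return set(re.findall(r"ProfileList\\(S-1-[\d-]+)\s*$", profilelist_text, re.M))

def unloaded_service_hives(hivelist_text, profilelist_text, services):
    """Map each service account with a profile but no mounted hive to its services."""
    loaded = loaded_sids(hivelist_text)
    findings = {}
    for sid in sorted(profile_sids(profilelist_text) & set(SERVICE_ACCOUNTS)):
        if sid not in loaded:
            findings[sid] = sorted(name for name, account in services.items()
                                   if account.lower() in SERVICE_ACCOUNTS[sid])
    return findings

if __name__ == "__main__":
    print(unloaded_service_hives(HIVELIST, PROFILELIST, SERVICES))
```

User SIDs are left out of the comparison on purpose: an account that is not logged on has a ProfileList entry but no mounted hive, and that is normal.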
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
