Suspect RemoveWAT was used to make used computer appear valid


  1. Posts : 3
    Windows 7 Home Premium 64bit
       #1


    I purchased a used refurb computer locally from a Mom & Pop repair shop. It came with Win7, Word and Excel. It is entirely my responsibility that I did not fully investigate the computer; they checked out with online reviews and were pretty helpful while I was there. They also had a decent amount of other customer traffic while I was looking around. They claim to have been in business 10 years, though their biz license was only issued in 2012; they could have had a different license previously.

    Something is fishy, my Product Keys are all default, and I did not receive COA Product Keys.

    I suspect that RemoveWAT was used because I have NOTHING in the space where Windows Activation is supposed to be (see screenshot)

    Here's my Diagnostic Report
    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-74XYM-BH4JX-XM76F
    Windows Product Key Hash: KeYfcvXg/a1Q01x73+f8IL/JC4Y=
    Windows Product ID: 00359-112-0000007-85796
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7600.2.00010300.0.0.003
    ID: {16F229F2-E552-401F-BB95-1F67C95E6586}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7600.win7_gdr.130318-1532
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{16F229F2-E552-401F-BB95-1F67C95E6586}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010300.0.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-XM76F</PKey><PID>00359-112-0000007-85796</PID><PIDType>5</PIDType><SID>S-1-5-21-2083349407-628229037-1197225645</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>OptiPlex 755                 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A22</Version><SMBIOSVersion major="2" minor="5"/><Date>20120611000000.000000+000</Date></BIOS><HWID>81BB3607018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B9K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>17EE25E38C41586</Val><Hash>CSmFLSHpkTpMJgV3g4QMsUFwBlo=</Hash><Pid>89388-707-1105923-65847</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
    
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Not Registered - 0x80070005
    HealthStatus Bitmask Output:
    
    
    HWID Data-->
    HWID Hash Current: MgAAAAEABAABAAIAAAABAAAAAQABAAEAeqhgqFxTOuyKKJIuKK+2myK9aubauWaOzDE=
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            DELL          B9K   
      FACP            DELL          B9K   
      HPET            DELL          B9K   
      BOOT            DELL          B9K   
      MCFG            DELL          B9K   
      SSDT            DELL        st_ex
      ASF!            DELL          B9K   
      ____            DELL          B9K   
      SLIC            DELL          B9K

    My ideal solution is to simply return the system for a full refund; I already called my bank for dispute information. I will go to the merchant tomorrow (Tue Mar 25 2014) only because I want a friend with me as a material witness in case the merchant tries to weasel out of refunding me. They supposedly have no returns, but do have a 90 or 120 day warranty. At this point, I would not be comfortable if they offered to "fix" the issue. Even if they say "All Sales Final", that does not apply to defective merchandise.

    Questions:
    1) I do not wish to accuse the merchant of shady setup without substantial evidence. Is there any other setting or error that could cause Windows Activation to be blank/missing/removed? Other than RemoveWAT, I could not find any other reason.

    2) Is there any way to look at the log files to see if RemoveWAT was actually used? (Or any other activation exploit software, if it wasn't RemoveWAT specifically.)

    I appreciate any insight, I got this far with the help of these forums, so thanks for that already!


    PS: I do not want to try to repair or fix the issue; I feel I have better grounds for a refund if the system is left as is. So there are a few fixes I've seen and not tried (like sfc /scannow). I attempted to get as much information as I could without changing too much, though I did run Dell diagnostics, Win Validation (which of course failed), MGADiag and ProduKey.





  2. Posts : 399
    Microsoft Windows 7 Ultimate 32-bit 7601
       #2

    Your question made me wonder how someone would be able to figure out if their computer was activated with RemoveWAT, and I found it. If you find these files on your computer, it was more than likely illegally activated. Also, RemoveWAT disables Windows Update.

    Code:
    antiwat.dll
    freewat.dll
    by-pass.dll
    antiwpa.dll
    wpa.dll

    I also did more searching and found another illegal activation method. The way to tell if that was used is to look at your updates: if you are missing KB971033, it's probably illegal. After installing KB971033, if illegal, your computer will not pass the genuine test. This method uses a tool called Windows Loader and allows the computer to update as long as KB971033 is not installed. I spent about an hour searching for this info and I would share the links, but there were some pretty shady sites I went to, so I will not share the references.
    Last edited by Digital Life; 24 Mar 2014 at 15:40. Reason: Because I can


  3. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #3

    Something is certainly fishy, the System Properties should also have a Dell logo. They may have used the DAZ loader too, which is difficult to detect.


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #4

    sml156 said:
    Your question made me wonder how someone would be able to figure out if their computer was activated with RemoveWAT, and I found it. If you find these files on your computer, it was more than likely illegally activated.

    Code:
    antiwat.dll
    freewat.dll
    by-pass.dll
    antiwpa.dll
    wpa.dll

    I also did more searching and found another illegal activation method. The way to tell if that was used is to look at your updates: if you are missing KB971033, it's probably illegal. After installing KB971033, if illegal, your computer will not pass the genuine test.

    Be very careful visiting websites that even discuss this topic. I'm not sure that much more can be said about the KB that you mentioned without breaking this forum's rules, so I'll just say that your info is outdated.



    Britton30 said:
    Something is certainly fishy, the System Properties should also have a Dell logo. They may have used the DAZ loader too, which is difficult to detect.

    Using the Daz loader would install an OEM key - the OP has a retail key. As the OP stated, the key is the Windows default one. When installing W7, just skip putting in a key and you will get the trial key as shown in the OP's MGA report.

    Let's see what Noel has to say


  5. Posts : 3
    Windows 7 Home Premium 64bit
    Thread Starter
       #5

    Thank you all so much - after more digging I found slmgr.vbs.removewat in sys32 folder
    and duh, why didn't I search "removewat" sooner! I think I thought that would be too obvious

    Also helpful was knowing what removewat does, based on this article: "Confessions of a Windows 7 pirate" (page 2, ZDNet).

    I can see the timestamp on slwga.dll 3/20/14 12:30 PM (the fake dll that removewat installed)
    and the backup slwga.dll.bak 07/13/2009 6:41 PM (the real dll that removewat replaced but left intact for their uninstaller, my guess)

    The merchant did the install on 3/20, that's the earliest date in logs, I bought on 3/21

    More questions later, must unplug, just didn't want to leave you hanging!


  6. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #6

    The system definitely shows signs of the use of RemoveWAT - the installed Key is the Default Key for Home Premium, which can NEVER be legally activated, but the report shows it as being activated.

    The three tell-tale errors for RemoveWAT are present.

    Code:
    Licensing Data-->
    Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

    Code:
    File Scan Data-->
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

    Is there a COA sticker on the case of the machine?
    The BIOS is dated June 2012 - which places the machine firmly in Windows 7 territory, so there should be - if so, for what edition of Windows is it valid? (If the edition is not visible, but the Key is, it's another sign of a shady vendor.)


    Definitely demand a refund from the vendor - if you can still find them!
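
An added example (not from the thread or from any Microsoft tool): a small Python scan of an MGADiag report for the three errors quoted in post #6, plus the System32 file names the thread starter reported in post #5. The function names and the trimmed sample report are constructed for illustration.

```python
import re

# Constructed sample: the two relevant sections of the report posted in this thread.
SAMPLE_REPORT = r'''
Validation Code: 0

File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".
'''

MISMATCH_RE = re.compile(
    r'^\s*File Mismatch:\s*(.+?)\[[^\]]*\],\s*Hr\s*=\s*(0x[0-9a-fA-F]+)', re.M)
SLMGR_RE = re.compile(r'Can not find script file\s+"[^"]*\\slmgr\.vbs"', re.I)
# File names the thread starter found in System32 (post #5 of this thread).
LEFTOVER_NAMES = {"slmgr.vbs.removewat", "slwga.dll.bak"}


def scan_report(text):
    """Return (kind, file, hresult) tuples for each indicator in the report."""
    findings = []
    if SLMGR_RE.search(text):
        findings.append(("slmgr_missing", "slmgr.vbs", None))
    for m in MISMATCH_RE.finditer(text):
        name = m.group(1).rsplit("\\", 1)[-1].lower()
        findings.append(("file_mismatch", name, m.group(2).lower()))
    return findings


def scan_listing(filenames):
    """Return leftover file names (case-insensitive) seen in a directory listing."""
    return sorted(n.lower() for n in filenames if n.lower() in LEFTOVER_NAMES)


def assess(text, filenames=()):
    """True 'report_match' means all three errors from post #6 are present."""
    findings = scan_report(text)
    mismatched = {f[1] for f in findings if f[0] == "file_mismatch"}
    report_match = (any(f[0] == "slmgr_missing" for f in findings)
                    and {"systemcpl.dll", "user32.dll"} <= mismatched)
    return {"report_match": report_match, "findings": findings,
            "leftovers": scan_listing(filenames)}


if __name__ == "__main__":
    print(assess(SAMPLE_REPORT, ["slmgr.vbs.removewat", "slwga.dll", "slwga.dll.bak"]))
```

The `0x800b0100` HRESULT on the mismatched files is `TRUST_E_NOSIGNATURE`, i.e. the file no longer carries a signature that verifies; a directory listing for `scan_listing` can be taken read-only, without changing the system under dispute.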


  7. Posts : 10,485
    W7 Pro SP1 64bit
       #7

    Thanks Noel.

    @Christy,
    Did you get your money back?


  8. Posts : 3
    Windows 7 Home Premium 64bit
    Thread Starter
       #8

    Got the refund - I won't have closure until it processes fully; my bank said it won't show until tomorrow and can take up to three days to complete. I still have 30 days from purchase to dispute if something goes haywire; it all seems OK though.

    Vendor has a store front, so I wasn't worried about that

    COA sticker on box was for Vista, and yes entirely my fault for not questioning it, I fired it up in store and doinked around to see what was there. Saw the Win7 info in Control Panel System, verified hardware thru system & physically inside the box.

    Previous to this debacle, I didn't know you could look up a Dell by Service Tag (Support | Dell US). The computer originally shipped 6/2008; he claimed it was 2012 when I was there.

    So just for fun, I called him anonymously earlier today and asked a bunch of questions and he was consistent with the false information he said in the store - the systems I knew were 2006, he claimed were 2010 and 2008s he claimed 2012. I played it like I was a noob, specifically asked about needing a sticker or code for windows, and he said it was already on the computer.

    When I went to get the refund, they didn't recognize me so I pretended to be looking around and played with one that was on display. Checked Control Panel System - Windows activation spot BLANK, and slmgr.vbs.removewat in Sys32 folder.

    Up until that point, I was still trying to give him the benefit of the doubt that my system was some mistake or oversight, but seeing another invalid machine on display for sale confirmed it probably wasn't in error.

    So I said my Win7 wouldn't verify and I wanted a refund. He said he'd fix it right there, which I declined. He claimed it was an oversight and showed me other systems with actual Win7 COA stickers and the marked thru previous sticker, and "I just got a bad one" [in my head "Umm, so then why is there another invalid one sitting right there?"] Then he told me he was one of 17 Certified Re-manufacturers in the US, blah blah blah - whatever, I said as little as possible, other than to mention I found removewat had been used on my system.

    There is no logical reason I can think of he'd be "working" on a system and wants to put it on display invalid, then when it sells, make it legit.

    Isn't Win 7 pretty cheap, like $60 cost for reseller/remanuf/bulk whatever MS calls it?

    /meaderingventrant

    Please forgive my verbosity, better too much than threads where the OP vanishes? LOL


  9. Posts : 10,485
    W7 Pro SP1 64bit
       #9

    Thanks for the update. It sounds like you did an excellent job of finding them out.

    Microsoft might be interested in hearing about this particular "vendor". I'm not sure which number to call since I've never run into such characters. Perhaps other forum members know how best to report them.


  10. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #10

    The counterfeit reporting mechanism starts here: How to Tell - Hardware


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5.