ACER OEM W7x64 Non Genuine after HDD/Malware Issues

NoelDP · 12 Apr 2014

Hmm - I need to revise my thinking a bit :(

Assuming the MGADiag comes back unchanged, please run these commands ...

TAKEOWN /F ICACLS C:\Windows\ServiceProfiles\NetworkService /R
ICACLS C:\Windows\ServiceProfiles\NetworkService /grant:r "NT AUTHORITY\SYSTEM":(OI)(CI)(F)
ICACLS C:\Windows\ServiceProfiles\NetworkService /grant:r Administrators:(OI)(CI)(F)
ICACLS C:\Windows\ServiceProfiles\NetworkService /grant:r "NT AUTHORITY\NETWORK SERVICE":(OI)(CI)(F)
ICACLS C:\Windows\ServiceProfiles\NetworkService
ICACLS C:\Windows\ServiceProfiles\NetworkService /e /Q
ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData

I have to go out now - back later to check how you got on!

bjsracer · 12 Apr 2014

Code:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-WJ2H8-R6B6D-7QJB7
Windows Product Key Hash: ckKNc+BBPDWmo1LUlOkraNjlQ34=
Windows Product ID: 00359-OEM-8992687-00006
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {E5FB64D2-6F10-45AB-8C58-173A0A925D38}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Users\LCLS\AppData\Local\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{E5FB64D2-6F10-45AB-8C58-173A0A925D38}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7QJB7</PKey><PID>00359-OEM-8992687-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-987475376-978822867-1750259723</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>Aspire X3960</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P01-A0                 </Version><SMBIOSVersion major="2" minor="6"/><Date>20101120000000.000000+000</Date></BIOS><HWID>F9F93607018400FE</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
C:\Windows\system32\slmgr.vbs(1131, 5) Microsoft VBScript runtime error: Permission denied

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: KgAAAAEAAQABAAEAAAABAAAAAQABAAEA6GHWfThNnBd4duwOCE50zy5z

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			ACRSYS		ACRPRDCT
  FACP			ACRSYS		ACRPRDCT
  HPET			ACRSYS		ACRPRDCT
  MCFG			ACRSYS		ACRPRDCT
  SSDT			AMICPU		PROC
  SLIC			ACRSYS		ACRPRDCT

NoelDP · 12 Apr 2014

That's different! :)

Licensing Data-->
C:\Windows\system32\slmgr.vbs(1131, 5) Microsoft VBScript runtime error: Permission denied

Please run these commands again so we can see the current status....

ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
ICACLS C:\Windows\ServiceProfiles\Networkservice
ICACLS C:\Windows\ServiceProfiles
ICACLS C:\Windows\ServiceProfiles\Localservice

bjsracer · 12 Apr 2014

Code:

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
C:\Windows\ServiceProfiles\NetworkService\AppData NT AUTHORITY\SYSTEM:(F)
                                                  BUILTIN\Administrators:(F)
                                                  BUILTIN\Administrators:(I)(OI)
(CI)(F)
                                                  NT SERVICE\TrustedInstaller:(I
)(F)
                                                  NT SERVICE\TrustedInstaller:(I
)(CI)(IO)(F)
                                                  NT AUTHORITY\SYSTEM:(I)(F)
                                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI
)(IO)(F)
                                                  BUILTIN\Administrators:(I)(OI)
(CI)(IO)(F)
                                                  BUILTIN\Users:(I)(RX)
                                                  BUILTIN\Users:(I)(OI)(CI)(IO)(
GR,GE)
                                                  LCLS-PC\Brad:(I)(F)
                                                  CREATOR OWNER:(I)(OI)(CI)(IO)(
F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice
C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEM:(F)
                                          BUILTIN\Administrators:(F)
                                          BUILTIN\Administrators:(OI)(CI)(F)
                                          NT SERVICE\TrustedInstaller:(I)(F)
                                          NT SERVICE\TrustedInstaller:(I)(CI)(IO
)(F)
                                          NT AUTHORITY\SYSTEM:(I)(F)
                                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)

                                          BUILTIN\Administrators:(I)(F)
                                          BUILTIN\Administrators:(I)(OI)(CI)(IO)
(F)
                                          BUILTIN\Users:(I)(RX)
                                          BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                          LCLS-PC\Brad:(I)(F)
                                          CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles
C:\Windows\ServiceProfiles NT SERVICE\TrustedInstaller:(I)(F)
                           NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Administrators:(I)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Users:(I)(RX)
                           BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Localservice
C:\Windows\ServiceProfiles\Localservice NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                        BUILTIN\Administrators:(OI)(CI)(F)
                                        NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>

NoelDP · 13 Apr 2014

How on earth did TrustedInstaller (and your User account) get in there? - Must be the propagation command I used

It has no rights to be there.

Please run the following commands, and post the results - then I'll try and tidy up a little, since the 'replace' and propagation commands I attempted to use obviously worked differently to what I expected

ICACLS C:\Windows\ServiceProfiles\Networkservice /remove TrustedInstaller /T
ICACLS C:\Windows\ServiceProfiles\Networkservice /remove Brad /T

bjsracer · 13 Apr 2014

Completed, didn't think I needed to paste at least 1829 lines:)

Code:

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice /remove TrustedInstaller /T
Successfully processed 0 files; Failed processing 0 files

ICACLS C:\Windows\ServiceProfiles\Networkservice /remove Brad /T
............
Successfully processed 1829 files; Failed processing 0 files

NoelDP · 13 Apr 2014

Oh wow! Ooops, big time...
:)
Let's have another look at them now.

ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
ICACLS C:\Windows\ServiceProfiles\Networkservice
ICACLS C:\Windows\ServiceProfiles

(the LocalService appears to be OK)

bjsracer · 13 Apr 2014

Code:

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
C:\Windows\ServiceProfiles\NetworkService\AppData NT AUTHORITY\SYSTEM:(F)
                                                  BUILTIN\Administrators:(F)
                                                  BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                  NT SERVICE\TrustedInstaller:(I)(F)
                                                  NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                  NT AUTHORITY\SYSTEM:(I)(F)
                                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                  BUILTIN\Users:(I)(RX)
                                                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                  LCLS-PC\Brad:(I)(F)
                                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice
C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEM:(F)
                                          BUILTIN\Administrators:(F)
                                          BUILTIN\Administrators:(OI)(CI)(F)
                                          NT SERVICE\TrustedInstaller:(I)(F)
                                          NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                          NT AUTHORITY\SYSTEM:(I)(F)
                                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                          BUILTIN\Administrators:(I)(F)
                                          BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                          BUILTIN\Users:(I)(RX)
                                          BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                          LCLS-PC\Brad:(I)(F)
                                          CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles
C:\Windows\ServiceProfiles NT SERVICE\TrustedInstaller:(I)(F)
                           NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Administrators:(I)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Users:(I)(RX)
                           BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>

... and I just realised I do not have non genuine showing on desktop.... der

NoelDP · 13 Apr 2014

I think I see what's needed...
Please run the following commands in an Elevated Command Prompt, and post the results.

ICACLS C:\Windows\ServiceProfiles\Networkservice /d /q
ICACLS C:\Windows\ServiceProfiles\Networkservice

It should only be a few lines :)

bjsracer · 13 Apr 2014

:)
C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice /d /q
Invalid parameter "/d"