[alexstrazza]

Howdy - came across a problem that I can't seem to resolve.  
 
I'm receiving a message saying my win7 install is not runnning authentic windows despite having OEM install from a few years ago and it always being fine. I think I was recently hacked by malware and have run malwarebytes and installed free trial of Mcafee because windows security essentials wouldn't update and then ran Mcafee and Malwarebytes.  It now says everything is clean (malwarebytes cleaned 32 items and Mcafee cleaned some too).
 
Uninstalled Mcafee shortly after but I couldn't run windows update and MS security essentials won't update so have reinstalled Mcafee. I have manually re-entered the OEM key but on the next reboot still get "windows not running authentic windows" pop up.  I have tried running windows legitcheck.hta but get error which says "legitcheck.hta is not a valid win32 application" which i can sort of understand because i am running win7 64 bit home professional
 
Any ideas other than fresh install of win 7?  I have attached OTL logs below.  
 
Many thanks in advance =)

Attached Files

•  OTL.Txt   141.83KB   859 downloads

Edited by alexstrazza, 28 October 2014 - 04:49 AM.

[Advertisements]

Hello alexstrazza,

 

Welcome to Geekstogo.

 

I think you need to talk to microsoft.

Click Start > All Programs > Accessories >  Command Prompt and type slui.exe 4 (note the space... it should be there) and hit Enter.

Select an activation centre near you, call, speak with a real person and explain what happened.

Come back and tell me how your got on. I cannot help you further until the machine is validated.

[emeraldnzl]

Hello alexstrazza,

 

Welcome to Geekstogo.

 

I think you need to talk to microsoft.

Click Start > All Programs > Accessories >  Command Prompt and type slui.exe 4 (note the space... it should be there) and hit Enter.

Select an activation centre near you, call, speak with a real person and explain what happened.

Come back and tell me how your got on. I cannot help you further until the machine is validated.

[alexstrazza]

Hello alexstrazza,

 

Welcome to Geekstogo.

 

I think you need to talk to microsoft.

Click Start > All Programs > Accessories >  Command Prompt and type slui.exe 4 (note the space... it should be there) and hit Enter.

Select an activation centre near you, call, speak with a real person and explain what happened.

Come back and tell me how your got on. I cannot help you further until the machine is validated.

I have verified it is legit using the oem sticker on the case with slui.exe 3. I then try and run windows update and it says I need to restart. When I restart it changes back and says it is not an authentic again and won't load windows update.  Just tried slui.exe 4 and same results...

[emeraldnzl]

 

 Just tried slui.exe 4 and same results...

 

Did you try the instructions at my last post to speak with a real person and explain what happened?

[alexstrazza]

 

 

 Just tried slui.exe 4 and same results...

 

Did you try the instructions at my last post to speak with a real person and explain what happened?

 

So - here's how it works for anyone in Australia.  There are 4 numbers to call when you select slui.exe 4. 2  Toll free and 2 toll.  I tried the first toll free initially 1800 642 008.   This gives you an automated service to quote numbers back and authenticate your product.  Worked as stated above.  Authenticated but then when I tried to run windows update it failed. So I  just tried the second number - the other toll free number.  Spoke to support who ran me through the standard troubleshooting despite my specific post above being repeated many times.  They validated the key twice but still had the problems I did.  To their credit when they tried to sell me paid support and I reiterated the issue with conviction they tried a screenshare.  They could not fix it and tried much of what I had already tried then said they will escalate and call me back tomorrow.  I will provide further updates as they occur. To be continued...

[emeraldnzl]

Yes, we need that validation otherwise we cannot help.

 

Look forward to hearing from you.

[alexstrazza]

Yes, we need that validation otherwise we cannot help.

 

Look forward to hearing from you.

MS second level support called back today (see above).  Valid product key is not the issue.  As mentioned above it has worked for years on OEM install and I have since self validated and MS have validated but it doesn't stick after restart.  MS second level support are now trying a repair but it seems to have failed and they have been on for over 3 hours and have left for the day but said they will try back tomorrow.  The tech said there had been corruption and downloaded IOS to repair.  Just worried I didn't have something really nasty on there that changed the slui.exe 4 numbers and I have now given my pc over to some scammer by giving full control and password via support.me. The number they called me back on although slightly before the agreed time seems to have been microsoft in Redmond main number but I understand many scammers change the caller id.  I wrote an email to the tech to get him to prove he was legit and got a reply from what seemed to be a proper microsoft address. Will post the details below - wait and see I guess

Delivered-To: [email protected]
Received: by 10.221.22.135 with SMTP id qw7csp594798vcb;
        Wed, 5 Nov 2014 01:42:01 -0800 (PST)
X-Received: by 10.68.135.33 with SMTP id pp1mr16173680pbb.120.1415180521137;
        Wed, 05 Nov 2014 01:42:01 -0800 (PST)
Return-Path: <[email protected]>
Received: from smtp.mssupport.microsoft.com (smtp.mssupport.microsoft.com. [131.107.1.44])
        by mx.google.com with ESMTPS id a12si2579744pdm.124.2014.11.05.01.42.00
        for <[email protected]>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Wed, 05 Nov 2014 01:42:00 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 131.107.1.44 as permitted sender) client-ip=131.107.1.44;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 131.107.1.44 as permitted sender) [email protected];
       dmarc=pass (p=NONE dis=NONE) header.from=microsoft.com
Received: from cvgmx2.convergys.com (167.1.158.29) by
 TK5-EXMLT-E801.partners.extranet.microsoft.com (131.107.1.44) with Microsoft
 SMTP Server (TLS) id 8.1.291.1; Wed, 5 Nov 2014 01:42:00 -0800
Received: from mail.agent.cvgs.net (CDCMW14.agent.cvgs.net [10.164.42.133])
	(using TLSv1 with cipher AES128-SHA (128/128 bits))	(No client certificate
 requested)	by cvgmx2.convergys.com (Postfix) with ESMTPS id 3jXjYz61Qnz2Dg1
	for <[email protected]>; Wed,  5 Nov 2014 09:41:59 +0000 (UTC)
Received: from CDCMW13.agent.cvgs.net ([fe80::4554:81a8:60b2:beb2]) by
 CDCMW14.agent.cvgs.net ([::1]) with mapi id 14.02.0387.000; Wed, 5 Nov 2014
 04:41:59 -0500
From: Mukesh Kumar Prasad <[email protected]>
To: Ben Roberts <[email protected]>
Subject: RE: Hi
Thread-Topic: Hi
Thread-Index: AQHP+NynCjLexhTGKU2Rxdqg4dSDw5xRx7ow
Date: Wed, 5 Nov 2014 09:41:59 +0000
Message-ID: <[email protected]>
References: <CAJtMzSGLzTNdUdU329EnisEMCzt8L5721s4T-Jxt8z41XUa4Hw@mail.gmail.com>
In-Reply-To: <CAJtMzSGLzTNdUdU329EnisEMCzt8L5721s4T-Jxt8z41XUa4Hw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.164.34.37]
Content-Type: multipart/alternative;
	boundary="_000_40093505EF7AE5458C0F6C73007E29ED3EF2EA27CDCMW13agentcvg_"
MIME-Version: 1.0
Return-Path: [email protected]

--_000_40093505EF7AE5458C0F6C73007E29ED3EF2EA27CDCMW13agentcvg_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

Q29uZmlybWVkIGVtYWls4oCmDQoNCkZyb206IEJlbiBSb2JlcnRzIFttYWlsdG86Ym1haWw3NkBn
bWFpbC5jb21dDQpTZW50OiBXZWRuZXNkYXksIE5vdmVtYmVyIDUsIDIwMTQgMzoxMSBQTQ0KVG86
IE11a2VzaCBLdW1hciBQcmFzYWQNClN1YmplY3Q6IEhpDQoNCg0K

--_000_40093505EF7AE5458C0F6C73007E29ED3EF2EA27CDCMW13agentcvg_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy
bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt
YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj
cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg
Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv
ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl
PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6
IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAzIDIgNDt9DQpAZm9udC1m
YWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAy
IDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWws
IGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJ
Zm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIixzZXJpZjt9
DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCglj
b2xvcjojMDU2M0MxOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBz
cGFuLk1zb0h5cGVybGlua0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xv
cjojOTU0RjcyOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0Kc3Bhbi5FbWFpbFN0eWxl
MTcNCgl7bXNvLXN0eWxlLXR5cGU6cGVyc29uYWwtcmVwbHk7DQoJZm9udC1mYW1pbHk6IkNhbGli
cmkiLHNhbnMtc2VyaWY7DQoJY29sb3I6IzFGNDk3RDt9DQouTXNvQ2hwRGVmYXVsdA0KCXttc28t
c3R5bGUtdHlwZTpleHBvcnQtb25seTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIsc2Fucy1zZXJp
Zjt9DQpAcGFnZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4waW47DQoJbWFyZ2luOjEu
MGluIDEuMGluIDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3JkU2Vj
dGlvbjE7fQ0KLS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlZGVm
YXVsdHMgdjpleHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48IVtlbmRpZl0tLT48
IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4NCjxv
OmlkbWFwIHY6ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwh
W2VuZGlmXS0tPg0KPC9oZWFkPg0KPGJvZHkgbGFuZz0iRU4tVVMiIGxpbms9IiMwNTYzQzEiIHZs
aW5rPSIjOTU0RjcyIj4NCjxkaXYgY2xhc3M9IldvcmRTZWN0aW9uMSI+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtD
YWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RCI+Q29uZmlybWVkIGVtYWls4oCm
PG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9
ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNl
cmlmO2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz
PSJNc29Ob3JtYWwiPjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5
OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+RnJvbTo8L3NwYW4+PC9iPjxzcGFuIHN0
eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fu
cy1zZXJpZiI+IEJlbiBSb2JlcnRzIFttYWlsdG86Ym1haWw3NkBnbWFpbC5jb21dDQo8YnI+DQo8
Yj5TZW50OjwvYj4gV2VkbmVzZGF5LCBOb3ZlbWJlciA1LCAyMDE0IDM6MTEgUE08YnI+DQo8Yj5U
bzo8L2I+IE11a2VzaCBLdW1hciBQcmFzYWQ8YnI+DQo8Yj5TdWJqZWN0OjwvYj4gSGk8bzpwPjwv
bzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwv
cD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwv
ZGl2Pg0KPC9kaXY+DQo8L2JvZHk+DQo8L2h0bWw+DQo=

--_000_40093505EF7AE5458C0F6C73007E29ED3EF2EA27CDCMW13agentcvg

Edited by alexstrazza, 05 November 2014 - 06:49 AM.

[emeraldnzl]

Okay let's do this:

 

Please download Farbar Recovery Scan Tool from here and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will produce a log called (FRST.txt) in the same directory the tool is run from.
• Please copy and paste log back here.
• The first time the tool is run, it makes also another log (Addition.txt). Please also paste that into your reply.

After that

 

Please run the MGA Diagnostic Tool and post back the report it produces:

• Download MGADiag to your desktop.
• Double-click on MGADiag.exe to launch the program
• Click "Continue"
• Ensure that the "Windows" tab is selected (it should be by default).
• Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
• Paste the MGA Diagnostic Report back here in your next reply.

So when you return please post

FRST.txt

Addition.txt

MGA report