Need to get rid of XP activation hack

Hello experts -

I began working with a new client, and several of their machines have had an XP activation hack applied, a service running as reset 5. It seems as if each machine has individual, valid keys, and the hack was applied by a long-gone temporary guy "just in case" the OEM installations might have to be moved to different hardware "some day".

We need to make this right - get rid of the hack, and get these machines activated. Some have run over a year, with entries every day in the event logs complaining that they needed to be activated, but no other noticeable symptoms. WPA won't even start, so to simply activate them now won't work.

I've found several files and registry entries that appear to be related to the hack, and have done some preliminary testing at getting rid of it. I can get the files and services removed, and the registry entries removed so that it doesn't seem like the hack is running, but I cannot get the WPA to work, to go out and activate with MS. I probably have not found all of the files or regedits that this thing has done....

Does anybody know anything about this hack - reset 5 - and how to get rid of it??
TommaX Asked:

Asta Cu (Technical consultant & graphic design) Commented:
Which Version of XP?  Are you an OEM or someone with limited number of licenses?  More is needed here to help you.
0
Asta Cu (Technical consultant & graphic design) Commented:
If this was a Hack, report it to Microsoft, please.  Listening further, since hacking information is now allowed here.
0
☠ MASQ ☠ Commented:
The "Reset" hacks are pretty insidious. Had a similar issue to the one you're describing & eventually gave up and reinstalled XP.  MS were fine with the legit CD Keys but never got to the bottom of how exactly the hack prevented WPA. Reset 5.02 has been blocked by MS for SP2 apparently. In my case also ended up with two installations which turned out to have been installed from a "Corporate" version!
Reinstalls worked here & saved reinstalling user's software.

@astaec
<<hacking information is now allowed >> ?? I missed this, is there a link you can post??
0


TommaX (Author) Commented:
Thanks MASQUERAID - I really don't have the time right now to figure out how the thing works, either...I guess the sure fix is always to re-install, and that has saved my butt a few times, indeed. Thank God that's possible w/XP, but re-installing is a bit time-consuming and awkward, though, right now.

I have no interest in playing cops, astaec - but I will do the right thing and fix what's wrong once it's my responsibility.....this discussion is about that, and that only.

I'd like to leave this open just a little while for further comments or suggestions to get rid of this thing. If nothing else really comes up, then I'll award the points to MASQUERAID, and re-install.
0
Paul S (Desktop Support Manager / Network Administrator) Commented:
What does this do:

Start Menu > Run > "%windir%\system32\oobe\msoobe.exe" /a
0
TommaX (Author) Commented:
msoobe.exe doesn't do anything....it refuses to run.
0
Asta Cu (Technical consultant & graphic design) Commented:
TommaX -> I would not expect nor want any points here, so however you choose to finalize this is fine by me.  The reason I asked is to ensure Guidelines compliance as noted here: http://www.experts-exchange.com/Operating_Systems/help.jsp#hi100 
0
cwalter9 Commented:
Here is a little trick and some explanation, but I'm not sure if this would save you any time over re-installing. If all the machines are the same hardware and system type then you might just be in luck. If you move hardware components around and swap them in and out of machines you will force a re-activation of the system. You need to get the hardware vote below 7 for desktops:

Activation uses a voting mechanism. There are 10 hardware characteristics used in creating the HWID:

Display Adapter
SCSI Adapter
IDE Adapter
Network Adapter MAC Address
RAM Amount Range (i.e. 0-64 MB, 64-128 MB, etc.)
Processor Type
Processor Serial Number
Hard Drive Device Type
Hard Drive Volume Serial Number
CD-ROM/CD-RW/DVD-ROM

Each characteristic is worth one vote, except the network card (NIC), which is worth three votes. When the current HWID is compared to the original hardware HWID, there must be a vote of 7 or more for the two HWIDs to be considered "in tolerance" on a desktop machine.

If the device is a laptop, additional tolerance is allowed and there need only be 4 matching points. Therefore, if the computer is a laptop and the network card is the same, only one other characteristic must be the same for a total vote of 4.

If the network card is the same, then only 4 additional characteristics must match because the network card is worth 3, for a total of 7 votes. This means, for a desktop system with both SCSI and IDE adapters, you can change five components. If you have only an IDE adapter, you can change four components, assuming you have all the others listed.

If the network card is not the same then, for a desktop machine, a total of 7 votes must be obtained from components other than the network card. So, if you have only an IDE adapter and no SCSI card, you can change one other component besides the NIC, assuming you have all the others listed.

You will also note that there is no mention of the motherboard or its chipset. Only the CPU type and serial number are considered, along with the IDE adapter if it is built in to your motherboard, which is the norm with modern boards. This means that a simple motherboard change may or may not trigger a reactivation, depending on what else you change, such as taking the opportunity to go to a faster processor or add more RAM.

So, as you can see, if you take 2 or 3 systems and move, say, the NIC and hard drive from one computer to another, even though the hardware is the same you would force a re-activation of XP.
0
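The vote arithmetic cwalter9 lays out, written up in Python as an added example (not code from the post, and not Microsoft's WPA implementation): it reproduces the component-change counts given above and evaluates the NIC-plus-hard-drive swap the post ends with. Treating a component the original machine never had (here, no SCSI card) as casting no vote is my assumption; it is the reading that makes the post's numbers come out.

```python
"""Model of the WPA hardware-vote tolerance check described in the post above. Constructed
illustration: field list, weights and thresholds come from the post; treating a component
the original machine never had as casting no vote is an assumption that matches its arithmetic."""

HWID_FIELDS = (
    "display_adapter", "scsi_adapter", "ide_adapter", "nic_mac", "ram_range",
    "cpu_type", "cpu_serial", "hdd_type", "hdd_volume_serial", "optical_drive",
)
VOTES = {field: 1 for field in HWID_FIELDS}
VOTES["nic_mac"] = 3                  # the NIC is the only three-vote component
DESKTOP_THRESHOLD, LAPTOP_THRESHOLD = 7, 4

def threshold(laptop):
    return LAPTOP_THRESHOLD if laptop else DESKTOP_THRESHOLD

def hwid_votes(original, current):
    """Votes the current hardware casts for the HWID recorded at activation."""
    votes = 0
    for field, weight in VOTES.items():
        recorded = original.get(field)
        if recorded is not None and recorded == current.get(field):
            votes += weight
    return votes

def in_tolerance(original, current, laptop=False):
    """True when WPA would still accept the machine without reactivation."""
    return hwid_votes(original, current) >= threshold(laptop)

def max_other_changes(machine, nic_same, laptop=False):
    """How many non-NIC components may change before reactivation is forced."""
    available = sum(weight for field, weight in VOTES.items()
                    if machine.get(field) is not None and (nic_same or field != "nic_mac"))
    return max(available - threshold(laptop), 0)

# Constructed desktop: onboard IDE, no SCSI card (the post's "only an IDE adapter" case).
ORIGINAL = {
    "display_adapter": "gpu-model-a", "scsi_adapter": None, "ide_adapter": "onboard-ide",
    "nic_mac": "00:11:22:33:44:55", "ram_range": "256-512MB", "cpu_type": "x86-family-6",
    "cpu_serial": "cpu-0001", "hdd_type": "ide-disk-model-a", "hdd_volume_serial": "vol-0001",
    "optical_drive": "dvd-rom-model-a",
}

if __name__ == "__main__":
    # Move another identical machine's NIC and hard drive in, as the post suggests.
    swapped = dict(ORIGINAL, nic_mac="66:77:88:99:aa:bb", hdd_volume_serial="vol-0002")
    print("votes after NIC + disk swap:", hwid_votes(ORIGINAL, swapped),
          "still in tolerance:", in_tolerance(ORIGINAL, swapped))
    print("other changes allowed with the same NIC / a new NIC:",
          max_other_changes(ORIGINAL, nic_same=True), max_other_changes(ORIGINAL, nic_same=False))
```

Under these numbers a swap of another identical machine's NIC and drive lands on exactly 7 votes when the replacement drive reports the same device type, so the drive type (or any third component) also has to differ before the swap forces reactivation.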
☠ MASQ ☠ Commented:
@astaec - Aha! <noT allowed> :)
This is not about hacking but removing a hack from XP to allow it to install legitimately.

@The_Computer_Guru_777/cwalter9
Not sure about TommaX's installation but Reset seems to prevent WPA accepting registration even if you try to invoke the Activation Wizard using "%windir%\system32\oobe\msoobe.exe" /a.

Interested to see if the hardware changes would do it although they should invoke the same process because of the database change & have to say changing enough hardware to do this might take more time than an unattended repair/reinstall.

Still listening ...
0
cwalter9 Commented:
The time of swapping was my main concern with recommending the hardware swap ;(

And like you said if it just kicks off the same old wizard nothing much would be different. Maybe though if the system thinks it needs to register maybe it would force it. If not then there isn't much that could be done in a short amount of time.

If you want to find out for sure what is changed with the hack you could copy all of the files from a clean system and then all from a hacked system over to a Linux or Unix box and run some diff and compares and see what was changed. But all roads lead to a good amount of time figuring out exactly what was changed by Reset.
0
WhitePhantom (IT Professional) Commented:
Put a WinXP CD in the drive that has integrated the same service pack as that which is installed on the computer, go to a command prompt, and type "sfc /scannow". Let it replace all the files it finds that are different.

WP
0
TommaX (Author) Commented:
Thanks, all, who offered their assistance with this.

We started the in-place re-installs, have a couple of machines done and properly activated now.

Nothing seemed to force the WPA to run, though, so the re-install was the only way to deal with this....it is pretty insidious, as MASQUERAID mentioned.

Thanks again!
0
Bill K (IT Manager) Commented:
Most of the hacks working now replace/rewrite the bytes of the winlogon.exe file. Believe it or not, the hack "usually" slaps a .bak extension on the original winlogon file upon replacement. I won't say any more... I like it here ;)


Advice: find winlogon.bak on the hacked PC, or go to an unhacked XP machine and copy winlogon.exe to the hacked machines :)

This will get WPA up and going again.

0
orphicfireball Commented:
You could try installing service pack 2 on these machines.  Microsoft builds their service packs so that they repair activation cracks.
0
jer2eydevil88 Commented:
Two things you can try to do that are relatively simple and should work.

Reboot into safe mode and attempt to run the activation then (if the activation hack is killing the process then this would get around it).

Try to use the Windows XP CD to repair the current installation. This will fix it, but the cost is you lose all the Windows updates and possibly some drivers. I suggest this as a last resort below a full clean restore.

Then again you could try and find the hack the old guy used (maybe contact him) and see if there is a remove feature :).
0
Mooligan Commented:
For what it's worth, I removed this from a client's computer recently.

After SP2 was installed he was receiving warnings that he had to activate, he ignored it until enough time had passed and he was locked out of his system. I was able to get back in by calling the MS activation phone number and activating using his XP OEM cd key located on the bottom of the laptop. While this did get me in and say that it was a successful activation, after a reboot I would be deactivated again.

To fix it I removed all references to reset5. To do so, disable the service, run a search on your PC for reset5, and remove any files found. I believe there were 2 DLLs.

Next search the registry and remove all references, there were quite a number. After doing this the activation request was gone on startup and everything was back to normal.

0
tonyteri Commented:
Enter the valid key in the registry hive and then activate it.
0
stevent10993 Commented:
Thanks to Mooligan for your advice; I too needed to get rid of this insidious hack and was able to using your suggestions. I deleted all the reset5 files, removed the registry reference, and ran the activation app fine. Further, many reboots later, all still seems fine.

One thing bugs me though. The reset service, disabled as it is, still shows up in the services window. Looking further, I see it loads a file: srvany.exe, located in the Windows\System32 folder.

Any idea how to get rid of this thing completely?

Thanks,

Steven
0
TommaX (Author) Commented:
@stevent10993

I found that reset5 creates entries for itself in three different locations in the registry - just do a search for reset5 from 'my computer' down, and hit 'find next' until all of its hiding places have been found. Deleting all of these registry entries  was enough to delete the entry from the services window in all of the infected machines that I found....
0
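Mooligan's and TommaX's clean-up both come down to finding every reset5 / reset 5 / srvany.exe reference left in the registry. As an added example (not a tool from the thread), here is a Python scan over a text export such as `reg export HKLM\SYSTEM system.reg` writes, run on a constructed sample; it decodes REG_EXPAND_SZ values, which the export stores as hex pairs, so a service ImagePath pointing at srvany.exe is found where a plain text search of the file would miss it.

```python
"""Scan a 'reg export' dump for reset5 / srvany.exe references (constructed example, not a
thread tool). Decodes hex(2)/hex(7) UTF-16LE values, which a plain text search would miss."""
import re

INDICATORS = ("reset5", "reset 5", "srvany.exe")

# Constructed sample export: a service whose ImagePath (REG_EXPAND_SZ, exported as
# UTF-16LE hex pairs) launches srvany.exe, plus a plain-text Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\reset 5]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,72,00,76,00,61,00,\
  6e,00,79,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="reset 5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Helper"="C:\\WINDOWS\\system32\\reset5.exe"
'''

def decode_value(data):
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if not m:                            # quoted string or dword: unescape backslashes
        return data.strip('"').replace("\\\\", "\\")
    raw = bytes.fromhex(m.group(2).replace(",", ""))
    if m.group(1) in ("2", "7"):         # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        return raw.decode("utf-16-le", "replace").replace("\x00", " ").strip()
    return raw.hex()

def parse_reg(text):
    """Yield (key, value_name, decoded_value); key lines yield empty name and value."""
    key, pending = "", ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and not pending:
            key = line[1:-1]
            yield key, "", ""
            continue
        pending += line.rstrip("\\")     # a trailing '\' continues the data on the next line
        if line.endswith("\\"):
            continue
        name, _, data = pending.partition("=")
        pending = ""
        yield key, name.strip('"'), decode_value(data)

def find_indicators(text):
    """Key lines are matched on their path, value lines on their name plus decoded data."""
    return [(key, name, value) for key, name, value in parse_reg(text)
            if any(ind in (key if not name else f"{name} {value}").lower() for ind in INDICATORS)]
```

Each hit is a key path plus value name, which is exactly what needs deleting by hand after the service has been disabled; srvany.exe itself, noted by stevent10993, shows up through the decoded ImagePath.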
stevent10993 Commented:
I failed to find the other listing as I was only using regedit. When I used a new registry editor, Reg Work (which I just bought), I found a whole lot more.

I also traced the srvany.exe file back and deleted it, as well as another reset file in system32.

BTW, what stumped me was your "reset5." When I looked at the services window, it read "reset 5."

What a difference a space makes <grin>.

Thanks again.

Steven
0
Peter_in_oz Commented:
I have found with machines that have WPA hacks on them that installation of SP1 after the hack (or SP2 for that matter) will disable the WPA hack. Now, I would suspect that not all WPA hacks are the same, but some simply replace a couple of Windows XP files, and the Service Packs overwrite these files with new ones, thereby eliminating the hack and re-enabling the need to activate.

At least that is what has happened when I have done it.
0