Windows Activation and Project ID not displayed under system information

  • Question

  • It's not that it's saying "Status not available" - it's not displayed at all under system information!

    I was having a problem with "Build 7601 - This copy of windows is not genuine" after I installed a new service pack and I managed to get rid of it by running this program called "removeWAT", if that makes any sense

    After running this the error disappeared but now it doesn't display the status or product ID at all under the system information.  What do I do?  To be honest I probably shouldn't have run it, 'cause I don't really know what I'm doing.

    Can someone help me please.

    Tuesday, April 23, 2013 6:58 PM

All replies

  • RemoveWat is an illegal activation hack. You will have to remove it.

    Download watfix

    Uncheck the download manager, unzip it and run it

    http://www.datafilehost.com/download-b529e21e.html

    then:

    To properly analyze and solve problems with Activation and Validation, we need to see a full copy of the diagnostic report produced by the MGADiag tool (download and save to desktop - http://go.microsoft.com/fwlink/?linkid=52012 )

    Once downloaded, run the tool.

    Click on the Continue button, after a short time, the Continue button will change to a Copy button.

    Click on the Copy button in the tool (ignore any error messages at this point), and then paste (using either r-click/Paste, or Ctrl+V ) into your post. (please do not edit the report.)

    Tuesday, April 23, 2013 7:42 PM
    Answerer
  • Hi George.  Thanks for your prompt reply.  

    OK I removed the "removeWat" and carried out the steps you suggested.  Here's the diagnostic report as requested.  

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0x80070424
    Windows Product Key: *****-*****-WJ2H8-R6B6D-7QJB7
    Windows Product Key Hash: ckKNc+BBPDWmo1LUlOkraNjlQ34=
    Windows Product ID: 00359-OEM-8992687-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {BFDC3C8F-6026-4B6B-AEE8-2066825B909C}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110622-1506
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Standard Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{BFDC3C8F-6026-4B6B-AEE8-2066825B909C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7QJB7</PKey><PID>00359-OEM-8992687-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1311846861-47003359-73108029</SID><SYSTEM><Manufacturer>Acer           </Manufacturer><Model>Aspire 5738                    </Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>V1.16.         </Version><SMBIOSVersion major="2" minor="5"/><Date>20090826000000.000000+000</Date></BIOS><HWID>9E373907018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>A5314378930F070</Val><Hash>soKeskPE8IwArxm2JqLuWWiEQ9A=</Hash><Pid>70141-056-0632897-56850</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80070424' to display the error text.
    Error: 0x80070424 

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 4:2:2013 14:39
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Not Registered - 0x80070424
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAIAAAACAAAAAwABAAEAeqiu3ILDEscicK4mZBNsRykhUECIlEwBRso=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC PTLTD APIC  
      FACP INTEL CRESTLNE
      HPET INTEL CRESTLNE
      BOOT PTLTD $SBFTBL$
      MCFG INTEL CRESTLNE
      SLIC ACRSYS ACRPRDCT
      SSDT BrtRef DD01BRT
      SSDT BrtRef DD01BRT

    Wednesday, April 24, 2013 3:54 PM
  • Have you been running any registry cleaners or "speed up my PC" type of products? If so, name them.
    Wednesday, April 24, 2013 4:06 PM
    Answerer
  • There is a problem with your Software Protection Service - something is preventing it from starting on demand the way it should.

    Please use the following in an attempt to isolate the cause.

     

    Click on Start

    in the Search box, type

    SERVICES.MSC

    and hit the Enter key - accept the UAC prompt if you get one.

    Look in the console for the Software Protection service, right-click on it and select Properties.

    Make sure that the Startup Type is set to Automatic (Delayed Start), and click Apply.

     

    Try starting the service now - do you get an error message?

    Does it start? does it almost immediately stop again?

    Post back with your results, and a new MGADiag report.

     

    If it doesn't start, then please do the following...

    Please open an Elevated (Administrator) Command Prompt window and use the following commands....

     

    net start sppsvc

    sc qc sppsvc

    sc queryex sppsvc

    sc qprivs sppsvc

    sc qsidtype sppsvc

    sc sdshow sppsvc

     

    Copy and paste the output to your reply.

      Here are some instructions to make life easier :)

    1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt. 

    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once. 

    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.     



    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Wednesday, April 24, 2013 5:33 PM
    Moderator
  • Hi Noel 

    The software protection service isn't in the list under services.msc.  I actually checked this yesterday as I remember reading something elsewhere about this being a potential cause of the problem.  

    I ran the commands anyway - here's what I got 

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>net start sppsvc
    The service name is invalid.

    More help is available by typing NET HELPMSG 2185.


    C:\Windows\system32>sc qc sppsvc
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    C:\Windows\system32>sc queryex sppsvc
    [SC] EnumQueryServicesStatus:OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    C:\Windows\system32>sc qprivs sppsvc
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    C:\Windows\system32>sc qsidtype sppsvc
    [SC] OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    C:\Windows\system32>sc sdshow sppsvc



    Wednesday, April 24, 2013 6:10 PM
  • Hi George - No, not that I'm aware of.  I've never seen much use for them.  I always defragment my PC.

    Wednesday, April 24, 2013 6:11 PM
  • That is almost certainly the result of either

    1) using a registry cleaner

    or

    2) a malware infection - probably a form of Sirefef or ZeroAccess.

    Highlight ALL the text (including the blank lines) in the code box, and hit CTRL+C (or right-click and select Copy)

    sc create slsvc binPath= %SystemRoot%\System32\SLsvc.exe DisplayName= "Software Licensing" depend= Rpcss start= auto obj= "NT AUTHORITY\NetworkService" password= ""

    sc privs slsvc SeAuditPrivilege/SeChangeNotifyPrivilege/SeCreateGlobalPrivilege/SeImpersonatePrivilege

    sc sdset slsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    sc sidtype slsvc UNRESTRICTED

     

     

     

    Open an Elevated Command Prompt window - click on the Start button, and in the Search box, type CMD. Wait for the system to find the one file, then right-click on that and select Run as Administrator. Accept the UAC prompt if you get one.

     

    Right-click on the C:\ icon  (top left of the window) and select Edit... >Paste

     

    You should get Success responses after each line of code

     

    when complete, reboot.

     

     

    Test the outcome (MGADiag should now report properly on the state of the license), and post the MGADiag report.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Wednesday, April 24, 2013 6:28 PM
    Moderator
  • Hi Noel 

    I carried out the steps you suggested and still no luck.  It still says the status ID and Product ID is not available.  I've provided another report.  Thanks for your help so far by the way, I appreciate it.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0x80070424
    Windows Product Key: *****-*****-WJ2H8-R6B6D-7QJB7
    Windows Product Key Hash: ckKNc+BBPDWmo1LUlOkraNjlQ34=
    Windows Product ID: 00359-OEM-8992687-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {BFDC3C8F-6026-4B6B-AEE8-2066825B909C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110622-1506
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Standard Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{BFDC3C8F-6026-4B6B-AEE8-2066825B909C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7QJB7</PKey><PID>00359-OEM-8992687-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1311846861-47003359-73108029</SID><SYSTEM><Manufacturer>Acer           </Manufacturer><Model>Aspire 5738                    </Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>V1.16.         </Version><SMBIOSVersion major="2" minor="5"/><Date>20090826000000.000000+000</Date></BIOS><HWID>9E373907018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>A5314378930F070</Val><Hash>soKeskPE8IwArxm2JqLuWWiEQ9A=</Hash><Pid>70141-056-0632897-56850</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80070424' to display the error text.
    Error: 0x80070424 

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 4:2:2013 14:39
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Not Registered - 0x80070424
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MAAAAAEAAQABAAIAAAABAAAAAwABAAEAeqiu3ILDEscicK4mZBNsR1BAiJRMAUbK

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC PTLTD APIC  
      FACP INTEL CRESTLNE
      HPET INTEL CRESTLNE
      BOOT PTLTD $SBFTBL$
      MCFG INTEL CRESTLNE
      SLIC ACRSYS ACRPRDCT
      SSDT BrtRef DD01BRT
      SSDT BrtRef DD01BRT

    Wednesday, April 24, 2013 9:51 PM
  •  - and it still says that the service is not installed :(

    Please run the following commands and post the results.

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\SLSVC

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\SLSVC

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\SPLDR

    Then please download the Farbar Service Scanner from

     

    http://www.bleepingcomputer.com/download/farbar-service-scanner/

     

    Right-click on the saved file and select 'Run as Administrator', and tick all the options, then click on the Scan button - copy and paste the report to your response.

     

     

     


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, April 25, 2013 6:39 AM
    Moderator
  • Hi Noel.  Here's the results from the first set of commands 

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\SLSVC

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SLSVC
        Type    REG_DWORD    0x10
        Start    REG_DWORD    0x2
        ErrorControl    REG_DWORD    0x1
        ImagePath    REG_EXPAND_SZ    C:\Windows\System32\SLsvc.exe
        DisplayName    REG_SZ    Software Licensing
        DependOnService    REG_MULTI_SZ    Rpcss
        ObjectName    REG_SZ    NT AUTHORITY\NetworkService
        RequiredPrivileges    REG_MULTI_SZ    SeAuditPrivilege\0SeChangeNotifyPrivil
    ege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
        ServiceSidType    REG_DWORD    0x1
        DelayedAutostart    REG_DWORD    0x0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SLSVC\Security

    C:\Windows\system32>
    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\SLSVC
    ERROR: The system was unable to find the specified registry key or value.

    C:\Windows\system32>
    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\SPLDR

    And here's the results from FSS 

    Farbar Service Scanner Version: 14-04-2013
    Ran by Pete (administrator) on 25-04-2013 at 12:11:12
    Running from "C:\Users\Pete\Desktop"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Attempt to access Yahoo IP returned error. Yahoo IP is offline
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy: 
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy: 
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy: 
    ============================


    Windows Defender:
    ==============

    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\ipnathlp.dll => MD5 is legit
    C:\Windows\System32\iphlpsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****

    Thursday, April 25, 2013 11:16 AM
  • The last registry query didn't run - please try it again...

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\SPLDR

    post the results.

    Your firewall also appears to be turned off - are you using a third-party firewall?


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, April 25, 2013 2:56 PM
    Moderator
  • My firewall runs off Norton 

    Here's the results:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\SPLDR
    ERROR: The system was unable to find the specified registry key or value.

    C:\Windows\system32>

    Thursday, April 25, 2013 6:01 PM
  • That explains a lot!

    I've been playing pool tonight - so not in a fit state to prescribe :)

    If you haven't heard from me in 24 hrs, SHOUT!


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Thursday, April 25, 2013 10:02 PM
    Moderator
  • Haha 

    No problem buddy.  I'll wait for your response.  Thanks for your help so far.


    Friday, April 26, 2013 10:38 AM
  • Ooops!

    just realised that I'd posted the wrong Key name....

    Please run this command - I've tested it this time :)

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR /s

    post the results.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Friday, April 26, 2013 11:34 AM
    Moderator
  • Here's the results 

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPL
    DR /s

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR
        NextInstance    REG_DWORD    0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000
        Service    REG_SZ    spldr
        Legacy    REG_DWORD    0x1
        ConfigFlags    REG_DWORD    0x400
        Class    REG_SZ    LegacyDriver
        ClassGUID    REG_SZ    {8ECC055D-047F-11D1-A537-0000F8753ED1}
        DeviceDesc    REG_SZ    Security Processor Loader Driver
        Capabilities    REG_DWORD    0x0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPLDR\0000\Control
        ActiveService    REG_SZ    spldr


    C:\Windows\system32>

    Saturday, April 27, 2013 8:46 AM
  • Ok I ran the updated command and this seems to work.  I posted the results in my previous comment.  The second command also seems to fail though?

    Here's what I get when I run the second command 

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Enum\Root\SLSVC
    ERROR: The system was unable to find the specified registry key or value.

    C:\Windows\system32>

    Saturday, April 27, 2013 9:18 AM
  • That one's not supposed to work :) - it's checked there because there's one piece of malware which appears to create the Key to hook into the system before the real SPPSVC gets a chance to start.

    OMIGAWD!

    I just realised what the problem is...

    I've been posting replies suitable for a Vista installation, rather than Windows 7!  (mea culpa!)

    OK - let's correct that....

    Please open an Elevated Command Prompt, and run the following commands....

    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\SLSVC /S

    sc create sppsvc binPath= %SystemRoot%\System32\sppsvc.exe DisplayName= "Software Protection" depend= Rpcss start= delayed-auto obj= "NT AUTHORITY\NetworkService" password= ""

    sc privs sppsvc SeAuditPrivilege/SeChangeNotifyPrivilege/SeCreateGlobalPrivilege/SeImpersonatePrivilege

    sc sdset sppsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    sc sidtype sppsvc UNRESTRICTED

    .

    post the results, and then reboot twice - run another MGADiag report and post that.

    Sorry about the confusion - simply a case of trying to do too many things at once! :(


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    • Marked as answer by MrBandicoot91 Saturday, April 27, 2013 9:52 AM
    Saturday, April 27, 2013 9:36 AM
    Moderator
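
The two security descriptors passed to `sc sdset` in this thread, decoded and compared. This is an added example, not part of the original posts: the function names are hypothetical, the SDDL strings are copied from the commands above, and the rights table is the standard mapping of SDDL codes to service access rights.

```python
import re

# Service-specific meaning of the two-letter SDDL rights codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {
    "SY": "Local System", "BA": "Builtin Administrators",
    "IU": "Interactive users", "SU": "Service logon users",
    "AU": "Authenticated Users", "WD": "Everyone",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACL_NAMES = {"D": "DACL", "S": "SACL"}
# Rights that let the holder reconfigure, delete or re-permission a service.
WRITE_RIGHTS = {"DC", "SD", "WD", "WO"}

# Copied from the thread: the Vista-style slsvc descriptor and the
# Windows 7 sppsvc descriptor.
SLSVC_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SPPSVC_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_sddl(sddl):
    """Split a service SDDL string into a list of ACE dicts (DACL and SACL)."""
    aces = []
    for acl, _flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^()]*\))+)", sddl):
        for fields in re.findall(r"\(([^()]*)\)", body):
            parts = fields.split(";")
            if len(parts) != 6:
                raise ValueError(f"unexpected ACE layout: ({fields})")
            ace_type, flags, rights, _obj, _inherit, trustee = parts
            if ace_type not in ACE_TYPES:
                raise ValueError(f"unsupported ACE type: {ace_type}")
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            unknown = [c for c in codes if c not in SERVICE_RIGHTS]
            if unknown:  # fail closed rather than silently skip a right
                raise ValueError(f"unknown rights codes: {unknown}")
            aces.append({"acl": acl, "type": ace_type, "flags": flags,
                         "rights": codes, "trustee": trustee})
    if not aces:
        raise ValueError("no DACL or SACL found")
    return aces


def allowed_rights(sddl):
    """Trustee -> set of rights granted by allow ACEs in the DACL.
    Deny ACEs are not subtracted; neither string in the thread has any."""
    grants = {}
    for ace in parse_sddl(sddl):
        if ace["acl"] == "D" and ace["type"] == "A":
            grants.setdefault(ace["trustee"], set()).update(ace["rights"])
    return grants


def diff_dacl(old_sddl, new_sddl):
    """Trustee -> (rights added, rights removed) going from old to new."""
    old, new = allowed_rights(old_sddl), allowed_rights(new_sddl)
    changes = {}
    for trustee in sorted(set(old) | set(new)):
        added = sorted(new.get(trustee, set()) - old.get(trustee, set()))
        removed = sorted(old.get(trustee, set()) - new.get(trustee, set()))
        if added or removed:
            changes[trustee] = (added, removed)
    return changes


def risky_grants(sddl, admins=("SY", "BA")):
    """Write-type rights granted to anyone other than SYSTEM/Administrators."""
    return {t: sorted(r & WRITE_RIGHTS)
            for t, r in allowed_rights(sddl).items()
            if t not in admins and r & WRITE_RIGHTS}


def describe(sddl):
    """One readable line per ACE, in the order they appear."""
    return ["{} {} {}: {}".format(
                ACL_NAMES[a["acl"]], ACE_TYPES[a["type"]],
                TRUSTEES.get(a["trustee"], a["trustee"]),
                ", ".join(SERVICE_RIGHTS[c] for c in a["rights"]))
            for a in parse_sddl(sddl)]


if __name__ == "__main__":
    print("\n".join(describe(SPPSVC_SDDL)))
    print("slsvc -> sppsvc:", diff_dacl(SLSVC_SDDL, SPPSVC_SDDL))
    print("non-admin write rights:", risky_grants(SPPSVC_SDDL))
```

The only DACL difference between the two descriptors is SERVICE_START for interactive and service logons plus query-status and start for Authenticated Users. Neither descriptor gives a non-administrator any right to change the service.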
  • Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\SLSVC /S
    ERROR: Invalid syntax.
    Type "REG DELETE /?" for usage.

    C:\Windows\system32>sc create sppsvc binPath= %SystemRoot%\System32\sppsvc.exe D
    isplayName= "Software Protection" depend= Rpcss start= delayed-auto obj= "NT AUT
    HORITY\NetworkService" password= ""
    [SC] CreateService FAILED 1073:

    The specified service already exists.


    C:\Windows\system32>sc privs sppsvc SeAuditPrivilege/SeChangeNotifyPrivilege/SeC
    reateGlobalPrivilege/SeImpersonatePrivilege
    [SC] ChangeServiceConfig2 SUCCESS

    C:\Windows\system32>sc sdset sppsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRP
    WPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;
    ;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    [SC] SetServiceObjectSecurity SUCCESS

    C:\Windows\system32>sc sidtype sppsvc UNRESTRICTED
    [SC] ChangeServiceConfig2 SUCCESS

    C:\Windows\system32>.

    Ok about to reboot

    Saturday, April 27, 2013 9:42 AM
  • Ok and here's the results of the MGA report after rebooting. 

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-WJ2H8-R6B6D-7QJB7
    Windows Product Key Hash: ckKNc+BBPDWmo1LUlOkraNjlQ34=
    Windows Product ID: 00359-OEM-8992687-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {BFDC3C8F-6026-4B6B-AEE8-2066825B909C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110622-1506
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Standard Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\Pete\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{BFDC3C8F-6026-4B6B-AEE8-2066825B909C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-7QJB7</PKey><PID>00359-OEM-8992687-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1311846861-47003359-73108029</SID><SYSTEM><Manufacturer>Acer           </Manufacturer><Model>Aspire 5738                    </Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies LTD</Manufacturer><Version>V1.16.         </Version><SMBIOSVersion major="2" minor="5"/><Date>20090826000000.000000+000</Date></BIOS><HWID>9E373907018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>A5314378930F070</Val><Hash>soKeskPE8IwArxm2JqLuWWiEQ9A=</Hash><Pid>70141-056-0632897-56850</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00178-926-800006-02-1033-7600.0000-2332009
    Installation ID: 015493000263767020935652427986298135541514616310722561
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 7QJB7
    License Status: Licensed
    Remaining Windows rearm count: 2
    Trusted time: 27/04/2013 10:49:34

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 4:2:2013 14:39
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Not Registered - 0x80070424
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MAAAAAEAAQABAAIAAAABAAAAAwABAAEAeqiu3ILDEscicK4mZBNsR1BAiJRMAUbK

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC PTLTD APIC  
      FACP INTEL CRESTLNE
      HPET INTEL CRESTLNE
      BOOT PTLTD $SBFTBL$
      MCFG INTEL CRESTLNE
      SLIC ACRSYS ACRPRDCT
      SSDT BrtRef DD01BRT
      SSDT BrtRef DD01BRT

    Saturday, April 27, 2013 9:50 AM
  • OMG - it worked!!  Now showing as activated and the product ID!!  Thank you so much.  You're a god.  Hope I'm as smart as you some day.  What was the problem then?  Was it a Malware infection?
    Saturday, April 27, 2013 9:52 AM
  • Also - What other problems might this have caused?
    Saturday, April 27, 2013 10:06 AM
  • Let's see if it was malware, and if so, what other damage it did.....

    Please download the Farbar Service Scanner from

    http://www.bleepingcomputer.com/download/farbar-service-scanner/

    Right-click on the saved file and select 'Run as Administrator', and tick all the options, then click on the Scan button - copy and paste the report to your response.

    Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.

    Delete everything it finds

    post back with the results.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Saturday, April 27, 2013 10:13 AM
    Moderator
  • Farbar Service Scanner Version: 14-04-2013
    Ran by Pete (administrator) on 27-04-2013 at 11:17:40
    Running from "C:\Users\Pete\Downloads"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Attempt to access Yahoo IP returned error. Yahoo IP is offline
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy: 
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy: 
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy: 
    ============================


    Windows Defender:
    ==============

    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\ipnathlp.dll => MD5 is legit
    C:\Windows\System32\iphlpsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****

    I'm running the scan now for the malware.  It has detected 6 items so far.  I haven't renewed my Norton since Christmas so it's probably out of date with regards to virus definitions, might this be a potential cause??  

    Saturday, April 27, 2013 10:33 AM
  • Also - Would it be worth turning on my windows firewall as well as my Norton one?

    Saturday, April 27, 2013 10:34 AM
  • You can check the status of Norton in their control panel - do not try to run with both firewalls, as they will end up conflicting.

    Personally, I would uninstall Norton completely, and run their removal tool, then install Microsoft Security Essentials.

    First uninstall Norton using the entry in Programs & Features

    then download the Norton Removal Tool from here https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?lg=english&ct=united+states&docid=20080710133834EN&product=home&version=1&pvid=f-home

    Close all other programs, then run the tool. When it's complete, reboot the machine whether it asks for it or not.

    After the reboot, open an Elevated Command Prompt, and run the following command

    NETSH WINSOCK RESET

    You'll be advised to reboot - do so.

    Then download MSE from here...

    http://windows.microsoft.com/en-GB/windows/security-essentials-download

    It has the big advantage of being free - and almost hassle-free so long as the initial install is OK.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Saturday, April 27, 2013 11:13 AM
    Moderator
  • I just checked my subscription.  It was renewed.  But I haven't run any scans.  I need to look into this.  Here's the report from the malware scanner.  Detected 10 in total.  I've deleted them.  Can you shed any light on this and explain what has happened?  Just so I can avoid the problem in the future.

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.04.27.02

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Pete :: PETE-PC [administrator]

    27/04/2013 11:22:23
    MBAM-log-2013-04-27 (12-40-46).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 396681
    Time elapsed: 1 hour(s), 14 minute(s), 6 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 4
    HKCR\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C} (Adware.ClickPotato) -> No action taken.
    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> No action taken.

    Registry Values Detected: 1
    HKLM\SOFTWARE\Mozilla\Firefox\extensions|ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Data: C:\Program Files (x86)\ClickPotatoLite\bin\10.0.536.0\firefox\extensions -> No action taken.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 1
    C:\ProgramData\IBUpdaterService (PUP.InstallBrain) -> No action taken.

    Files Detected: 4
    C:\$Recycle.Bin\S-1-5-21-1311846861-47003359-73108029-1000\$RSIQWV7.rar (HackTool.Wpakill) -> No action taken.
    C:\$Recycle.Bin\S-1-5-21-1311846861-47003359-73108029-1000\$RZHCXL5.5\RemoveWAT.2.2.5.Hazar.carter67\RemoveWAT.exe (HackTool.Wpakill) -> No action taken.
    C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll (Adware.ClickPotato) -> No action taken.
    C:\ProgramData\IBUpdaterService\repository.xml (PUP.InstallBrain) -> No action taken.

    (end)

    Saturday, April 27, 2013 11:44 AM
  • I see that you didn't remove any of the found items?

    Most of them aren't too bad (just adware) but there are two which MUST be removed or your system is likely to become re-infected.

    HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.

    Both may have come as part of the package when you attempted to use the two activation hacks that are in the Recycle bin :)

    Please run the following command as a final check that the SPPSVC is now properly configured.

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\SPPSVC /S

    post the results and then I think we can say we're done :)


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Saturday, April 27, 2013 2:24 PM
    Moderator
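
Added example, not part of the thread and not Malwarebytes code: a small parser for detection lines in the log format posted above that lists every item still marked "No action taken". Putting Trojan-class detections first is this example's assumption, mirroring the reply above that singles out the two Trojan.Vundo keys; the sample lines are copied from the posted log.

```python
import re
from collections import Counter

# Constructed sample: a subset of the detection lines from the log in this thread.
LOG = r"""
Registry Keys Detected: 4
HKCR\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C} (Adware.ClickPotato) -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> No action taken.
HKLM\SOFTWARE\Mozilla\Firefox\extensions|ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Data: C:\Program Files (x86)\ClickPotatoLite\bin\10.0.536.0\firefox\extensions -> No action taken.
C:\ProgramData\IBUpdaterService (PUP.InstallBrain) -> No action taken.
C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll (Adware.ClickPotato) -> No action taken.
(end)
"""

# item (Class.Family) -> [Data: ... -> ] action.
# The family must contain a dot, so "(x86)" inside a path is never mistaken for it.
DETECTION = re.compile(
    r"^(?P<item>.+?) \((?P<family>[A-Za-z]+\.\w+)\) -> "
    r"(?:Data: .*? -> )?(?P<action>[^>]+?)\.?$")

def parse_detections(log):
    """Return one dict (item, family, action) per detection line; skip headers."""
    found = []
    for line in log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found

def unremediated(log, urgent=("Trojan",)):
    """Detections the scanner reported but did not remove, urgent classes first."""
    left = [d for d in parse_detections(log) if d["action"] == "No action taken"]
    return sorted(left, key=lambda d: d["family"].split(".")[0] not in urgent)

def family_counts(log):
    """How many detections each family accounts for."""
    return Counter(d["family"] for d in parse_detections(log))

if __name__ == "__main__":
    for d in unremediated(LOG):
        print(d["family"], "|", d["item"])
```
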
  • Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\SPPSVC /S

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC
        Type    REG_DWORD    0x10
        Start    REG_DWORD    0x2
        ErrorControl    REG_DWORD    0x1
        ImagePath    REG_EXPAND_SZ    C:\Windows\System32\sppsvc.exe
        DisplayName    REG_SZ    Software Protection
        DependOnService    REG_MULTI_SZ    Rpcss
        ObjectName    REG_SZ    NT AUTHORITY\NetworkService
        DelayedAutostart    REG_DWORD    0x1
        RequiredPrivileges    REG_MULTI_SZ    SeAuditPrivilege\0SeChangeNotifyPrivil
    ege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
        ServiceSidType    REG_DWORD    0x1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC\Security
        Security    REG_BINARY    01001480A0000000AC000000140000003000000002001C0001
    00000002801400FF010F00010100000000000100000000020070000500000000001400FD01020001
    010000000000051200000000001800FF010F0001020000000000052000000020020000000014009D
    010200010100000000000504000000000014009D0102000101000000000005060000000000140014
    00000001010000000000050B000000010100000000000512000000010100000000000512000000


    C:\Windows\system32>

    Sorry, I copied the results before I deleted them.  I'm going to run the malware scanner one last time just for safety.

    Saturday, April 27, 2013 2:31 PM
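
Added example, not part of the thread: a checker that parses pasted `REG QUERY ... /S` output for the SPPSVC key, rejoins values the console wrapped at 80 columns, and compares them with the configuration set by the `sc create`, `sc privs` and `sc sidtype` commands given earlier in the thread. The expected-value table, the assumption that Windows lives in C:\Windows, and all function names are this example's own.

```python
import re
# Constructed sample: a subset of the SPPSVC values posted above, wrap included.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPPSVC
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    C:\Windows\System32\sppsvc.exe
    DependOnService    REG_MULTI_SZ    Rpcss
    ObjectName    REG_SZ    NT AUTHORITY\NetworkService
    DelayedAutostart    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeAuditPrivilege\0SeChangeNotifyPrivil
ege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
    ServiceSidType    REG_DWORD    0x1
"""
VALUE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
# Expected data (lower-cased): own-process service, delayed automatic start,
# depends on Rpcss, unrestricted service SID, runs as NetworkService.
EXPECTED = {"Type": "0x10", "Start": "0x2", "DelayedAutostart": "0x1",
            "DependOnService": "rpcss", "ServiceSidType": "0x1",
            "ObjectName": r"nt authority\networkservice"}
# Assumption: Windows is installed in C:\Windows.
IMAGES = {r"c:\windows\system32\sppsvc.exe", r"%systemroot%\system32\sppsvc.exe"}
PRIVS = {"SeAuditPrivilege", "SeChangeNotifyPrivilege",
         "SeCreateGlobalPrivilege", "SeImpersonatePrivilege"}

def parse_reg_query(text):
    """Return {name: data} for the first key listed, rejoining wrapped lines."""
    values, last, keys = {}, None, 0
    for line in text.splitlines():
        if line.strip().startswith("HKEY_"):
            if keys:              # a second key (e.g. \Security) starts: stop
                break
            keys = 1
        elif keys and (m := VALUE.match(line)):
            last = m.group(1)
            values[last] = m.group(3).strip()
        elif line.strip() and last:   # wrapped continuation of the last value
            values[last] += line.strip()
    return values

def check_sppsvc(values):
    """List every value that differs from the expected service configuration."""
    bad = [f"{k}={values.get(k)!r}" for k, want in EXPECTED.items()
           if (values.get(k) or "").lower() != want]
    if values.get("ImagePath", "").lower() not in IMAGES:
        bad.append(f"ImagePath={values.get('ImagePath')!r}")
    extra = set(values.get("RequiredPrivileges", "").split(r"\0")) ^ PRIVS
    if extra:
        bad.append(f"RequiredPrivileges differ: {sorted(extra)}")
    return bad
```

An empty list from `check_sppsvc(parse_reg_query(SAMPLE))` means the key matches; the `ImagePath` comparison is the one that would expose a service entry pointing at a substituted binary.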
  • There's just the minor error of missing Failure actions....

    Click on the Start button

    In the Search box, type

    services.msc

    and hit the Enter key

    The Services console should open

    Find the Software Protection service and double-click on it.

    Click on the Recovery tab in the resulting popup.

    Set the following settings....

    First failure - Restart the Service

    Second failure - Restart the Service

    Subsequent failures - Take No Action

    Reset fail count after - 1 day

    Restart service after -  2 minutes

    Click Apply, and then OK.

    ...and we're done :)


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Saturday, April 27, 2013 3:03 PM
    Moderator
  • Ok - What does this do?
    Saturday, April 27, 2013 7:40 PM
  • It just ensures that the service restarts properly if it gets blocked for any reason.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Saturday, April 27, 2013 7:57 PM
    Moderator
  • OK excellent.  Thanks again for all your help :)  
    Sunday, April 28, 2013 11:51 AM
  • Good luck :)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    No - I do not work for Microsoft, or any of its contractors.

    Monday, April 29, 2013 9:28 AM
    Moderator