windows7 update fails 80070426, MGADiag report

  • Question

  • I found instructions about downloading and running MGADiag. The report is below. On Wednesday 6/15, I started doing an update. I think there were about 17 updates. After it did some of them, it failed. Multiple reboots etc. have not helped. I found posts about 80070426, and they mentioned things like Software License Services -- but that does not seem to exist on W7.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {133F70CE-106D-478E-BE0B-A1F6328D0AEE}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110408-1631
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: proxy.proxy.lucent.com:8000
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{133F70CE-106D-478E-BE0B-A1F6328D0AEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
    Installation ID: 012096535692831173840681899194722295701916732953652420
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 6/17/2011 10:49:33 AM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE2
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:9:2011 17:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   COMPAQ  IBEXPEAK
      FACP   COMPAQ  IBEXPEAK
      HPET   COMPAQ  IBEXPEAK
      MCFG   COMPAQ  IBEXPEAK
      ASF!   COMPAQ  IBEXPEAK
      TCPA   COMPAQ  IBEXPEAK
      SLIC   HPQOEM  SLIC-BPC
      DMAR   COMPAQ  IBEXPEAK

     

    Friday, June 17, 2011 3:02 PM
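The `Hr` values in the report are HRESULTs, and decoding them shows what the File Scan section is actually reporting. The sketch below is an added example, not part of the original post or of MGADiag; the function names are hypothetical, and the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

FACILITY_WIN32 = 7

# Win32 error codes seen in this thread (values from winerror.h and wininet.h).
WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    1062: "ERROR_SERVICE_NOT_ACTIVE",          # "The service has not been started."
    1079: "ERROR_DIFFERENT_SERVICE_ACCOUNT",
    12002: "ERROR_INTERNET_TIMEOUT",
}

MISMATCH_RE = re.compile(
    r"File Mismatch:\s*(?P<path>.+?)\[(?P<ver>[^\]]+)\],\s*Hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]{8})"
)

# Three lines copied from the File Scan section of the report above.
SAMPLE = r"""
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426
"""


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code, name)."""
    value &= 0xFFFFFFFF
    failed = bool(value >> 31)           # severity bit
    facility = (value >> 16) & 0x7FF     # 11-bit facility field
    code = value & 0xFFFF                # low 16 bits: the wrapped error code
    if facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code, "unknown")
    else:
        name = "non-Win32 facility"
    return failed, facility, code, name


def group_mismatches(report):
    """Map each HRESULT in the File Scan section to the files reporting it."""
    groups = defaultdict(list)
    for m in MISMATCH_RE.finditer(report):
        groups[int(m.group("hr"), 16)].append(m.group("path"))
    return dict(groups)


def triage(report):
    """Return a one-line reading of the File Scan section."""
    groups = group_mismatches(report)
    if not groups:
        return "clean: no File Mismatch entries"
    if len(groups) == 1:
        (hr, files), = groups.items()
        failed, facility, code, name = decode_hresult(hr)
        if failed and facility == FACILITY_WIN32 and code == 1062:
            # Every file failing with the same service error points at the
            # check itself not running, not at individually altered files.
            return (f"{len(files)} files, all {name} ({code}): "
                    "a required service was not running during the scan")
    return "mixed results: review each file individually"


if __name__ == "__main__":
    print(decode_hresult(0x80070426))
    print(triage(SAMPLE))
```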

Answers

  • Hello.  I think this is fixed, but it's weird.  The short description of what I did is to change Cryptographic Services to log in using "Network Services"; it was set up using the upper radio button: Local System account.

    Here's how I got there... take everything I say with a grain of salt, because I'm really just a kid using grownup words I don't understand.

    Following your suggestion, I went to http://supportservices.microsoft.com/support/services/virus_malware_removal and worked with one agent. After a while, she kicked me on to a higher level expert.  Not sure if it's appropriate to drop his id, so I'll leave it out.

    At some point, he started to focus on cryptographic services; it was not running.  When he tried to start it from the services panel, it failed with error 1079.  The error text is roughly "the account specified for this service is different from account specified for other services running in the same process".  NOTE: in retrospect, there was a big indication of this issue... I was surprised that when we ran various items such as services.msc, Windows warned me the publisher was unknown. Now, I assume it couldn't verify the signature.

    After poking around a bit more, the second expert decided there was probably nothing else to do without getting my IT group involved, and we ended that chat session.

    I tried to figure out what process it might be that handles crypto services. Then I searched around and came up with another blackviper page: http://www.blackviper.com/wiki/Cryptographic_Services.  I noticed that it says the Log On As is "Network Service".  (Now that I look at this again, I see there are multiple sections for different Windows versions, and at least some of those specify Local System Account.  But I was lucky and focused on the Windows 7 section without realizing it.)

    So I looked at the properties for other things that are started as network services.  Then I modified the properties of cryptographic services to log in as Network Services.  I just cleared out the password fields.  After this, I was able to start crypto.

    Following this, I ran Microsoft Update and picked a single Windows patch to install.  It worked. I had to reboot.  Since then, I have done 2 more updates and have now installed everything.

    ** SO I don't know how this change happened.  Maybe it was something pushed by our corporate IT group; I think this is done with "SMS", but again, it's not something I understand. 

    Finally, I ran MGADiag again.  It's healed!  I will ask the other guy here who has the same PC to check his crypto service setup.  He told me he ran an update recently without problems, so I don't know why his worked.

    Finally finally: it's still the case that "sc queryex sppsvc" will show state STOPPED after I've been up for a while.  I wasn't running this repeatedly, so I don't know if it was up when I logged in and then went away.

    Thanks again for all the suggestions and hand-holding.  If there's anything else you want me to examine, or you have suggestions about things I should ask our IT people, please let me know.

    Ned

    MGADiag output:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110408-1631
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: proxy.proxy.lucent.com:8000
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
    Installation ID: 012096535692831173840681899194722295701916732953652420
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 6/21/2011 4:40:11 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE2
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:9:2011 17:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   COMPAQ  IBEXPEAK
      FACP   COMPAQ  IBEXPEAK
      HPET   COMPAQ  IBEXPEAK
      MCFG   COMPAQ  IBEXPEAK
      ASF!   COMPAQ  IBEXPEAK
      TCPA   COMPAQ  IBEXPEAK
      SLIC   HPQOEM  SLIC-BPC
      DMAR   COMPAQ  IBEXPEAK

     

    Tuesday, June 21, 2011 9:03 PM
  • "Ned Kittlitz" wrote in message news:c68e6ec2-5818-4bef-afe4-fa76cc3b207c...

    Give that man a banana!
     
    Well done and thank you VERY much for coming back to us with this report!
    This at least gives us somewhere to start with the process of troubleshooting the other threads in future.
    Can you do me a favour and run the following commands for me?
     
    sc qc cryptsvc
    sc queryex cryptsvc
    sc qprivs cryptsvc
    sc qsidtype cryptsvc
    sc sdshow cryptsvc
     
    (I can then check it against my default system and see if there's any nasty gotchas that may catch up with either you or others at a later date.)
     
    Well done again!

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Ned Kittlitz Friday, June 24, 2011 3:17 PM
    Tuesday, June 21, 2011 9:26 PM
    Moderator
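Error 1079 concerns services that share one host process but are configured with different logon accounts, which is what the `sc qc` output requested above would reveal. This added example (not from the thread or from Microsoft) parses `sc qc` text and flags that condition; the sample output is constructed, and the sibling services and svchost group shown in it are assumptions.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")

# Constructed sample: concatenated `sc qc <name>` output for four services.
# Service names, paths and accounts here are illustrative assumptions.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        DISPLAY_NAME       : Cryptographic Services
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        DISPLAY_NAME       : DNS Client
        DEPENDENCIES       : Tdx
                           : nsi
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: lanmanworkstation
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k NetworkService
        DISPLAY_NAME       : Workstation
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: schedule
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Task Scheduler
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Parse concatenated `sc qc` output into {service: {field: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # banner lines and DEPENDENCIES continuation lines
        key, value = m.groups()
        if key == "SERVICE_NAME":
            current = services.setdefault(value.lower(), {})
        elif current is not None:
            current[key] = value
    return services


def shared_process_conflicts(services):
    """Return {host: {account: [services]}} for shared hosts with >1 account."""
    hosts = defaultdict(lambda: defaultdict(list))
    for name, cfg in services.items():
        if "WIN32_SHARE_PROCESS" not in cfg.get("TYPE", ""):
            continue  # the 1079 text is about services sharing a process
        # Paths and account names are case-insensitive on Windows.
        host = " ".join(cfg.get("BINARY_PATH_NAME", "").lower().split())
        account = cfg.get("SERVICE_START_NAME", "").lower()
        hosts[host][account].append(name)
    return {h: {a: sorted(s) for a, s in accts.items()}
            for h, accts in hosts.items() if len(accts) > 1}


def odd_ones_out(accounts):
    """Services whose account differs from the most common one in the host."""
    top = max(len(s) for s in accounts.values())
    leaders = [a for a, s in accounts.items() if len(s) == top]
    if len(leaders) > 1:
        # Tie: the configuration alone cannot say which side is wrong.
        return sorted(n for s in accounts.values() for n in s)
    return sorted(n for a, s in accounts.items() if a != leaders[0] for n in s)


def audit(text):
    """Map each conflicting shared host to the services to review first."""
    conflicts = shared_process_conflicts(parse_sc_qc(text))
    return {host: odd_ones_out(accts) for host, accts in conflicts.items()}


if __name__ == "__main__":
    for host, names in audit(SAMPLE_SC_QC).items():
        print(f"{host}: review logon account of {', '.join(names)}")
```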

All replies

  • "Ned Kittlitz" wrote in message news:14f6a323-5f45-4f0f-b2e0-63e69e6359ac...

    It's the Software Protection Service that you need to look for - SPPSVC :)
    (Software Licensing Service was the Vista name for much the same thing)
     
    You have a HUGE number of disabled services here (which I've never seen before) and I can't believe that your system is actually running with that many disabled, so I suspect that it's either corruption or malware issues.
     

    Try a CHKDSK, followed by an SFC, as follows.
     
    Click on the Start button
    type in the Search box
    CMD.EXE
    right-click on the only file that is found
    Select Run as Administrator
    - the Elevated Command Prompt window should pop up
    At the Command prompt, type
    CHKDSK   C:   /R
    and hit the Enter key
    You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot. The chkdsk will take a few hours depending on the size of the drive, so be patient!
     
    After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC
     
    SFC -System File Checker - Instructions
    Click on the Start button
    type in the Search  box
    CMD.EXE
    right-click on the only file that is found
    Select Run as Administrator
     - the Elevated Command Prompt window should pop up
    At the Command prompt, type
     
    SFC   /SCANNOW
     
    and hit the Enter key
    Wait for the scan to finish - make a note of any error messages - and then reboot.
     
    Run another MGADiag report, and post the results.
     
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 17, 2011 3:20 PM
    Moderator
  • Hello.  Thank you for the response.  The chkdsk took a little over an hour.  For much of it, I saw a file count of 119680.  Then in stage 4, it dropped to 119664 (16 fewer).  I note that there are 17 error lines in the MGADiag report.

    After I ran sfc, it told me to look in the CBS.log file.  I've never seen that before.  There are a lot of entries over multiple days, although the first entry is probably around the time I first got the problem - June 15 11:33:34.  Even looking at just the lines starting today around 13:21, there's a lot of stuff. I'm not sure how to condense it.

    After rerunning MGADiag, the data looks similar to me.

    As far as malware --- well, there is corporate IT, and they have some administrative control mechanism.  They will sometimes install software, control antivirus things, etc.  And we're mostly XP, although I recently learned that there is some kind of corporate W7 image.  But the PC I have was ordered independently, which of course means that our IT group refuses to support it.

    Another thing I notice is that the McAfee antivirus icon in the system tray says it's disabled... and because of that admin control, I can't even try to re-enable it.  Yesterday, it was disabled too, and then this morning it was on; so I don't know if there was an administrative action overnight.

    One other thing ...  I've come in to work several times in the past weeks to find the PC has rebooted.  I assumed it was power failure, but maybe not.  I think that happened earlier this week.

    Ned

    Friday, June 17, 2011 5:52 PM
  • McAfee icon in system tray recently switched to "enabled".  No idea why..

    Also, it's an HP-PC, and so it seems there is some other kind of maintenance software installed that might be doing things.

    In fact, probably everybody in the world except me is allowed to do something or another on this box.

    Friday, June 17, 2011 6:09 PM
  • "Ned Kittlitz" wrote in message news:133abd82-bc10-46f0-8336-c52f6d4c8666...

    Hello.  Thank you for the response.  The chkdsk tool took a little over an hour.  For much of it, I saw a file count of 119680.  Then in stage 4, it dropped to 119664 (16 fewer).  I note that there are 17 error lines in the MGADiag report.

    After I ran sfc, it told me to look in the CBS.log file.  I've never seen that before.  There are a lot of entries over multiple days, although the first entry is probably around the time I first got the problem - June 15 11:33:34.  Even looking at just the lines starting today around 13:21, there's a lot of stuff. I'm not sure how to condense it.

    After rerunning MGADiag, the data looks similar to me.

    As far as malware --- well, there is corporate IT, and they have some administrative control mechanism.  They will sometimes install software, control antivirus things, etc.  And we're mostly XP, although I recently learned that there is some kind of corporate W7 image.  But the PC I have was ordered independently, which of course means that our IT group refuses to support it.

    Another thing I notice is that the McAfee antivirus icon in the system tray says it's disabled... and because of that admin control, I can't even try to re-enable it.  Yesterday, it was disabled too, and then this morning it was on; so I don't know if there was an administrative action over night. 

    One other thing ...  I've come in to work several times in the past weeks to find the PC has rebooted.  I assumed it was power failure, but maybe not.  I think that happened earlier this week.

    Ned

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 6/17/2011 1:36:57 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE2

     


    OK - nothing has changed in the report so we'll have to do some digging.
     
    Please open a Command Prompt window and use the following commands....
     
    sc qc sppsvc
    sc queryex sppsvc
    sc qprivs sppsvc
    sc qsidtype sppsvc
    sc sdshow sppsvc
     
    copy and paste the results into your response.
    This may show us what's wrong with at least one of the files.
     
    Don't worry too much about McAfee yet - I take it that it's a corporate version rather than retail?
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 17, 2011 7:09 PM
    Moderator
  • I appreciate the quick responses. it's 1517 US EDT (1917 UTC), and I must leave work in about 30 minutes.  Then I'm not sure if I'll be able to do things via remote desktop from home. so it may be next week before I can proceed.

    You didn't mention "run as administrator", so I just did the normal run.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\nkittlit>sc qc sppsvc
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: sppsvc
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START  (DELAYED)
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\sppsvc.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Software Protection
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : NT AUTHORITY\NetworkService

    C:\Users\nkittlit>sc queryex sppsvc

    SERVICE_NAME: sppsvc
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :

    C:\Users\nkittlit>sc qprivs sppsvc
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: sppsvc
            PRIVILEGES       : SeAuditPrivilege
                             : SeChangeNotifyPrivilege
                             : SeCreateGlobalPrivilege
                             : SeImpersonatePrivilege

    C:\Users\nkittlit>sc qsidtype sppsvc
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: sppsvc
    SERVICE_SID_TYPE:  UNRESTRICTED

    C:\Users\nkittlit>sc sdshow sppsvc

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO
    CRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)

    C:\Users\nkittlit>

    Friday, June 17, 2011 7:19 PM
  • "Ned Kittlitz" wrote in message news:a756207d-1790-41a4-8d80-44e48656268f...

    I appreciate the quick responses. it's 1517 US EDT (1917 UTC), and I must leave work in about 30 minutes.  Then I'm not sure if I'll be able to do things via remote desktop from home. so it may be next week before I can proceed.

    You didn't mention "run as administrator", so I just did the normal run.



    It's only when you need to make changes that you need the Admin privileges.
    Very odd - everything looks pretty normal, except for the fact that the service is indeed switched off.
     
    Open an Admin command window - use the following command
    net start sppsvc
    what happens?

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 17, 2011 7:27 PM
    Moderator
  • BTW - I **really** want to get to the bottom of this one - this set of files often comes up in this forum, although with a different error tag.
    I reckon this could be a wonderful case to see what the commonality is.

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 17, 2011 7:31 PM
    Moderator
  • it started successfully.   I'm not a windows expert, but I ran services.msc and now I see Software Protection, and it's started.  I could swear it wasn't even there before.
    Friday, June 17, 2011 7:32 PM
  • well, I can poke around and do other experiments if you want... or I could try running windows/microsoft update again.
    Friday, June 17, 2011 7:34 PM
  • "Ned Kittlitz" wrote in message news:07fcee36-5bb4-427d-a65a-7ed00053c111...
    well, I can poke around and do other experiments if you want... or I could try running windows/microsoft update again.

    Not until after a reboot, you can't! :)
    Please run another MGADiag report before and after the reboot - post both.
     
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 17, 2011 7:50 PM
    Moderator
  • here is the one before the reboot. 

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {133F70CE-106D-478E-BE0B-A1F6328D0AEE}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110408-1631
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: proxy.proxy.lucent.com:8000
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{133F70CE-106D-478E-BE0B-A1F6328D0AEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
    Installation ID: 012096535692831173840681899194722295701916732953652420
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 6/17/2011 3:52:35 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE2
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:9:2011 17:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   COMPAQ  IBEXPEAK
      FACP   COMPAQ  IBEXPEAK
      HPET   COMPAQ  IBEXPEAK
      MCFG   COMPAQ  IBEXPEAK
      ASF!   COMPAQ  IBEXPEAK
      TCPA   COMPAQ  IBEXPEAK
      SLIC   HPQOEM  SLIC-BPC
      DMAR   COMPAQ  IBEXPEAK

     

    Friday, June 17, 2011 7:56 PM
  • after the reboot.  from my quick scans, things don't seem to change.

    should I attempt the update now?  I need to leave work in less than 15 minutes.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {133F70CE-106D-478E-BE0B-A1F6328D0AEE}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110408-1631
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: proxy.proxy.lucent.com:8000
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x80070426
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{133F70CE-106D-478E-BE0B-A1F6328D0AEE}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
    Installation ID: 012096535692831173840681899194722295701916732953652420
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 6/17/2011 4:00:36 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE2
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:9:2011 17:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   COMPAQ  IBEXPEAK
      FACP   COMPAQ  IBEXPEAK
      HPET   COMPAQ  IBEXPEAK
      MCFG   COMPAQ  IBEXPEAK
      ASF!   COMPAQ  IBEXPEAK
      TCPA   COMPAQ  IBEXPEAK
      SLIC   HPQOEM  SLIC-BPC
      DMAR   COMPAQ  IBEXPEAK

     

    Friday, June 17, 2011 8:02 PM
  • "Ned Kittlitz" wrote in message news:5ffa2e2c-c7a4-403a-bcae-a097ae307b0e...

    here is the one before the reboot. 

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048

    File Scan Data-->
    <snip>

    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
    <snip>


    I'll guess that after the reboot, it'll not be running again - if so, then please start it again, wait 10 minutes, and then use the
    SC QUERYEX SPPSVC
    command again - if it says that it's stopped, we can probably assume that it's the action of some form of malware.
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 17, 2011 8:04 PM
    Moderator
  • if I'm doing this right.... run services.msc.  I see "Software Protection"  status is started. startup type is Automatic (delayed start). Logon as network service.

    (I can't see any way to copy/paste the actual line from the app)

    Since I need to leave soon, I'll try to check on this later and see if it is still running.  If so, I'll try the update.

    Friday, June 17, 2011 8:08 PM
  • by the way, I meant to say that it was already running. I didn't start it.
    Friday, June 17, 2011 8:09 PM
  • I forgot to ask... is there any way to get a detailed report on the issues found with the files? or to do something like an md5 checksum and compare it with an expected value?  since I'm not win-ignorant, maybe it's even looking at other stuff like registry values even though the message just says "file mismatch".
    Friday, June 17, 2011 8:11 PM
  • sorry, now that I actually READ your instructions, I see that it was stopped.  I started it and it seemed OK.  So I'll try to check on it later from home.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>sc queryex sppsvc

    SERVICE_NAME: sppsvc
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :

    C:\Windows\system32>net start sppsvc
    The Software Protection service is starting.
    The Software Protection service was started successfully.

    C:\Windows\system32>sc queryex sppsvc

    SERVICE_NAME: sppsvc
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 2932
            FLAGS              :

    C:\Windows\system32>

    Friday, June 17, 2011 8:19 PM
  • "Ned Kittlitz" wrote in message news:c1b37e86-072f-4c57-b301-6ee94f3d3c13...
    I forgot to ask... is there any way to get a detailed report on the issues found with the files? or to do something like an md5 checksum and compare it with an expected value?  since I'm not win-ignorant, maybe it's even looking at other stuff like registry values even though the message just says "file mismatch".

    If only.......
    The problem with those files is simply that they are not running - and Windows seems to think that they should be :)
    I'm going to have some fun this weekend and see if I can come up with something to duplicate the errors and solve them.
    At least I have more information than I did a couple of hours ago to base some work on.
     
    Thanks for sticking with it!

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 17, 2011 8:26 PM
    Moderator
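The `Hr` values in the MGADiag report are HRESULTs, and splitting them into facility and code shows what each "File Mismatch" line is actually reporting: 0x80070426 is Win32 error 1062, ERROR_SERVICE_NOT_ACTIVE, which fits a stopped service. This is an added example, not part of any post in the thread; the function names are hypothetical and the error table lists only the codes that appear in this report.

```python
import re
from collections import Counter

# Win32 error codes seen in this thread's report (winerror.h / wininet.h values).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    1062: "ERROR_SERVICE_NOT_ACTIVE",  # "The service has not been started."
    12002: "ERROR_INTERNET_TIMEOUT",
}
FACILITY_WIN32 = 7

# Excerpt copied from the MGADiag report posted in this thread.
REPORT_EXCERPT = r"""
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80070426
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80070426
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x80070426

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x80072EE2
"""

MISMATCH_RE = re.compile(
    r"File Mismatch:\s*(?P<path>.+?)\[(?P<version>[\d.]+)\],"
    r"\s*Hr = (?P<hr>0x[0-9A-Fa-f]{8})"
)
HR_FIELD_RE = re.compile(
    r"^\s*(?P<field>Hr\w+):\s*(?P<hr>0x[0-9A-Fa-f]{8})\s*$", re.M
)


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code, name)."""
    failed = bool(value & 0x80000000)   # severity bit
    facility = (value >> 16) & 0x7FF    # 11-bit facility field
    code = value & 0xFFFF               # low 16 bits
    if value == 0:
        name = "S_OK"
    elif facility == FACILITY_WIN32:
        name = WIN32_ERRORS.get(code, "unlisted Win32 error %d" % code)
    else:
        name = "facility %d, code %d" % (facility, code)
    return failed, facility, code, name


def summarize(report):
    """Collect File Mismatch entries and Hr* fields from a report's text."""
    mismatches = [
        (m["path"], m["version"], int(m["hr"], 16))
        for m in MISMATCH_RE.finditer(report)
    ]
    return {
        "mismatches": mismatches,
        "by_hresult": Counter(hr for _, _, hr in mismatches),
        "fields": {m["field"]: int(m["hr"], 16) for m in HR_FIELD_RE.finditer(report)},
    }


if __name__ == "__main__":
    summary = summarize(REPORT_EXCERPT)
    for hr, count in summary["by_hresult"].items():
        print("%d file(s) with 0x%08X -> %s" % (count, hr, decode_hresult(hr)[3]))
    for field, hr in summary["fields"].items():
        print("%s 0x%08X -> %s" % (field, hr, decode_hresult(hr)[3]))
```
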
  • I just got to log in from home.  It seems that the service is stopped. 

    Then I started it again, and just reran the sc queryex command about every minute.  it stopped again.  I had an initial timestamp, but it scrolled off the window.  Still, I think it was less than 10 minutes.

    is it likely this is malware?  or could there be some other reason it might have stopped on its own?

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>sc queryex sppsvc

    SERVICE_NAME: sppsvc
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :

    C:\Windows\system32>

    Friday, June 17, 2011 11:29 PM
  • "Ned Kittlitz" wrote in message news:229d36de-ab83-4dad-87df-d62e711451ee...

    I just got to log in from home.  It seems that the service is stopped. 

    Then I started it again, and just reran the sc queryex command about every minute.  it stopped again.  I had an initial timestamp, but it scrolled off the window.  Still, I think it was less than 10 minutes.

    is it likely this is malware?  or could there be some other reason it might have stopped on its own?    :

    C:\Windows\system32>


    Certainly the most likely cause is malware -
    Since this seems to be something that is time based, I wonder if there are any  strange entries in the Task Scheduler?
    Please see if you can find anything there.
    Please also install, run, and update Malwarebytes Anti-Malware (free - www.malwarebytes.org) - do NOT activate the Real-time scanner, as it may interfere with a conventional Anti-Virus.
    Run a full system scan in your usual account, and Quick scans in any other user accounts.
    Delete everything it finds.
     
    Then check the system out with a full McAfee scan as well - check that that is also fully updated first.
     
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, June 18, 2011 12:00 AM
    Moderator
  • On Friday or Saturday, I thought I saw a web page claiming that sppsvc could automatically stop if it was not used for a while. http://www.blackviper.com/wiki/Software_Protection 

    Over the weekend, I tried doing a system restore using the backup done just before my June 15 update attempt.  All of the "app" type updates are OK (.net, office 2010, silverlight, communicator 2005), but as soon as I try to do anything that is a "microsoft windows" update, I still get that error.

    Today, I ran Malwarebytes twice -- it didn't find anything.  I also ran McAfee twice.  The first time, the summary in the app sub-window reported some small number of items (less than 20). I tried looking at the log, but nothing was really obvious.  I ran it again, and the number was down to 3.  I forgot to make a note of the exact text that appears as a status line in the window.  When I look at the log, the only obvious thing is 3 items that were not scanned because they are encrypted.

    I looked at my installation/update history.  Prior to June 15, several Windows items were installed June 1.  They were:

    http://support.microsoft.com/?kbid=2541014

    http://support.microsoft.com/?kbid=2534366

    http://support.microsoft.com/?kbid=2533552

    2534366 and 2533552 seem to be related to problems installing SP1; since I've been running that for a long time, I assume they didn't really matter to me. 2541014 related to hibernation mode and crash dumps.  Previous Windows changes were April 27.

    I wonder if it might be worth trying to uninstall these 3 changes.

    From the McAfee log:

    6/20/2011 12:59:17 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\appdata\roaming\microsoft\windows\cookies\low\nkittlit@adbrite[2].txt\00000414.ie

    6/20/2011 12:59:20 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\application data\microsoft\windows\cookies\low\nkittlit@adbrite[2].txt\00000414.ie

    6/20/2011 12:59:22 PM Not scanned (The file is encrypted) nkittlit ODS(ned-daily-scan) c:\users\nkittlit\cookies\low\nkittlit@adbrite[2].txt\00000414.ie

    Monday, June 20, 2011 6:49 PM
  • Cookies should not be encrypted - they are supposed to be plain-text files. I would suggest deleting them.
    However, I don't believe that they are related to your problem with WGA.
     
    (BlackViper is also my reference for services <g>) lemme take a look at your link....
    Ah - I see your confusion.... yes the service will stop, but it switches into a standby state rather than being switched off, and should normally show as running. This is especially the case when an MGADiag report is being run, as it specifically calls on the service to do some of the diagnosis.
    In your case, the fact that the service shows as being Stopped a couple of minutes after starting it means that something is actively switching it off, and we need to discover what this is.
    It could well be worth giving the guys on Malware Support a try. - point them at this thread - start here....
     
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, June 21, 2011 5:23 AM
    Moderator
  • Hello.  I think this is fixed, but it's weird.  The short description of what I did is to change Cryptographic Services to log in using "Network Services"; it was set up using the upper radio button: Local System account.

    Here's how I got there... take everything I say with a grain of salt, because I'm really just a kid using grownup words I don't understand.

    Following your suggestion, I went to http://supportservices.microsoft.com/support/services/virus_malware_removal and worked with one agent. After a while, she kicked me on to a higher level expert.  Not sure if it's appropriate to drop his id, so I'll leave it out.

    At some point, he started to focus on cryptographic services; it was not running.  When he tried to start it from the services panel, it failed with error 1079.  The error text is roughly "the account specified for this service is different from account specified for other services running in the same process".  NOTE: in retrospect, there was a big indication of this issue... I was surprised that when we ran various items such as services.msc, Windows warned me the publisher was unknown. Now, I assume it couldn't verify the signature.

    After poking around a bit more, the second expert decided there was probably nothing else to do without getting my IT group involved, and we ended that chat session.

    I tried to figure out what process it might be that handles crypto services. Then I searched around and came up with another blackviper page: http://www.blackviper.com/wiki/Cryptographic_Services.  I noticed that it says the Log On As is "Network Service".  (Now that I look at this again, I see there are multiple sections for different Windows versions, and at least some of those specify Local System Account.  But I was lucky and focused on the Windows 7 section without realizing it.)

    So I looked at the properties for other things that are started as network services.  Then I modified the properties of cryptographic services to log in as Network Services.  I just cleared out the password fields.  After this, I was able to start crypto.

    Following this, I ran Microsoft Update and picked a single Windows patch to install.  It worked. I had to reboot.  Since then, I have done 2 more updates and have now installed everything.

    ** SO I don't know how this change happened.  Maybe it was something pushed by our corporate IT group; I think this is done with "SMS", but again, it's not something I understand. 

    Finally, I ran MGADiag again.  It's healed!  I will ask the other guy here who has the same PC to check his crypto service setup.  He told me he ran an update recently without problems, so I don't know why his worked.

    Finally finally: it's still the case that "sc queryex sppsvc" will show state STOPPED after I've been up for a while.  I wasn't running this repeatedly, so I don't know if it was up when I logged in and then went away.

    Thanks again for all the suggestions and hand-holding.  If there's anything else you want me to examine, or you have suggestions about things I should ask our IT people, please let me know.

    Ned

    MGADiag output:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-788W3-H689G-6P6GT
    Windows Product Key Hash: yr8OHoeXhbT4dc6MxGYjdAStSPY=
    Windows Product ID: 00371-OEM-8992671-00008
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110408-1631
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: proxy.proxy.lucent.com:8000
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Internet Explorer\IEXPLORE.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{CAFC6D9A-637C-43C2-AA86-D4FB2D2FE7B8}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-6P6GT</PKey><PID>00371-OEM-8992671-00008</PID><PIDType>2</PIDType><SID>S-1-5-21-150820050-3310638546-1031788635</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP Compaq 8100 Elite SFF PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>786H1 v01.05</Version><SMBIOSVersion major="2" minor="6"/><Date>20100609000000.000000+000</Date></BIOS><HWID>41113607018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>1</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-BPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 50e329f7-a5fa-46b2-85fd-f224e5da7764
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00371-00178-926-700008-02-1033-7600.0000-2052009
    Installation ID: 012096535692831173840681899194722295701916732953652420
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 6P6GT
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 6/21/2011 4:40:11 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x80072EE2
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:9:2011 17:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAEAAAABAAAAAwABAAEAln32pXCcmJHIUJB6pmAiT3KKvkF2Vg==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   COMPAQ  IBEXPEAK
      FACP   COMPAQ  IBEXPEAK
      HPET   COMPAQ  IBEXPEAK
      MCFG   COMPAQ  IBEXPEAK
      ASF!   COMPAQ  IBEXPEAK
      TCPA   COMPAQ  IBEXPEAK
      SLIC   HPQOEM  SLIC-BPC
      DMAR   COMPAQ  IBEXPEAK

     

    Tuesday, June 21, 2011 9:03 PM
  • Give that man a banana!
     
    Well done and thank you VERY much for coming back to us with this report!
    This at least gives us somewhere to start with the process of troubleshooting the other threads in future.
    Can you do me a favour and run the following commands for me?
     
    sc qc cryptsvc
    sc queryex cryptsvc
    sc qprivs cryptsvc
    sc qsidtype cryptsvc
    sc sdshow cryptsvc
     
    (I can then check it against my default system and see if there's any nasty gotchas that may catch up with either you or others at a later date.)
     
    Well done again!

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Ned Kittlitz Friday, June 24, 2011 3:17 PM
    Tuesday, June 21, 2011 9:26 PM
    Moderator
  • Just a thought - but I doubt it's something pushed by your IT people, it's more likely that a minor piece of malware got in and did the trick - and was then eaten by the next update of the AV, which failed to properly repair the registry. You might ask your IT guys to have a look at the logs and see if they can pull the rabbit out of the hat :)

     

     

    Thanks again


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, June 21, 2011 9:32 PM
    Moderator
  • What is "AV"?

    Since I'm new to the forums, I'm not sure of the conventions.  I see two items were "proposed as answers".  One of them was your suggestion to contact Microsoft malware assistance. The other was my previous update.  I suppose in some sense, both of them might be answers, although ignorance prevents me from knowing that my posting really could have wider applicability. Let me know.

    Here's the stuff you requested. Thanks again.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>sc qc cryptsvc
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: cryptsvc
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Cryptographic Services
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : NT AUTHORITY\NetworkService

    C:\Windows\system32>sc queryex cryptsvc

    SERVICE_NAME: cryptsvc
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 1412
            FLAGS              :

    C:\Windows\system32>sc qprivs cryptsvc
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: cryptsvc
            PRIVILEGES       : SeChangeNotifyPrivilege
                             : SeCreateGlobalPrivilege
                             : SeImpersonatePrivilege

    C:\Windows\system32>sc qsidtype cryptsvc
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: cryptsvc
    SERVICE_SID_TYPE:  UNRESTRICTED

    C:\Windows\system32>sc sdshow cryptsvc

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    C:\Windows\system32>

    Wednesday, June 22, 2011 2:46 PM
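
The error 1079 condition discussed in this thread (a shared-process service whose logon account differs from the other services in the same svchost host) can be checked from `sc qc` listings. This is an added example, not part of any post in the thread: the cryptsvc listing is the one posted above, while the pre-fix listing (Local System, as described in the earlier post) and the Dnscache neighbour are constructed for illustration.

```python
import re
from collections import defaultdict

# "sc qc cryptsvc" output as posted in the thread (state after the fix).
SC_QC_FIXED = r"""
SERVICE_NAME: cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cryptographic Services
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

# Constructed: the same listing with the logon account the poster says it
# had before the fix (Local System), to reproduce the mismatch.
SC_QC_BROKEN = SC_QC_FIXED.replace("NT AUTHORITY\\NetworkService", "LocalSystem")

# Constructed: a second service assumed to share the same svchost host.
SC_QC_NEIGHBOUR = r"""
SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""

FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Parse one 'sc qc <service>' listing into a dict of its fields."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def host_key(cfg):
    """Return the normalized host command line for shared-process services."""
    if "WIN32_SHARE_PROCESS" not in cfg.get("TYPE", ""):
        return None
    return " ".join(cfg.get("BINARY_PATH_NAME", "").lower().split())


def account_conflicts(listings):
    """Return {host: {account: [services]}} where one host has >1 account."""
    groups = defaultdict(lambda: defaultdict(list))
    for text in listings:
        cfg = parse_sc_qc(text)
        key = host_key(cfg)
        if key:
            account = cfg.get("SERVICE_START_NAME", "").lower()
            groups[key][account].append(cfg["SERVICE_NAME"])
    return {h: dict(a) for h, a in groups.items() if len(a) > 1}


if __name__ == "__main__":
    for label, sample in (("fixed", SC_QC_FIXED), ("broken", SC_QC_BROKEN)):
        print(label, account_conflicts([sample, SC_QC_NEIGHBOUR]))
```

On a real machine the listings would come from running `sc qc` for every service and feeding each block to `account_conflicts`; any host it reports is a candidate for the 1079 start failure.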
  • AV = antivirus.
    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.
    Wednesday, June 22, 2011 2:48 PM
    Answerer
  • Thanks for the update - I see Colin has already told you that AV= Anti-Virus :)
     
    There's no need for you to make a choice if you're unsure - and as far as I know you could mark both as answers :)
     
    Good luck.
    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, June 24, 2011 1:35 PM
    Moderator