Windows 7 suddenly reported as not genuine, can not system restore or use slui.exe

  • Question

  • It's a legitimate copy of Win 7 through MSDNAA, and has only recently shown this message. sfc /scannow shows corrupt files that it can't fix. MGATool unable to copy, so I'll paste Windows and licensing screenshots here (can only print 2; will upload more if needed): Thank you!

    

    Saturday, February 25, 2012 9:16 PM


All replies

  • Please paste the complete report in your reply.  After you click the Continue button the report is sent to your clipboard.  Use Paste or Ctrl-V to paste it here.

    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.

    Saturday, February 25, 2012 10:07 PM
    Answerer
  • Colin, I get an error message in MGATool when I click COPY, saying it is unable to copy --screenshot:

    I can't copy/paste...are the screenshots not helpful? Thank you.


    AR Wenner

    Saturday, February 25, 2012 10:16 PM
  • Ignore the error message. It will still copy and paste.
    Saturday, February 25, 2012 10:19 PM
    Answerer
  • Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->


    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc0000022
    Windows Product Key: *****-*****-WV8DR-87MYY-CWV7G
    Windows Product Key Hash: loAXON0+e8rH9qnLkRgt2JjZAqU=
    Windows Product ID: 00371-152-2848884-85868
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {F629E116-B95E-4DAB-9EE7-1E20A900B6CF}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.111025-1505
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A


    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002


    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002


    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002


    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: FCEE394C-458-80070005_025D1FF3-344-80070005_025D1FF3-229-80070005_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3


    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Users\Wenner\AppData\Local\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed


    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100


    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{F629E116-B95E-4DAB-9EE7-1E20A900B6CF}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-CWV7G</PKey><PID>00371-152-2848884-85868</PID><PIDType>5</PIDType><SID>S-1-5-21-3342408027-1123624117-3452179437</SID><SYSTEM/><BIOS/><HWID>6E183507018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  


    Spsys.log Content: 0x80070002


    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x1A8' to display the error text.
    Error: 0x1A8 


    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: N/A
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys




    HWID Data-->
    HWID Hash Current: PAAAAAMAAgABAAEAAgACAAAABAABAAEAeqhiKPwZtkdONEjRkgBUPsLCTH/eiJCXXUYOsRrDcoq+QdbH


    OEM Activation 1.0 Data-->
    N/A


    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC Nvidia NVDAACPI
      FACP Nvidia NVDAACPI
      HPET Nvidia NVDAACPI
      MCFG Nvidia NVDAACPI
      SSDT PTLTD POWERNOW




    AR Wenner

    Saturday, February 25, 2012 10:30 PM
  • This pattern of file mismatches indicates that a recent update has caused an issue with the Intel Rapid Storage Drivers.  Reinstall the drivers.  Procedure compliments of Noel Paton.

    Installing the Intel Rapid Storage Drivers 
    try downloading and installing them from here - 
    http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20624&ProdId=2101&lang=eng&OSVersion=%0A&DownloadType=Drivers&OSVersion=%0A&DownloadType=Drivers

    you’ll need the set for the x64 (64-bit) platform on Win7 
    Once complete, please reboot twice, then post another MGADiag report.
     
    Good Luck!


    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.



    Saturday, February 25, 2012 10:43 PM
    Answerer
  • Colin, the IBM drivers wouldn't install, saying system doesn't meet specs. As far as I know, I don't have IBM architecture in the system, and no RAIDs. Could it be a different driver?

    AR Wenner

    Saturday, February 25, 2012 10:53 PM
  • The Intel drivers are used by many manufacturers for their own equipment.  They have been a cause of this kind of problem of late.  Look on the HP support site.  Some users who had problems with the Intel download have succeeded with the HP download.  Use the download at the bottom of this page.

    http://h10025.www1.hp.com/ewfrf/wc/document?docname=c02219204&cc=nl&lc=en&dlc=en&product


    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.

    Saturday, February 25, 2012 11:24 PM
    Answerer
  • Well, I got the same message about my system not meeting requirements. When I tried to run the Intel driver update utility, it gave me the BSOD -- twice. I rolled back an NVidia driver update I recall from a few days ago, but couldn't find any mention of IBM in Device Manager hardware (for what that's worth.)

    Anything else I can try? Thanks!


    AR Wenner

    Sunday, February 26, 2012 12:04 AM
  • No one is saying you have Intel hardware.  The drivers are used by most manufacturers.  Noel Paton may have a lead on this but he is in the UK so he has likely gone to bed already.

    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.

    Sunday, February 26, 2012 12:11 AM
    Answerer
  • "Cbarnhorst" wrote in message news:799bd87d-49d8-44c7-a872-8511e450bd7b...
    No one is saying you have Intel hardware.  The drivers are used by most manufacturers.  Noel Paton may have a lead on this but he is in the UK so he has likely gone to bed already.

    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.

    OK – I’m up now :)
    This is very similar to another thread I’m working on. – with Daemon Gibson.
    None of the ‘usual’ methods seem able to identify the cause – and Daemon has just reported back that a repair install failed, and he’s had to do a clean install. :(
     
    At the present time, my only advice is that unless the standard chkdsk and SFC yield a change, it’s likely that a clean install will be necessary.
     
    There is an error present which often indicates a problem with the file-system
    ...and the last error there is one I don’t recall seeing before, and is apparently undefined:(
    Let’s start with the file system.
    run the standard file-system checks....
    Click on the Start button
    type in the Search box
    CMD.EXE
    right-click on the only file that is found
    Select Run as Administrator
    - the Elevated Command Prompt window should pop up
    At the Command prompt, type
    CHKDSK C: /R
    and hit the Enter key
    You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot. The chkdsk will take a few hours depending on the size of the drive, so be patient!

    After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC

    SFC -System File Checker - Instructions
    Click on the Start button
    type in the Search box
    CMD.EXE
    right-click on the only file that is found
    Select Run as Administrator
    - the Elevated Command Prompt window should pop up
    At the Command prompt, type

    SFC /SCANNOW

    and hit the Enter key
    Wait for the scan to finish - make a note of any error messages - and then reboot.

    run another MGADiag report, and post the results.
    If the SFC scan reports that it couldn’t fix problems, please upload the CBS.log file to your public SkyDrive, and post a link here.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, February 26, 2012 10:36 AM
    Moderator
  • Thank you, Noel.

    Same results with chkdsk and scannow. I am entering the MGATool results below. I had permission restrictions with the CBS.log file. After exporting the cbs.log to a txt file that I could open/upload, I've copied it to public Skydrive and embedded in this post. (https://skydrive.live.com/redir.aspx?cid=df5117f5655fd544&resid=DF5117F5655FD544!1826&parid=DF5117F5655FD544!115 )

    Thank you!



    AR Wenner

    Sunday, February 26, 2012 1:43 PM
  • "arwenner" wrote in message news:dc010081-d5f7-4973-9128-7630bd156734...

    Thank you, Noel.

    Same results with chkdsk and scannow. I am entering the MGATool results below. I had permission restrictions with the CBS.log file. After exporting the cbs.log to a txt file that I could open/upload, I've copied it to public Skydrive and embedded in this post. (https://skydrive.live.com/redir.aspx?cid=df5117f5655fd544&resid=DF5117F5655FD544!1826&parid=DF5117F5655FD544!115 )

    Thank you!

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->


    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc0000022
    Windows Product Key: *****-*****-WV8DR-87MYY-CWV7G
    Windows Product Key Hash: loAXON0+e8rH9qnLkRgt2JjZAqU=
    Windows Product ID: 00371-152-2848884-85868
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010100.1.0.048

     


    AR Wenner

    There’s no apparent problem with SFC in your log – both passes completed without finding any problem.
    I see that you stripped it to the [SR] responses, per the KB article??
     
    It’s worth checking a couple of things – but I frankly don’t hold out too much hope....
     
    Please run the following command from an Elevated Command Prompt window(1)
    Copy and paste set of commands below into the window – once completed, hit the Enter Key to ensure that the last command has run (2)
     
    SC QUERYEX CRYPTSVC
    SC QUERYEX CRYPTSVC
    SC SDSHOW CRYPTSVC
    ICACLS C:\Windows\System32\sppc.dll
    ICACLS C:\Windows\System32\slc.dll
    ICACLS C:\Windows\System32\slcext.dll
    ICACLS C:\Windows\System32\sppcomapi.dll
    ICACLS C:\Windows\System32\sppsvc.exe
    ICACLS C:\Windows\System32\SPPWMI.DLL
    ICACLS C:\Windows\System32\SPP.DLL
    ICACLS C:\Windows\System32\SLWGA.DLL
    REG QUERY HKU
    REG QUERY HKU\S-1-5-20
    REG QUERY HKU\S-1-5-20\Environment
    REG QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
     
     
    Copy the whole output to your response(3) ;)

     
    1) To open an Elevated Command Prompt Window (the CP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, February 26, 2012 2:08 PM
    Moderator
  • Thank you very much. Yes, since I couldn't open or upload the log file, I followed the KB message on how to obtain the contents. Here is the list of results -- did I get everything?

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


    C:\Windows\system32>findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >sfcdetails.txt


    C:\Windows\system32>SC QUERYEX CRYPTSVC


    SERVICE_NAME: CRYPTSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 1964
            FLAGS              :


    C:\Windows\system32>SC QUERYEX CRYPTSVC


    SERVICE_NAME: CRYPTSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 1964
            FLAGS              :


    C:\Windows\system32>SC SDSHOW CRYPTSVC


    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)


    C:\Windows\system32>ICACLS C:\Windows\System32\sppc.dll
    C:\Windows\System32\sppc.dll NT SERVICE\TrustedInstaller:(F)
                                 BUILTIN\Administrators:(RX)
                                 NT AUTHORITY\SYSTEM:(RX)
                                 BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>ICACLS C:\Windows\System32\slc.dll
    C:\Windows\System32\slc.dll NT SERVICE\TrustedInstaller:(F)
                                BUILTIN\Administrators:(RX)
                                NT AUTHORITY\SYSTEM:(RX)
                                BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>ICACLS C:\Windows\System32\slcext.dll
    C:\Windows\System32\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Administrators:(RX)
                                   NT AUTHORITY\SYSTEM:(RX)
                                   BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>ICACLS C:\Windows\System32\sppcomapi.dll
    C:\Windows\System32\sppcomapi.dll Everyone:(F)
                                      NT SERVICE\TrustedInstaller:(F)
                                      BUILTIN\Administrators:(RX)
                                      NT AUTHORITY\SYSTEM:(RX)
                                      BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>ICACLS C:\Windows\System32\sppsvc.exe
    C:\Windows\System32\sppsvc.exe NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Administrators:(RX)
                                   NT AUTHORITY\SYSTEM:(RX)
                                   BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>ICACLS C:\Windows\System32\SPPWMI.DLL
    C:\Windows\System32\SPPWMI.DLL Everyone:(F)
                                   NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Administrators:(RX)
                                   NT AUTHORITY\SYSTEM:(RX)
                                   BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>ICACLS C:\Windows\System32\SPP.DLL
    C:\Windows\System32\SPP.DLL NT SERVICE\TrustedInstaller:(F)
                                BUILTIN\Administrators:(RX)
                                NT AUTHORITY\SYSTEM:(RX)
                                BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>ICACLS C:\Windows\System32\SLWGA.DLL
    C:\Windows\System32\SLWGA.DLL Everyone:(F)
                                  NT SERVICE\TrustedInstaller:(F)
                                  BUILTIN\Administrators:(RX)
                                  NT AUTHORITY\SYSTEM:(RX)
                                  BUILTIN\Users:(RX)


    Successfully processed 1 files; Failed processing 0 files


    C:\Windows\system32>REG QUERY HKU


    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-20
    HKEY_USERS\S-1-5-21-3342408027-1123624117-3452179437-1000
    HKEY_USERS\S-1-5-21-3342408027-1123624117-3452179437-1000_Classes
    HKEY_USERS\S-1-5-21-3342408027-1123624117-3452179437-1013
    HKEY_USERS\S-1-5-21-3342408027-1123624117-3452179437-1013_Classes
    HKEY_USERS\S-1-5-18


    C:\Windows\system32>REG QUERY HKU\S-1-5-20


    HKEY_USERS\S-1-5-20\AppEvents
    HKEY_USERS\S-1-5-20\Console
    HKEY_USERS\S-1-5-20\Control Panel
    HKEY_USERS\S-1-5-20\Environment
    HKEY_USERS\S-1-5-20\EUDC
    HKEY_USERS\S-1-5-20\Keyboard Layout
    HKEY_USERS\S-1-5-20\Network
    HKEY_USERS\S-1-5-20\Printers
    HKEY_USERS\S-1-5-20\Software
    HKEY_USERS\S-1-5-20\System


    C:\Windows\system32>REG QUERY HKU\S-1-5-20\Environment


    HKEY_USERS\S-1-5-20\Environment
        TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
        TMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp




    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    ProfileList\S-1-5-20
    ERROR: Invalid syntax.
    Type "REG QUERY /?" for usage.


    C:\Windows\system32>


    AR Wenner

    Sunday, February 26, 2012 2:22 PM
  • Noel, I ran scannow again, and received a message that there were files it couldn't fix (image attached.)

    I uploaded the latest cbs.log as sfcdetails.txt on Skydrive (https://skydrive.live.com/redir.aspx?cid=df5117f5655fd544&resid=DF5117F5655FD544!1827&parid=DF5117F5655FD544!115 )

    Does this shed any more light?

    Thank you!


    AR Wenner

    Sunday, February 26, 2012 3:00 PM
  • "arwenner" wrote in message news:98bd197d-71a4-484e-9822-f6a235cd96b9...

    Thank you very much. Yes, since I couldn't open or upload the log file, I followed the KB message on how to obtain the contents. Here is the list of results -- did I get everything?

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.




    C:\Windows\system32>ICACLS C:\Windows\System32\sppcomapi.dll
    C:\Windows\System32\sppcomapi.dll Everyone:(F)
                                      NT SERVICE\TrustedInstaller:(F)
                                      BUILTIN\Administrators:(RX)
                                      NT AUTHORITY\SYSTEM:(RX)
                                      BUILTIN\Users:(RX)


    C:\Windows\system32>ICACLS C:\Windows\System32\SPPWMI.DLL
    C:\Windows\System32\SPPWMI.DLL Everyone:(F)
                                   NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Administrators:(RX)
                                   NT AUTHORITY\SYSTEM:(RX)
                                   BUILTIN\Users:(RX)


    C:\Windows\system32>ICACLS C:\Windows\System32\SLWGA.DLL
    C:\Windows\System32\SLWGA.DLL Everyone:(F)
                                  NT SERVICE\TrustedInstaller:(F)
                                  BUILTIN\Administrators:(RX)
                                  NT AUTHORITY\SYSTEM:(RX)
                                  BUILTIN\Users:(RX)


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    ProfileList\S-1-5-20
    ERROR: Invalid syntax.
    Type "REG QUERY /?" for usage.


    C:\Windows\system32>

    AR Wenner

    Bother – I thought I’d included the correct quoting for that last command! – never mind....
     
    I’ve highlighted the ‘errors’  - they are not errors as such, but they are security holes which something has obviously jumped through.
     
    My immediate reaction is that this install is unrecoverable – probably as the result of a malware infestation.
     
    I really do recommend a clean install now :(
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Darin Smith MS Tuesday, February 28, 2012 12:27 AM
    Sunday, February 26, 2012 3:47 PM
    Moderator
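
Added example (not part of the original thread and not code from any poster): a Python sketch that parses pasted ICACLS output like the listings above and flags entries where a broad group such as Everyone holds write-capable rights on a file, which is the pattern called out in the answer. The sample text is constructed, the third record (`C:\Program Files\Example App\tool.exe`) is hypothetical and goes beyond the thread to show paths with spaces and inherited ACEs, and the principal and rights lists are assumptions covering English-language systems.

```python
import re
import textwrap

# Constructed sample in the shape of the ICACLS output pasted in the thread;
# the third record (path with spaces, inherited ACEs) is hypothetical.
SAMPLE = r"""
C:\Windows\system32>ICACLS C:\Windows\System32\sppc.dll
C:\Windows\System32\sppc.dll NT SERVICE\TrustedInstaller:(F)
                             BUILTIN\Administrators:(RX)
                             NT AUTHORITY\SYSTEM:(RX)
                             BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32\sppcomapi.dll
C:\Windows\System32\sppcomapi.dll Everyone:(F)
                                  NT SERVICE\TrustedInstaller:(F)
                                  BUILTIN\Administrators:(RX)
                                  NT AUTHORITY\SYSTEM:(RX)
                                  BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS "C:\Program Files\Example App\tool.exe"
C:\Program Files\Example App\tool.exe NT AUTHORITY\SYSTEM:(I)(F)
                                      BUILTIN\Administrators:(I)(F)
                                      BUILTIN\Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# An ACE line ends in "principal:(..)(..)"; prompts and SDDL strings do not.
ACE_RE = re.compile(r"^(?P<head>.*\S):(?P<perms>(?:\([A-Za-z,]+\))+)\s*$")
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# ICACLS simple and specific rights that allow changing or replacing a file.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WEA", "WA",
                "DC", "DE", "WDAC", "WO"}
# Assumed list: English names of groups that include unprivileged accounts.
BROAD_PRINCIPALS = {"everyone", "builtin\\users",
                    "nt authority\\authenticated users",
                    "nt authority\\interactive"}


def parse_icacls(text):
    """Return {path: [(principal, rights, is_deny), ...]} from pasted output."""
    lines = textwrap.dedent(text).splitlines()
    acls, current = {}, None
    for i, line in enumerate(lines):
        m = ACE_RE.match(line)
        if not m:
            current = None            # prompt, status or blank line ends a record
            continue
        head = m.group("head")
        if head[0].isspace():         # continuation line: principal only
            if current is None:
                continue
            principal = head.strip()
        else:                         # first line: "<path> <principal>"
            spaces = [p for p, ch in enumerate(head) if ch == " "]
            if not spaces:
                current = None
                continue
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt[:1].isspace() and ACE_RE.match(nxt):
                # Later ACEs are aligned under the first principal, so the
                # separator is the space nearest that column. This copes with
                # spaces in the path and in names like "NT SERVICE\...".
                column = len(nxt) - len(nxt.lstrip())
            else:
                column = spaces[0] + 1    # single ACE: assume no space in path
            cut = min(spaces, key=lambda p: abs(p - (column - 1)))
            current, principal = head[:cut], head[cut + 1:]
            acls[current] = []
        rights, deny = set(), False
        for token in re.findall(r"\(([^)]+)\)", m.group("perms")):
            for right in token.upper().split(","):
                if right == "DENY":
                    deny = True
                elif right not in INHERIT_FLAGS:
                    rights.add(right)
        acls[current].append((principal, rights, deny))
    return acls


def risky_aces(acls):
    """List (path, principal, rights) where a broad group can modify the file."""
    findings = []
    for path, aces in acls.items():
        for principal, rights, deny in aces:
            if deny or principal.lower() not in BROAD_PRINCIPALS:
                continue
            hit = rights & WRITE_RIGHTS
            if hit:
                findings.append((path, principal, sorted(hit)))
    return findings


if __name__ == "__main__":
    for path, principal, rights in risky_aces(parse_icacls(SAMPLE)):
        print(f"{path}: {principal} holds {','.join(rights)}")
```

On the constructed sample this reports `sppcomapi.dll` (Everyone, F) and the hypothetical `tool.exe` (BUILTIN\Users, M), and leaves `sppc.dll` unflagged.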
  • Thank you for all of your efforts! One last question before I reinstall - would it help to try to copy just certain system files in first? If so, which one(s) should I try to copy?

    Thank you!!


    AR Wenner

    Sunday, February 26, 2012 4:07 PM
  • "arwenner" wrote in message news:f48abee1-dcd0-4f39-86a3-2336dde6477d...

    Thank you for all of your efforts! One last question before I reinstall - would it help to try to copy just certain system files in first? If so, which one(s) should I try to copy?

    Thank you!!


    AR Wenner

    No – a clean reinstall means just that – it will wipe ALL data and programs from your drive, and leave you with a completely fresh copy of Windows.
    You MUST back up your data to external storage first, and make note of any critical Keys (Office, Windows, etc.) that may be hard to recover.
    Then once the reinstall is complete, you need first to install an AV, then do all the Windows Updates – and then you can begin to reinstall your applications and put your data back. DO NOT attempt to put your data back until you have a fully-functional and up-to-date AV installed, as the data may be infected with whatever caused the problem this time.
     
     
    HTH?

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, February 26, 2012 4:15 PM
    Moderator
  • OK. Thank you for all the time you spent. Am backing up now before a reinstall. Just out of curiosity -- my current version of Win 7 is 32-bit, but my hardware supports 64-bit. I intend to install 64-bit Windows 7 -- is it possible to upgrade to 64-bit and install over the 32-bit?

    Thank you.


    AR Wenner

    Sunday, February 26, 2012 8:28 PM
  • You have to clean install in order to change from 32bit to 64bit.  No form of upgrade is supported.  You have to start the computer with the 64bit disk to do it.  It is the same procedure that Noel is recommending anyway.  I would use 64bit in your situation also.

    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.

    Sunday, February 26, 2012 8:48 PM
    Answerer
  • "Cbarnhorst" wrote in message news:b615aa6d-e23f-4297-a1cb-a0baf9f99b62...
    You have to clean install in order to change from 32bit to 64bit.  No form of upgrade is supported.  You have to start the computer with the 64bit disk to do it.  It is the same procedure that Noel is recommending anyway.  I would use 64bit in your situation also.

    Colin Barnhorst Windows 7 Ultimate x64 on DIY with 6GB ram.

    (agreed)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, February 26, 2012 9:03 PM
    Moderator