Error code 0xC0000022 when trying to validate Windows 7 Pro

  • Question

  • Hi,

    Long story short, my machine was infected with 2 trojans, now I believe to be all gone, but am getting the error "not a genuine copy of Windows..."
    There's no key insertion link so I've had to find SLUI 3 to add my product key but then I get the following message:

    I AM the Admin, so I can only assume that the trojans messed with the registry... What can I do to fix this issue??????

    Below is the Microsoft diagnostic tool report-

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc0000022
    Windows Product Key: *****-*****-X6WHW-W8XRF-MQPKQ
    Windows Product Key Hash: zhf5qf/screI0jC3lcgkb0H8aTs=
    Windows Product ID: 00371-OEM-9044666-15488
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {8209C73F-2C08-43C0-825B-4124CD837CD5}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Prompt
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Prompt
    Allow scripting of Internet Explorer Webbrowser control: Allowed
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{8209C73F-2C08-43C0-825B-4124CD837CD5}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-MQPKQ</PKey><PID>00371-OEM-9044666-15488</PID><PIDType>3</PIDType><SID>S-1-5-21-2373751006-3574648381-825812080</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>X58-USB3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F2</Version><SMBIOSVersion major="2" minor="4"/><Date>20100824000000.000000+000</Date></BIOS><HWID>9F603B07018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>41358D4B7C51F30</Val><Hash>FxWWBZU9yfvATpQuP3WifzgAM6U=</Hash><Pid>81602-920-2504863-68886</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80070426' to display the error text.
    Error: 0x80070426

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0001000000000000
    Event Time Stamp: 3:25:2012 10:28
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered Service: sppsvc


    HWID Data-->
    HWID Hash Current: MgAAAAEABAABAAEAAAACAAAAAQABAAEAonY0TzR1hDQMNeS/Rrzsb7pLzp8QtzCQ6oI=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            GBT           GBTUACPI
      FACP            GBT           GBTUACPI
      HPET            GBT           GBTUACPI
      MCFG            GBT           GBTUACPI
      EUDS            GBT           
      MATS            GBT           
      TAMG            GBT           GBT   B0
      SSDT            INTEL        PPM RCM

    Many thanks in advance!

    Sunday, March 25, 2012 2:50 PM

All replies

  • "need_help2012" wrote in message news:4761573f-21e3-44e1-99d4-e52cab7354fb...

    Hi,

    Long story short, my machine was infected with 2 trojans, now I believe to be all gone, but am getting the error "not a genuine copy of Windows..."
    There's no key insertion link so I've had to find SLUI 3 to add my product key but then I get the following message:

    I AM the Admin, so I can only assume that the trojans messed with the registry... What can I do to fix this issue??????

    Below is the Microsoft diagnostic tool report-

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0xc0000022
    Windows Product Key: *****-*****-X6WHW-W8XRF-MQPKQ
    Windows Product Key Hash: zhf5qf/screI0jC3lcgkb0H8aTs=
    Windows Product ID: 00371-OEM-9044666-15488
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010100.1.0.048

    File Scan Data-->

    Other data-->
    SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>X58-USB3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F2</Version><SMBIOSVersion major="2" minor="4"/><Date>20100824000000.000000+000</Date></BIOS



    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80070426' to display the error text.
    Error: 0x80070426

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x0001000000000000
    Event Time Stamp: 3:25:2012 10:28
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered Service: sppsvc



    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table

    Many thanks in advance!

    The c0000022 error often means that there is a problem with the hard drive - you also have a problem with a tampered service, but we'll deal with the drive problems first...

    Running CHKDSK and SFC

    Type in the Search box
    CMD.EXE
    Right-click on the only file that is found
    Select Run as Administrator
    - the Elevated Command Prompt window should pop up
    At the Command prompt, type
    CHKDSK C: /R
    and hit the Enter key
    You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot. The chkdsk will take a few hours depending on the size of the drive, so be patient!

    After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) - then run the SFC

    SFC - System File Checker - Instructions
    Click on the Start button
    Type in the Search box
    CMD.EXE
    Right-click on the only file that is found
    Select Run as Administrator
    - the Elevated Command Prompt window should pop up
    At the Command prompt, type

    SFC /SCANNOW

    and hit the Enter key
    Wait for the scan to finish - make a note of any error messages - and then reboot.

    Run another MGADiag report, and post the results.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, March 25, 2012 3:05 PM
    Moderator
  • Ran both disk checker and sys file checker last night with no error messages... The MGADiag tool results are from this morning...

    What should I try next?

    Sunday, March 25, 2012 5:48 PM
  • "need_help2012" wrote in message news:4a1fc4f5-44de-448e-858f-05ce40eda962...

    Ran both disk checker and sys file checker last night with no error messages... The MGADiag tool results are from this morning...

    What should I try next?

    OK - let's check for the tamper, then.
     
    Click on Start
    in the Search box, type
    SERVICES.MSC
    and hit the Enter key - accept the UAC prompt if you get one.
    Look in the console for the Software Protection service, right-click on it and select Properties.
    make sure that the Startup Type is set to Automatic (Delayed Start), and click Apply.

    Try starting the service now - do you get an error message? Does it start? does it almost immediately stop again?
    Post back with your results, and a new MGADiag report.

    If it doesn't start, then please do the following...
    Please open an Elevated (Administrator) Command Prompt window and use the following commands....

    net start sppsvc
    sc qc sppsvc
    sc queryex sppsvc
    sc qprivs sppsvc
    sc qsidtype sppsvc
    sc sdshow sppsvc

    copy and paste the results into your response (to copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response), together with the EXACT error message you get when you attempt to start the service from the Services control panel..



    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, March 25, 2012 7:10 PM
    Moderator
  • Hmmm,the software protection property was already set for Automatic (delayed start) but I got screen shots of the other tabs which I find curious...
    The network service is password protected?? And it has dependencies?? Should that be?

    Also, I noticed that the SPP Notification Service property is set to manual... Is that correct?

    I tried the admin start up of the sppsvc but it wouldn't start- the error message was:
    "The Software Protection service is starting.
    The Software Protection service could not be started.
    A system error has occurred.
    System error 5 has occurred.
    Access is denied."

    What should I try now?

    Sunday, March 25, 2012 9:04 PM
  • "need_help2012" wrote in message news:bdb0e56a-2d57-492d-bcfa-c63ca4ebc54c...

    Hmmm,the software protection property was already set for Automatic (delayed start) but I got screen shots of the other tabs which I find curious...
    The network service is password protected?? And it has dependencies?? Should that be?

    Also, I noticed that the SPP Notification Service property is set to manual... Is that correct?

    I tried the admin start up of the sppsvc but it wouldn't start- the error message was:
    "The Software Protection service is starting.
    The Software Protection service could not be started.
    A system error has occurred.
    System error 5 has occurred.
    Access is denied."

    What should I try now?

     
    All of that is perfectly normal.
    please run the rest of the commands as requested - which will give detail that isn't shown in the Properties.
     
    Please also add in the following commands.
     
    REG QUERY HKU
    REG QUERY HKU\S-1-5-20
    REG QUERY HKU\S-1-5-20\Environment
    REG QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
     
    To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Windows, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
    To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, March 25, 2012 9:12 PM
    Moderator
  • Ok... What does this tell you?

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\Lori>net start sppsvc
    The Software Protection service is starting.
    The Software Protection service could not be started.

    A system error has occurred.

    System error 5 has occurred.

    Access is denied.


    C:\Users\Lori>sc qc sppsvc
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: sppsvc
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START  (DELAYED)
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\sppsvc.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Software Protection
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : NT AUTHORITY\NetworkService

    C:\Users\Lori>sc queryex sppsvc

    SERVICE_NAME: sppsvc
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 5  (0x5)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :

    C:\Users\Lori>sc qprivs sppsvc
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: sppsvc
            PRIVILEGES       : SeAuditPrivilege
                             : SeChangeNotifyPrivilege
                             : SeCreateGlobalPrivilege
                             : SeImpersonatePrivilege

    C:\Users\Lori>sc qsidtype sppsvc
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: sppsvc
    SERVICE_SID_TYPE:  UNRESTRICTED

    C:\Users\Lori>sc sdshow sppsvc

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    C:\Users\Lori>REG QUERY HKU

    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-20
    HKEY_USERS\S-1-5-21-2373751006-3574648381-825812080-1000
    HKEY_USERS\S-1-5-21-2373751006-3574648381-825812080-1000_Classes
    HKEY_USERS\S-1-5-18

    C:\Users\Lori>REG QUERY HKU\S-1-5-20

    HKEY_USERS\S-1-5-20\AppEvents
    HKEY_USERS\S-1-5-20\Console
    HKEY_USERS\S-1-5-20\Control Panel
    HKEY_USERS\S-1-5-20\Environment
    HKEY_USERS\S-1-5-20\EUDC
    HKEY_USERS\S-1-5-20\Keyboard Layout
    HKEY_USERS\S-1-5-20\Network
    HKEY_USERS\S-1-5-20\Printers
    HKEY_USERS\S-1-5-20\Software
    HKEY_USERS\S-1-5-20\System

    C:\Users\Lori>REG QUERY HKU\S-1-5-20\Environment

    HKEY_USERS\S-1-5-20\Environment
        TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
        TMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp


    C:\Users\Lori>REG QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20

    Sunday, March 25, 2012 9:23 PM
  • ...not as much as I'd hoped :(

    All that output, apart from the obvious Access Denied error, is perfectly normal - I was expecting to see that the Network Service user account was not valid, whereas it looks normal enough at first glance.

    Please run the following commands, and post the results.

    ICACLS C:\Windows\System32\sppsvc.* /T

    ICACLS C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT

    ICACLS C:\Windows\ServiceProfiles\NetworkService

    ICACLS C:\Windows\ServiceProfiles


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, March 25, 2012 9:57 PM
    Moderator
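
The security descriptor returned by `sc sdshow sppsvc` earlier in the thread can be decoded ACE by ACE to see who may start or reconfigure the service. This is an added example, not part of any poster's reply and not Microsoft tooling; the function names and the second, deliberately weak descriptor are constructed for illustration.

```python
import re

# Meaning of SDDL right codes when the secured object is a Windows service.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {
    "SY": "Local System", "BA": "Builtin Administrators",
    "IU": "Interactive users", "SU": "Service logon users",
    "AU": "Authenticated Users", "WD": "Everyone",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
# Rights that let a trustee reconfigure, delete or re-permission the service.
WRITE_RIGHTS = {"DC", "SD", "WD", "WO"}
PRIVILEGED = {"SY", "BA"}

# Copied from the `sc sdshow sppsvc` output in the thread (console wrap removed).
SDDL_SPPSVC = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Constructed for comparison: full control handed to Authenticated Users.
SDDL_CONSTRUCTED_BAD = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)"
)


def split_rights(rights):
    """Split 'CCLCSW...' into two-letter codes; keep a hex mask as one item."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Return {'D': [ace, ...], 'S': [ace, ...]} for the DACL and SACL."""
    acls = {"D": [], "S": []}
    # Each section is 'D:' or 'S:', optional flags (e.g. PAI), then (ACE)(ACE)...
    for kind, body in re.findall(r"([DS]):[A-Z]*((?:\([^)]*\))+)", sddl):
        for raw in re.findall(r"\(([^)]*)\)", body):
            f = (raw.split(";") + [""] * 6)[:6]
            acls[kind].append({
                "acl": kind, "type": f[0], "flags": f[1],
                "rights": split_rights(f[2]), "trustee": f[5],
            })
    return acls


def granted(dacl, trustee):
    """Rights allowed to one trustee: ALLOW ACEs minus DENY ACEs for that SID."""
    allow, deny = set(), set()
    for ace in dacl:
        if ace["trustee"] == trustee:
            (allow if ace["type"] == "A" else deny).update(ace["rights"])
    return allow - deny


def risky_grants(dacl):
    """ALLOW ACEs that give write-type rights to a non-administrative trustee."""
    found = []
    for ace in dacl:
        hits = sorted(WRITE_RIGHTS.intersection(ace["rights"]))
        if ace["type"] == "A" and hits and ace["trustee"] not in PRIVILEGED:
            found.append((ace["trustee"], hits))
    return found


def describe(ace):
    who = TRUSTEES.get(ace["trustee"], ace["trustee"])
    what = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
    section = "DACL" if ace["acl"] == "D" else "SACL"
    return f"{section} {ACE_TYPES.get(ace['type'], ace['type'])} {who}: {what}"


if __name__ == "__main__":
    acls = parse_sddl(SDDL_SPPSVC)
    for ace in acls["D"] + acls["S"]:
        print(describe(ace))
    print("risky grants (thread):", risky_grants(acls["D"]))
    bad = parse_sddl(SDDL_CONSTRUCTED_BAD)
    print("risky grants (constructed):", risky_grants(bad["D"]))
```

For the descriptor posted in the thread, Administrators hold SERVICE_START and no non-administrative trustee holds a write-type right.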
  • My recommendation would be to read: Help: I Got Hacked. Now What Do I Do? and follow the advice (the only way to clean a compromised system is to flatten and rebuild) in the article.  Repairing a virus-infected PC is time-consuming and may not eliminate any future threats of the virus.



    Carey Frisch

    Sunday, March 25, 2012 10:01 PM
    Moderator
  • Here goes...

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\Lori>ICACLS C:\Windows\System32\sppsvc.* /T
    C:\Windows\System32\sppsvc.exe NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Administrators:(RX)
                                   NT AUTHORITY\SYSTEM:(RX)
                                   BUILTIN\Users:(RX)

    C:\Windows\System32\en-US\sppsvc.exe.mui NT SERVICE\TrustedInstaller:(F)
                                             BUILTIN\Administrators:(RX)
                                             NT AUTHORITY\SYSTEM:(RX)
                                             BUILTIN\Users:(RX)

    C:\Windows\System32\LogFiles\WMI\RtBackup\sppsvc.*: Access is denied.
    Successfully processed 2 files; Failed processing 1 files

    C:\Users\Lori>
    C:\Users\Lori>ICACLS C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT NT AUTHORITY\SYSTEM:(I)(F)
                                                         BUILTIN\Administrators:(I)(F)
                                                         NT AUTHORITY\NETWORK SERVICE:(I)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Users\Lori>
    C:\Users\Lori>ICACLS C:\Windows\ServiceProfiles\NetworkService
    C:\Windows\ServiceProfiles\NetworkService NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                              BUILTIN\Administrators:(OI)(CI)(F)
                                              NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Users\Lori>
    C:\Users\Lori>ICACLS C:\Windows\ServiceProfiles

    Sunday, March 25, 2012 10:06 PM
  • Hmmm, I can appreciate the article's stance... What can you tell me about my 2 infections, trojan: JS/Loop and trojan: Win32/Malagent?
    Sunday, March 25, 2012 10:13 PM
  • Well, they apparently modified/tampered/destroyed Windows 7 system files and/or permissions.  No one except the cretin that wrote the virus file knows exactly what harm it was intended to do.  I do know that security experts would never trust a computer that had been infected by a virus.

    Technical Information (Analysis)

    Trojan:Win32/Malagent is a detection for malware that exhibits explicit forms of malicious behavior.
    Malware detected as Trojan:Win32/Malagent may display a combination of the following behaviors:
    • Downloading and executing arbitrary files
    • Modifying protected system registry values
    • Hiding in protected operating system locations
    • Creating remote threads in external processes


    Carey Frisch


    Sunday, March 25, 2012 10:20 PM
    Moderator
  • "need_help2012" wrote in message news:d664ff10-acc3-4155-962f-bb520573aa85...

    Here goes...

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Users\Lori>ICACLS C:\Windows\System32\sppsvc.* /T

    That all looks normal as well.
    I'm about out of ideas.
    You have a number of options
     
    1) The 'nuclear option' - reformat and reinstall
    2) Attempt a repair install of Windows and hope that works
    3) Contact MS WGA support for assistance with this problem
    4) See if a specialist malware forum can help check your system status, and remove any remaining malware - then come back for another try.
     
    Malagent appears to be a fairly nasty beast - and not that easy to remove completely.
    I suspect that the simplest solution in the medium term is going to be a reformat/reinstall
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, March 25, 2012 10:37 PM
    Moderator
  • UGH!

    This all started 1 1/2 weeks ago when I downloaded a "fix" from a forum because my Quickbooks wasn't saving into .pdf format... During this attempted fix for Quickbooks, I saved my info on an external back up drive, then re-installed the data... The AV also found the trojans on my back up drive which I'm now not using...

    I could choose option 1, but I'd lose SO much time and critical data that I'd still be tempted to pull from the back up drive...
    If I decided to attempt option 2, a repair install, would that delete any data? If not, how would I go about a "repair install?"
    Option 3, I have the genuine install disk, but honestly, would they be able to help me in this circumstance?
    Option 4, can you suggest any malware specialists?

    What are YOUR personal thoughts as to if the virus is gone and this is just the aftermath or not?

    Sunday, March 25, 2012 10:58 PM
  • "need_help2012" wrote in message news:281027f9-8f81-41fe-bc35-6a7b0f2fd19b...

    UGH!

    This all started 1 1/2 weeks ago when I downloaded a "fix" from a forum because my Quickbooks wasn't saving into .pdf format... During this attempted fix for Quickbooks, I saved my info on an external back up drive, then re-installed the data... The AV also found the trojans on my back up drive which I'm now not using...

    I could choose option 1, but I'd lose SO much time and critical data that I'd still be tempted to pull from the back up drive...
    If I decided to attempt option 2, a repair install, would that delete any data? If not, how would I go about a "repair install?"
    Option 3, I have the genuine install disk, but honestly, would they be able to help me in this circumstance?
    Option 4, can you suggest any malware specialists?

    What are YOUR personal thoughts as to if the virus is gone and this is just the aftermath or not?

     
    Without having seen the system in its infected state, and being unable to see it now, I can have no opinion as to how clean it is - and malware is no longer a speciality of mine (I was away from the scene for too long at a critical time).

    As far as the options are concerned....
    1) If you back up your data to external storage and then isolate that, you should lose none in a flatten/rebuild - obviously, you should rebuild the system fully, complete with a couple of decent malware scanners and AV, before attaching your storage back - then throw everything at it before importing the data you need back into the system
     
    2) Instructions for a Repair Install
     
    3) I suspect that they would go straight for a repair install.
     
    4) www.bleepingcomputer.com or www.aumha.net are two that I have faith in. If you go that route, look for the forum instructions - they may well delete the thread if not followed.
     
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Proposed as answer by Darin Smith MS Monday, March 26, 2012 7:17 PM
    • Marked as answer by need_help2012 Tuesday, March 27, 2012 12:16 AM
    Sunday, March 25, 2012 11:25 PM
    Moderator
  • Noel, I truly appreciate all your time and help with this problem!

    I'll post back in a day or 2 with my decisions and results...

    Again, many thanks!

    Lori

    Sunday, March 25, 2012 11:40 PM
  • "need_help2012" wrote in message news:da086cfb-4101-4402-9a32-eec61f140491...

    Noel, I truly appreciate all your time and help with this problem!

    I'll post back in a day or 2 with my decisions and results...

    Again, many thanks!

    Lori

    You're welcome - good luck!

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, March 25, 2012 11:47 PM
    Moderator
  • Follow up... After my problem was passed around to various MS techs, ...I will have to do a re-install...

    Again, my thanks!

    Tuesday, March 27, 2012 12:15 AM
  • "need_help2012" wrote in message news:bd63e1d8-3fd0-4d53-ba6b-731aa8b0c79b...

    Follow up... After my problem was passed around to various MS techs, ....I will have to do a re-install...

    Again, my thanks!

    Ouch!
    At least I didn't miss anything obvious :) Thanks for coming back with the news.
     
    Good Luck with the reinstall.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, March 27, 2012 7:35 AM
    Moderator