Vista Error - Can't Boot - "An unauthorized change was made to Windows"

    Question

  • (Vista Error - Can't Boot )

    Receiving this error message 99% of the time until I shut down and luck out on reboot and somehow get through a full boot.. otherwise it just gives me the option to find out more info online or close, and logs me out.

    "An unauthorized change was made to Windows"

     

    *** I DO use Avast, it's been great until recently. Wondering if that's the problem, and if I get rid of it, what will protect my comp from attacks until I get a new AV installed? I am behind a router with at least a lightweight firewall. Nothing crazy tho, just the stock out of the package one ***

    Here's my diag report from MS Genuine Advantage Diag Tool:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    Validation Status: Genuine
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-F4GJK-KG77H-B9HD2
    Windows Product Key Hash: iJAth4TbScMi8HdcPurlASXdEkw=
    Windows Product ID: 89578-OEM-7332157-00204
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6000.2.00010300.0.0.003
    ID: {125A8E34-946F-486C-8CC4-C372C4D9EFAE}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6000.vista_gdr.100218-0019
    TTS Error: M:20110716155341256-
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: 2.0.48.0
    OGAExec.exe Signed By: Microsoft
    OGAAddin.dll Signed By: Microsoft

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Outlook 2007 - 100 Genuine
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{125A8E34-946F-486C-8CC4-C372C4D9EFAE}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6000.2.00010300.0.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-B9HD2</PKey><PID>89578-OEM-7332157-00204</PID><PIDType>2</PIDType><SID>S-1-5-21-3407916031-4031306893-1405287962</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXP061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.2 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070330000000.000000+000</Date></BIOS><HWID>9B323507018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-001A-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Outlook 2007</Name><Ver>12</Ver><Val>306845761353712</Val><Hash>Z8+V/VHcG/WrYA+gPMtL6vD1/0E=</Hash><Pid>81610-905-5931334-62945</Pid><PidType>1</PidType></Product><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>2BA3319E971CDB0</Val><Hash>/HJOR83lBDyRaRy2KQUHTnYqsUs=</Hash><Pid>81602-OEM-6872822-92234</Pid><PidType>4</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    Software licensing service version: 6.0.6000.16509
    Name: Windows(TM) Vista, HomePremium edition
    Description: Windows Operating System - Vista, OEM_SLP channel
    Activation ID: bffdc375-bbd5-499d-8ef1-4f37b61c895f
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 89578-00146-321-500204-02-1033-6000.0000-1642007
    Installation ID: 004876305162579252302545120111137471739964997893596793
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkId=57201
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkId=57203
    Use License URL: http://go.microsoft.com/fwlink/?LinkId=57205
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkId=57204
    Partial Product Key: B9HD2
    License Status: Licensed

    Windows Activation Technologies-->
    N/A

    HWID Data-->
    HWID Hash Current: MAAAAAEAAAABAAIAAgABAAAAAgABAAEAeqiy2Gy1knZ4jL58yo7y9FplnoOsViqF

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            DELL          B8K   
      FACP            DELL          B8K   
      HPET            DELL          B8K   
      BOOT            DELL          B8K   
      MCFG            DELL          B8K   
      SSDT            DELL        st_ex
      DUMY            DELL          B8K   
      SLIC            DELL          B8K   



    Saturday, July 16, 2011 9:12 PM

Answers

  • Uninstalled Avast w/ Avast's uninstaller; it should be fully gone. Paid for full deal of MWBytes; installed updated most recent, running full scan now. When done, I'll see if there's any reports from that; and maybe I'll run a HijackThis too. Then I'll re-run the MS Diag Tool and re-post the results. Thanks.

    Good news is, the system rebooted several times when I chose "restart" without barfing the error and blocking me from getting to my desktop. I don't know that this was due to the Avast uninstall as I've only rebooted once since that was gone, so idk. Really odd how it would block me the first 3 attempts at booting, then after a full shut down, I go to reboot, and it lets me straight to my desktop like none of that happened. It's almost as if MS has a safety deal where they block you for a few attempts just to block/annoy/discourage you, then after that they let you in. We'll see what the reports say.

    W/ Avast gone (hopefully fully I believe) and MWBytes running; and a HijackThis log to come and a new MS Diag report, I should have something more to work with.

    Saturday, July 16, 2011 11:29 PM

All replies

  • (sounds like malware to me)
     
    You have what is known as an In Memory Mod-Auth Tamper - which means that something is modifying system files as they are put into memory.
    I would suggest a System Restore back to a time the system worked properly, followed by a scan with a good Anti-Virus with updated definitions, and a full system scan with updated definitions using Malwarebytes Anti-Malware (www.malwarebytes.org - do NOT enable the real-time protection mode, as it may conflict with your anti-virus.)
     
    Once the system is behaving itself you should update it to Service Pack 1 level, then Service Pack 2 - and then do the more recent updates as well. This should help prevent the situation occurring again.
     
    Once you've run the scans, post back with the results, and a new MGADiag report.
     
    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, July 16, 2011 9:54 PM
    Moderator
  • Noel, thanks for your quick reply. So you don't think the Avast removal that everyone else is doing will handle this alone? (ie: is there a tip off in the diag report that it's something diff?). What I'm mostly concerned with is that I've moved to a Mac laptop for the last 4+ months and have barely used this PC. Before that it was every day for years, but other than a few intermittent sessions, I honestly don't know what a "good" restore point would be, and if it'd lose any of my data, etc. Most importantly my iPhone is synced to Outlook on here, and this is the core of my mult machines. Guess I'd follow the steps you laid out, just nervous that I don't have a solid backup first, and if I DO backup, will I bring in the dirty files to an external HD for backup?

    thanks!

     

    Saturday, July 16, 2011 10:31 PM
  • The initial MGADiag report didn't show the Kernel Mode Tamper (which is on most, but not all, Avast-related reports). It also didn't show the 0xC004D401 error that is almost always (at least currently) in the report for an Avast-related error.
    It may be that this is a result of your having the most recent release of Avast, which they claim has solved the issue (which they never acknowledged anyhow).
     
    Did you also run their cleanup tool? (http://www.avast.com/uninstall-utility)
    What other Anti-Virus has ever been installed in that machine?

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, July 17, 2011 12:09 AM
    Moderator
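
Added example (not part of the thread and not a Microsoft tool): a Python script that parses an MGADiag report and flags the markers the replies above rely on, namely the tamper letter in the `TTS Error` field, the 0xC004D401 code, and the build number. The sample report is constructed from fields in the question, the function names are this example's own, and reading `K:` as a kernel-mode tamper is an assumption of this example.

```python
import re

# Constructed sample: a few fields copied from the report in the question.
SAMPLE_REPORT = """\
Validation Status: Genuine
Windows License Type: OEM SLP
Windows OS version: 6.0.6000.2.00010300.0.0.003
Build lab: 6000.vista_gdr.100218-0019
TTS Error: M:20110716155341256-
License Status: Licensed
"""

# Tamper-type letters in the "TTS Error" field. "M" follows the moderator's
# diagnosis of this report; "K" (kernel mode) is an assumption of this example.
TTS_KINDS = {"M": "in-memory mod-auth tamper", "K": "kernel-mode tamper"}
AVAST_CODE = "0xC004D401"  # error code the thread ties to Avast-related reports


def parse_fields(report):
    """Return {field: value} for every 'Name: value' line (first one wins)."""
    fields = {}
    for line in report.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name:
            fields.setdefault(name.strip(), value.strip())
    return fields


def triage(report):
    """List findings for the tamper markers discussed in the thread."""
    fields = parse_fields(report)
    findings = []
    # A TTS entry is a type letter, a colon, then a timestamp of digits.
    for letter, stamp in re.findall(r"([A-Z]):(\d{8,})", fields.get("TTS Error", "")):
        kind = TTS_KINDS.get(letter, "unrecognised tamper type")
        findings.append(f"TTS {letter}: {kind} recorded at {stamp}")
    if AVAST_CODE.lower() in report.lower():
        findings.append(f"{AVAST_CODE} present: matches the Avast-related pattern")
    # Build 6000 is Vista with no service pack (6001 = SP1, 6002 = SP2).
    if fields.get("Build lab", "").split(".")[0] == "6000":
        findings.append("build 6000: Vista without a service pack installed")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```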