An unauthorized change error, after cleaning Virut infection RRS feed

  • Question

  • Hello,

    I've recently become infected by Win32.Virut.54, which I think I was able to successfully remove from my computer using Dr.Web CureIt under safemode+command prompt

    Anyways, after rebooting normally, this "Unauthorized change" error pops up, I can't do Ctrl+Alt+Del, yet I can still run games and browse explorer EDIT: I stand corrected, proper 3D games wont run, I also get a "quota error" when trying to run some programs such as Antivirus

    The Genuine Advantage won't recognize my copy of windows, I suspect Virut messed up things pretty good down here, yet the system looks and runs stable, and signs of infection have flown away

    Do you have any tip to repair the damage done to system .exe files or pass the authentification?
    I've tried Startup repair, my PC was built by Acer and the bundle didn't include a Vista DVD

    The error code given when trying to verify Windows is 0x80070426

    P.S. my Vista is in french, but feel free to use english if that is more convenient for you

    Diagnostic Report (1.9.0011.0):
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50

    Cached Validation Code: N/A, hr = 0x80070426
    Windows Product Key: *****-*****-XY9X3-JDXYP-6CJ97
    Windows Product Key Hash: xFQJU8srKsovk6p1Lk1yW93in4E=
    Windows Product ID: 89578-OEM-7332157-00211
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {001440C7-BD88-4983-A1F2-76835F10FF51}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered,
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.090302-1506
    TTS Error: M:20090830101743997-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 102
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_B4D0AA8B-920-80070057

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\Slsvc.exe[6.0.6001.18000]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{001440C7-BD88-4983-A1F2-76835F10FF51}</UGUID><Version>1.9.0011.0</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-6CJ97</PKey><PID>89578-OEM-7332157-00211</PID><PIDType>2</PIDType><SID>S-1-5-21-4147456315-2581910888-2434162610</SID><SYSTEM><Manufacturer>Acer                 </Manufacturer><Model>Aspire M1610</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>R01-A4</Version><SMBIOSVersion major="2" minor="4"/><Date>20070920000000.000000+000</Date></BIOS><HWID>49313507018400FA</HWID><UserLCID>040C</UserLCID><SystemLCID>040C</SystemLCID><TimeZone>Paris, Madrid(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>102</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><PidType>19</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: U1BMRwEAAAAAAQAABAAAACAFAAAAAAAAYWECAARgiIfHFNUbQSfKARhy9171jCizkdIEkQaJZ672i+F8Q9q5Wn/nMmWBCuL/F1gttGpfgaqNxRhempnf2+fDvX0zCybmDilyQLttVIzr1uVky5j/lF/PYyTpdbhYsEGnmR0ReJ9KlWCJouxq6PAIwHwHVMfvNauSbFvmaTBgAm18BkdJTE0EGACwl7dV9S/GUDYecePFRKM/leS97bxOVVm9fICZUkfHdDNbo72qUqYYmAlRJO05+WV1r70w2O6Pl99gqTnSYR4j0FashTOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAzQK0q/TCxAnOUfN3L2D3jMPuzW53B/cn+VqZZvCGh7IMhJdopY+cSGgo7SEXcOgA8c5WymlRwYw+khP+Aio3jrHe337kOo3Ov8bh7iCU+nxNuzii1kzd/8Rcp4Jg92n1kHeQVrrfrw9xajpB+asGN6Cszhe3l3akMznUJSQoGE3j/Sko7v7fb7vS11IJ3mTvCbkJz6Jhm/VbqQCWmaNuUiCcRjeYT5WF6tgBQ7IQZvOjOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgM0CtKv0wsQJzlHzdy9g94zK/CMjHJ6wX8LH5kNQRbPQhyyHq1BurhhD+snbvSzgaEHOVsppUcGMPpIT/gIqN46x3t9+5DqNzr/G4e4glPp8Tbs4otZM3f/EXKeCYPdp9ZB3kFa6368PcWo6QfmrBjegrM4Xt5d2pDM51CUkKBhN4/0pKO7+32+70tdSCd5k7wm5Cc+iYZv1W6kAlpmjblIgnEY3mE+VherYAUOyEGbzozkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDNArSr9MLECc5R83cvYPeMzgtO1WWnzgE8AYD8e6/OkKmjHWkxCL4V7NXOoWW4fgsRzlbKaVHBjD6SE/4CKjeOsd7ffuQ6jc6/xuHuIJT6fE27OKLWTN3/xFyngmD3afWQd5BWut+vD3FqOkH5qwY3oKzOF7eXdqQzOdQlJCgYTeP9KSju/t9vu9LXUgneZO8JuQnPomGb9VupAJaZo25SIJxGN5hPlYXq2AFDshBm86M5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAzQK0q/TCxAnOUfN3L2D3jMWfGxQ5uDc9GTw9X8pZgCwByo6OOjfqR5KmphuBQPJjsc5WymlRwYw+khP+Aio3jrHe337kOo3Ov8bh7iCU+nxNuzii1kzd/8Rcp4Jg92n1kHeQVrrfrw9xajpB+asGN6Cszhe3l3akMznUJSQoGE3j/Sko7v7fb7vS11IJ3mTvCbkJz6Jhm/VbqQCWmaNuUiCcRjeYT5WF6tgBQ7IQZvOjOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgM0CtKv0wsQJzlHzdy9g94zEthA19D94csj0uNSn7vGXWScRV2HaotdL4ZRcnYzr5KHOVsppUcGMPpIT/gIqN46x3t9+5DqNzr/G4e4glPp8Tbs4otZM3f/EXKeCYPdp9ZB3kFa6368PcWo6QfmrBjegrM4Xt5d2pDM51CUkKBhN4/0pKO7+32+70tdSCd5k7wm5Cc+iYZv1W6kAlpmjblIgnEY3mE+VherYAUOyEGbzozkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDNArSr9MLECc5R83cvYPeMwEEe1O9RED3vJRj/PlEXVx5OM6cxMJQ7gWbIT9LGFLrhzlbKaVHBjD6SE/4CKjeOsd7ffuQ6jc6/xuHuIJT6fE27OKLWTN3/xFyngmD3afWQd5BWut+vD3FqOkH5qwY3oKzOF7eXdqQzOdQlJCgYTeP9KSju/t9vu9LXUgneZO8JuQnPomGb9VupAJaZo25SIJxGN5hPlYXq2AFDshBm86M5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAzQK0q/TCxAnOUfN3L2D3jMGHDx5OLV0/5nPkwlnFMZp2Z3bAEQifIwU8UVaTnkQEQc5WymlRwYw+khP+Aio3jrHe337kOo3Ov8bh7iCU+nxNuzii1kzd/8Rcp4Jg92n1kHeQVrrfrw9xajpB+asGN6Cszhe3l3akMznUJSQoGE3j/Sko7v7fb7vS11IJ3mTvCbkJz6Jhm/VbqQCWmaNuUiCcRjeYT5WF6tgBQ7IQZvOjOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgM0CtKv0wsQJzlHzdy9g94zJHUmmcgUORD1ybRLvMhClr4TmiK9n/v6fCys4Tfnh8qHOVsppUcGMPpIT/gIqN46x3t9+5DqNzr/G4e4glPp8Tbs4otZM3f/EXKeCYPdp9ZB3kFa6368PcWo6QfmrBjegrM4Xt5d2pDM51CUkKBhN4/0pKO7+32+70tdSCd5k7wm5Cc+iYZv1W6kAlpmjblIgnEY3mE+VherYAUOyEGbzozkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDDOQ1ifb1stzrqx+w3WNaAwzkNYn29bLc66sfsN1jWgMM5DWJ9vWy3OurH7DdY1oDA==

    Licensing Data-->
    Software Licensing service is not running.

    HWID Data-->

    OEM Activation 1.0 Data-->

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ACRSYS        ACRPRDCT
      FACP            ACRSYS        ACRPRDCT
      HPET            ACRSYS        ACRPRDCT
      MCFG            ACRSYS        ACRPRDCT
      SLIC            ACRSYS        ACRPRDCT
      _WDT            ACRSYS        ACRPRDCT
      SSDT            PmRef        Cpu0Ist
      SSDT            PmRef        Cpu0Ist

    Sunday, August 30, 2009 8:45 AM


  • I just had the same problem but from a trojan.vundo.h which I stupidly unleashed after mistaking a exe for a pdf. After removing it the problem occurred.

    To fix, open the command prompt
    type: %windir%\system32 in a browser
    open cmd.exe
    type: sfc /scannow

    Once verification complete restart pc and it loaded.

    If that doesn't work, there is another method of copying the slsvc file from another vista computer using the same version of the file. In your case, Slsvc.exe[6.0.6001.18000].

    My sister's computer has the exact near exact components and same configuration so I could use hers as kind of a backup.

    Reinstall vista.... don't do it. I'm sure you can fix it!
    Sunday, August 30, 2009 11:30 AM

All replies

  • I just had the same problem but from a trojan.vundo.h which I stupidly unleashed after mistaking a exe for a pdf. After removing it the problem occurred.

    To fix, open the command prompt
    type: %windir%\system32 in a browser
    open cmd.exe
    type: sfc /scannow

    Once verification complete restart pc and it loaded.

    If that doesn't work, there is another method of copying the slsvc file from another vista computer using the same version of the file. In your case, Slsvc.exe[6.0.6001.18000].

    My sister's computer has the exact near exact components and same configuration so I could use hers as kind of a backup.

    Reinstall vista.... don't do it. I'm sure you can fix it!
    Sunday, August 30, 2009 11:30 AM
  • Today when I ran the computer, the system surprisingly launched somewhat normally

    A spyware detection program notified me a registry entry "Bootcheck" was modified with value "autocheck"

    I've ran sfc /scannow as you suggested, went through to 100%, but when done it told me it repaired some files but couldn't repair all of them.
    Restarted.. Genuine advantage works, I got my computer verified :)

    But I'm stumbling upon another major issue now, Windows Update won't work even if I clean the SoftwareDistribution folder as WindowsHelp tells me to.
    I can't install updates even manually, I tried installing Vista SP2 and Windows Installer 4.5 Redistributable, it gives me an error 0x80070003

    After that, I tried running sfc /scannow again, it gives me the following error message both in normal and safemode:
    "Windows' resource protection didn't manage to launch the repair service." (may not be the exact wording, I'm translating from french to english)

    Thanks for your help :)
    Monday, August 31, 2009 9:37 AM
  • The virut virus probably hasn't been removed completely. I did some research and it seems to be one of the pesky, nearly impossible to remove, viruses. If you can't update it means it's still on your computer. It targets .exe and .scr files. Newer version are rumored to target .htm and .html files too. I would advise backing up your files prudently and avoid backing up .exe or .scr files completely. Reinstalling windows is about the only option left at this point... I'm sorry...
    Monday, August 31, 2009 6:39 PM
  • I would've thought the same after doing some research, yet, by now I should've seen signs of the virus, as in files infected, irregular network traffic, microsoft and antivirus websites blocked, slow overall experience, and crashing programs that do a crc-check, but that's not the case

    I've been as far as to guess the virus tampered with windows installer / updater or other services to make sure they are disabled, even if the virus code itself is removed

    If my guess is right, is there a way to repair the damage done?

    edit: By the way, I'm now able to run antivirus/3D games/ect perfectly fine
    Monday, August 31, 2009 8:16 PM
  • Hello babouche.chip

    Below is what I normally give for this type of issue. aesculapius7788 already gave you the steps to use the sfc /cannow, but you may also want to try the system restore. 

    The core of your issue centers on the line in your Diagnostic Report that reads:

    File Scan Data-->
    File Mismatch: C:\Windows\system32\Slsvc.exe[6.0.6001.18000] 


    This means the file has been Tampered, Modified or has become Corrupt. Vista see this as an attack to bypass it's Licensing security.

    To resolve the issue, you need to either repair or replace the file with a known-good one (of the proper file version)


    First try repairing Windows using System Restore:

    1)    Reboot Vista into Safe Mode

    2)    Go to Control Panel

    3)    On the left hand side of the Control Panel window, Click on "Classic View"

    4)    Double-click "Backup and Restore Center"

    5)    On the left hand side of the window, click "Repair Windows using system restore"

    6)    Select "Choose Different Restore Point", Put a check in the box that says "Show restore points older than 5 days", select the restore point that corresponds to the date Before you first noticed the issue.

    7)    Click the "Next" button.

    8)    Reboot back into Normal mode

    9)    Vista should no longer be in Reduced Functionality mode


    If that doesn't work, we'll try doing a System Scan. The scan will look for bad Vista files and will attempt to repair them, if possible.

    1)    Login to Vista in Normal Mode (not safe mode)

    2)    Launch an Internet Browser

    3)    Type: %windir%\system32\ in the browser's address field

    4)    Scroll down till you find the file cmd.exe

    5)    Right-click the file and select 'Run as Administrator'

    6)    In the CMD window, type: sfc /scannow

    7)    Reboot twice and see if that resolves the issue.

    If neither of these sets of steps resolves the issue, my only other suggestions would be either to contact Vista support at http://support.microsoft.com or reinstall Vista.

     Thank you,
    Darin MS

    Monday, August 31, 2009 8:55 PM
  • I had disabled System Restore just before disinfecting my computer (several websites advised it, it also made sense to avoid reinfection), so these steps won't help my current issue

    I can't reinstall Vista since I have no installation DVD (not sold with my Acer computer), but I think I'm no longer in a Reduced Functionality mode

    I understand my issue is now greater than a "simple" authentification error and is possibly out of the bounds of this forum
    Do you have any suggestion as to where I should seek help at? To avoid bouncing around in different boards :-P

    Thanks a lot aesculapius and Darin for your help :)
    Monday, August 31, 2009 10:13 PM
  • Maybe you can still boot the hidden partition to restore your computer. Most computers nowadays have a recovery partition on their harddrives. I'm not sure how to access them myself though. You can try browsing for some tech support sites and see if the experts have any opinions. As of right now I wiped my main partition and installed a new OS. I'm trying to find a program to access my hidden partition to recover the drivers on my laptop.
    Monday, August 31, 2009 11:47 PM
  • I'll look into this then :)

    Best of luck in your repairs!
    Tuesday, September 1, 2009 2:17 PM
  • Hello babouche.chip,

    The best place to learn how to do a full recovery of your computer using the manufacturer supplied recovery procedure is at the manufacturer's support pages for your make and model of computer.

    Good luck!
    For great advice on all topics XP, visit http://www.annoyances.org/exec/forum/winxp
    Tuesday, September 1, 2009 4:29 PM