An unauthorized change error, after cleaning Virut infection

  • Question

  • Hello,

    I've recently become infected by Win32.Virut.54, which I think I was able to successfully remove from my computer using Dr.Web CureIt under Safe Mode with Command Prompt.

    Anyways, after rebooting normally, this "Unauthorized change" error pops up. I can't do Ctrl+Alt+Del, yet I can still run games and browse Explorer. EDIT: I stand corrected, proper 3D games won't run; I also get a "quota error" when trying to run some programs such as antivirus.

    The Genuine Advantage won't recognize my copy of Windows. I suspect Virut messed things up pretty good down here, yet the system looks and runs stable, and the signs of infection have gone away.

    Do you have any tip to repair the damage done to system .exe files or pass the authentication?
    I've tried Startup Repair; my PC was built by Acer and the bundle didn't include a Vista DVD.

    The error code given when trying to verify Windows is 0x80070426

    P.S. My Vista is in French, but feel free to use English if that is more convenient for you.
    Thanks

    Diagnostic Report (1.9.0011.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50

    Cached Validation Code: N/A, hr = 0x80070426
    Windows Product Key: *****-*****-XY9X3-JDXYP-6CJ97
    Windows Product Key Hash: xFQJU8srKsovk6p1Lk1yW93in4E=
    Windows Product ID: 89578-OEM-7332157-00211
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {001440C7-BD88-4983-A1F2-76835F10FF51}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.7.69.2
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.090302-1506
    TTS Error: M:20090830101743997-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 102
    Microsoft Office Home and Student 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_B4D0AA8B-920-80070057

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\Slsvc.exe[6.0.6001.18000]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{001440C7-BD88-4983-A1F2-76835F10FF51}</UGUID><Version>1.9.0011.0</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-6CJ97</PKey><PID>89578-OEM-7332157-00211</PID><PIDType>2</PIDType><SID>S-1-5-21-4147456315-2581910888-2434162610</SID><SYSTEM><Manufacturer>Acer                 </Manufacturer><Model>Aspire M1610</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>R01-A4</Version><SMBIOSVersion major="2" minor="4"/><Date>20070920000000.000000+000</Date></BIOS><HWID>49313507018400FA</HWID><UserLCID>040C</UserLCID><SystemLCID>040C</SystemLCID><TimeZone>Paris, Madrid(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>ACRSYS</OEMID><OEMTableID>ACRPRDCT</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>102</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><PidType>19</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    Software Licensing service is not running.

    HWID Data-->
    HWID Hash Current: QAAAAAQABAABAAEAAwABAAAAAwABAAEAeqhO3NpqFT87AWtLdB8anL7BAKKAY8JUje/y9Hf24DgiMaxWkpEqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ACRSYS        ACRPRDCT
      FACP            ACRSYS        ACRPRDCT
      HPET            ACRSYS        ACRPRDCT
      MCFG            ACRSYS        ACRPRDCT
      SLIC            ACRSYS        ACRPRDCT
      _WDT            ACRSYS        ACRPRDCT
      SSDT            PmRef        Cpu0Ist
      SSDT            PmRef        Cpu0Ist


    Sunday, August 30, 2009 8:45 AM

Answers

  • I just had the same problem, but from a Trojan.Vundo.H which I stupidly unleashed after mistaking an exe for a pdf. After removing it the problem occurred.

    1)
    To fix, open the command prompt
    type: %windir%\system32 in a browser
    open cmd.exe
    type: sfc /scannow

    Once the verification is complete, restart the PC; mine then loaded.

    2)
    If that doesn't work, there is another method: copying the slsvc file from another Vista computer that has the same version of the file. In your case, Slsvc.exe[6.0.6001.18000].

    My sister's computer has near exact components and the same configuration, so I could use hers as kind of a backup.

    3)
    Reinstall Vista.... Don't do it. I'm sure you can fix it!
    Sunday, August 30, 2009 11:30 AM

All replies

  • Today when I ran the computer, the system surprisingly launched somewhat normally.

    A spyware detection program notified me that a registry entry "Bootcheck" was modified with the value "autocheck".

    I've run sfc /scannow as you suggested; it went through to 100%, but when done it told me it repaired some files but couldn't repair all of them.
    Restarted... Genuine Advantage works, I got my computer verified :)

    But I'm stumbling upon another major issue now: Windows Update won't work even if I clean the SoftwareDistribution folder as Windows Help tells me to.
    I can't install updates even manually. I tried installing Vista SP2 and the Windows Installer 4.5 Redistributable; it gives me an error 0x80070003.

    After that, I tried running sfc /scannow again, it gives me the following error message both in normal and safemode:
    "Windows Resource Protection didn't manage to launch the repair service." (may not be the exact wording, I'm translating from French to English)

    Thanks for your help :)
    Monday, August 31, 2009 9:37 AM
  • The Virut virus probably hasn't been removed completely. I did some research and it seems to be one of the pesky, nearly impossible to remove viruses. If you can't update, it means it's still on your computer. It targets .exe and .scr files. Newer versions are rumored to target .htm and .html files too. I would advise backing up your files prudently and avoiding backing up .exe or .scr files completely. Reinstalling Windows is about the only option left at this point... I'm sorry...
    Monday, August 31, 2009 6:39 PM
  • I would've thought the same after doing some research, yet by now I should've seen signs of the virus, such as infected files, irregular network traffic, Microsoft and antivirus websites blocked, a slow overall experience, and crashing programs that do a CRC check, but that's not the case.

    I've gone as far as to guess that the virus tampered with Windows Installer / Update or other services to make sure they are disabled, even if the virus code itself is removed.

    If my guess is right, is there a way to repair the damage done?

    edit: By the way, I'm now able to run antivirus/3D games/etc. perfectly fine.
    Monday, August 31, 2009 8:16 PM
  • Hello babouche.chip

    Below is what I normally give for this type of issue. aesculapius7788 already gave you the steps to use sfc /scannow, but you may also want to try System Restore.

    The core of your issue centers on the line in your Diagnostic Report that reads:

    File Scan Data-->
    File Mismatch: C:\Windows\system32\Slsvc.exe[6.0.6001.18000] 


    This means the file has been tampered with, modified, or has become corrupt. Vista sees this as an attack to bypass its licensing security.

    To resolve the issue, you need to either repair or replace the file with a known-good one (of the proper file version)


    First try repairing Windows using System Restore:

    1)    Reboot Vista into Safe Mode

    2)    Go to Control Panel

    3)    On the left hand side of the Control Panel window, Click on "Classic View"

    4)    Double-click "Backup and Restore Center"

    5)    On the left hand side of the window, click "Repair Windows using system restore"

    6)    Select "Choose Different Restore Point", Put a check in the box that says "Show restore points older than 5 days", select the restore point that corresponds to the date Before you first noticed the issue.

    7)    Click the "Next" button.

    8)    Reboot back into Normal mode

    9)    Vista should no longer be in Reduced Functionality mode


    If that doesn't work, we'll try doing a System Scan. The scan will look for bad Vista files and will attempt to repair them, if possible.

    1)    Login to Vista in Normal Mode (not safe mode)

    2)    Launch an Internet Browser

    3)    Type: %windir%\system32\ in the browser's address field

    4)    Scroll down till you find the file cmd.exe

    5)    Right-click the file and select 'Run as Administrator'

    6)    In the CMD window, type: sfc /scannow

    7)    Reboot twice and see if that resolves the issue.

    If neither of these sets of steps resolves the issue, my only other suggestions would be either to contact Vista support at http://support.microsoft.com or reinstall Vista.

    Thank you,
    Darin MS

    Monday, August 31, 2009 8:55 PM
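    As an added example (it is not from the thread, from Microsoft, or from any poster), here is a PowerShell check that covers both aesculapius7788's step 2 (copying Slsvc.exe from another Vista computer with the same file version) and Darin's advice to replace the file with a known-good one of the proper version. Before anything is copied into system32, it confirms that the candidate file carries the version WGA reported (6.0.6001.18000, taken from the report's "File Mismatch" line) and a valid Microsoft Authenticode signature, records a SHA-256 of both files so the swap can be documented, and shows the state of the Software Licensing service, which the report says is not running. The candidate path is a placeholder, and the service name slsvc is an assumption; the script only reports and never modifies the system.

```powershell
# Added example, not part of the thread. Verifies a candidate replacement for
# %windir%\system32\slsvc.exe before it is copied into place: same file version
# as the one WGA reported and a valid Microsoft Authenticode signature.
# It reports only; it copies and changes nothing.

param(
    [string]$CandidatePath   = 'D:\known-good\slsvc.exe',                 # placeholder path
    [string]$InstalledPath   = (Join-Path $env:windir 'system32\slsvc.exe'),
    [string]$ExpectedVersion = '6.0.6001.18000'                           # from the report's File Mismatch line
)

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash needs PowerShell 4; this also works on Vista's PowerShell 2.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-SystemFile {
    param([string]$Path, [string]$ExpectedVersion)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{
            Path = $Path; Exists = $false; Version = $null
            Signature = 'missing'; Signer = $null; Sha256 = $null; Ok = $false
        }
    }

    # FileVersion on Windows binaries reads like "6.0.6001.18000 (longhorn_rtm...)";
    # only the numeric part is compared against the version WGA expects.
    $version = ((Get-Item -LiteralPath $Path).VersionInfo.FileVersion -split ' ')[0]
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $versionOk = ($version -eq $ExpectedVersion)
    # A signature that chains to a trusted root AND names Microsoft as the signer.
    $sigOk     = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    New-Object PSObject -Property @{
        Path      = $Path
        Exists    = $true
        Version   = $version
        Signature = $sig.Status
        Signer    = $signer
        Sha256    = Get-Sha256Hex -Path $Path
        Ok        = ($versionOk -and $sigOk)
    }
}

$installed = Test-SystemFile -Path $InstalledPath -ExpectedVersion $ExpectedVersion
$candidate = Test-SystemFile -Path $CandidatePath -ExpectedVersion $ExpectedVersion

$installed, $candidate | Format-List Path, Exists, Version, Signature, Signer, Sha256, Ok

# The report says "Software Licensing service is not running"; show its current state.
# Service name slsvc is assumed for Vista's Software Licensing service.
Get-Service -Name slsvc -ErrorAction SilentlyContinue | Format-Table Name, Status -AutoSize

if ($installed.Ok) {
    'The installed slsvc.exe already has the expected version and a valid Microsoft signature.'
} elseif ($candidate.Ok) {
    'The candidate passes both checks and is suitable as a replacement for the installed file.'
} else {
    'Do not copy the candidate: wrong version, or missing/invalid signature.'
}
```

    Run it from an elevated PowerShell prompt after saving the known-good copy to the path given in $CandidatePath. A candidate that has the right version but an invalid or non-Microsoft signature fails the check on purpose: a file taken from a machine that is itself infected would typically still report the original version string, which is why the version alone is not enough.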
  • I had disabled System Restore just before disinfecting my computer (several websites advised it; it also made sense to avoid reinfection), so these steps won't help my current issue.

    I can't reinstall Vista since I have no installation DVD (not sold with my Acer computer), but I think I'm no longer in Reduced Functionality mode.

    I understand my issue is now greater than a "simple" authentication error and is possibly out of the bounds of this forum.
    Do you have any suggestion as to where I should seek help? To avoid bouncing around different boards :-P

    Thanks a lot aesculapius and Darin for your help :)
    Monday, August 31, 2009 10:13 PM
  • Maybe you can still boot the hidden partition to restore your computer. Most computers nowadays have a recovery partition on their hard drives. I'm not sure how to access them myself, though. You can try browsing some tech support sites and see if the experts have any opinions. As of right now I wiped my main partition and installed a new OS. I'm trying to find a program to access my hidden partition to recover the drivers on my laptop.
    Monday, August 31, 2009 11:47 PM
  • I'll look into this then :)

    Best of luck in your repairs!
    Tuesday, September 1, 2009 2:17 PM
  • Hello babouche.chip,

    The best place to learn how to do a full recovery of your computer using the manufacturer supplied recovery procedure is at the manufacturer's support pages for your make and model of computer.

    Good luck!
    For great advice on all topics XP, visit http://www.annoyances.org/exec/forum/winxp
    Tuesday, September 1, 2009 4:29 PM