Not Running Genuine Windows Error 0x8004fe21

  • Question

  • I'm running an activated Windows 7 Professional 64 Bit. Since today I get error 0x8004fe21 after each reboot.

    Below is the MGADiag output.

    Any help will be appreciated.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: There is no script engine for file extension ".vbs".

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ALASKA        A M I
      FACP            ALASKA        A M I
      HPET            ALASKA        A M I
      MCFG            ALASKA        A M I
      SSDT            AMICPU        PROC
      AAFT            ALASKA        OEMAAFT

    Sunday, May 6, 2012 8:26 PM

Answers

  • Unfortunately, your Windows 7 Professional installation is hopelessly corrupt. Please back up your personal files and proceed with a "clean install" of the Windows 7 Professional operating system.

    Carey Frisch

    • Marked as answer by geverl Tuesday, May 29, 2012 8:09 PM
    Monday, May 14, 2012 2:33 AM
    Moderator
  • "geverl" wrote in message news:d2361463-056e-4529-aef4-485595aad382...

    I've switched the defaults back without copying, which seems to have worked fine.

    But when I try to do a repair install, it spends a long time to "check compatibility" and then fails with the following error:

    The following issues are preventing Windows from upgrading. Cancel the upgrade, complete each task, and then restart the upgrade to continue.
    An error prevented a required compliance check from completing. Cancel the installation and try upgrading again.

    Now how funny and useful is that message?

    I cannot even do a repair install!

    I have to admit I have no idea what causes that message.
     
    I would suggest posting for assistance in a more appropriate forum - either
     
    or
    2) SevenForums - (I think this is the right one to pick...) http://www.sevenforums.com/installation-setup/
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by geverl Tuesday, May 29, 2012 8:13 PM
    Saturday, May 26, 2012 10:19 AM
    Moderator

All replies

  • "geverl" wrote in message news:df9ec9ce-88b0-4c86-b933-60147560a24d...

    I'm running an activated Windows 7 Professional 64 Bit. Since today I get error 0x8004fe21 after each reboot.

    Below is the MGADiag output.

    Any help will be appreciated.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048


    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100


    Other data-->
    SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS



    Licensing Data-->
    Input Error: There is no script engine for file extension ".vbs".



    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table


    You have multiple problems.
    Let's start with the easy one ;)
    The problem lies with the file integrity.
    This may simply be caused by a bad set of Intel Rapid Storage Technology drivers -
    Installing the Intel Rapid Storage Drivers
    try downloading and installing them from here -
    Once complete, please reboot twice, then post another MGADiag report.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, May 6, 2012 8:54 PM
    Moderator
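
The "File Scan Data" and "HealthStatus Bitmask Output" sections of the report can be triaged mechanically. The following is an added example, not part of the thread and not MGADiag's own code: it parses an excerpt of the report posted above, splits each HRESULT into facility and code, and lists mismatched files that the WAT tamper list does not mention. The function names and the choice of excerpt lines are assumptions of this example.

```python
import ntpath
import re
from collections import Counter

# Windows SDK names for the HRESULTs that appear in the report on this page.
KNOWN_HRESULTS = {
    0x80092003: "CRYPT_E_FILE_ERROR",    # error reading/writing the file being verified
    0x800B0100: "TRUST_E_NOSIGNATURE",   # no signature was present in the subject
    0x80070002: "ERROR_FILE_NOT_FOUND",  # Win32 error 2 wrapped as an HRESULT
}
FACILITIES = {4: "FACILITY_ITF", 7: "FACILITY_WIN32",
              9: "FACILITY_SECURITY", 11: "FACILITY_CERT"}

MISMATCH_RE = re.compile(
    r"^\s*File Mismatch:\s*(?P<path>.+?)\[(?P<ver>[\d.]+)\],"
    r"\s*Hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]{1,8})\s*$")
TAMPERED_RE = re.compile(r"^\s*Tampered File:\s*(?P<entry>\S.*?)\s*$")

# Excerpt of the MGADiag report posted in this thread (lines copied, not all of them).
SAMPLE_REPORT = r"""
File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
"""


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and code."""
    facility = (value >> 16) & 0x7FF
    return {
        "failed": bool((value >> 31) & 1),
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,
        "name": KNOWN_HRESULTS.get(value, f"0x{value:08X}"),
    }


def parse_report(text):
    """Return (mismatches, tampered_basenames) from MGADiag report text."""
    mismatches, tampered = [], set()
    for line in text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            hr = int(m.group("hr"), 16)
            mismatches.append({
                "path": m.group("path"),
                "file": ntpath.basename(m.group("path")).lower(),
                "version": m.group("ver"),
                "hresult": decode_hresult(hr),
            })
            continue
        t = TAMPERED_RE.match(line)
        if t:
            # "a.dll|a.dll.mui|COM Registration": the first field is the file path,
            # the rest are related resources flagged together with it.
            first = t.group("entry").split("|")[0]
            tampered.add(ntpath.basename(first).lower())
    return mismatches, tampered


def triage(text):
    """Group mismatches by failure type and find files only the file scan flags."""
    mismatches, tampered = parse_report(text)
    return {
        "by_hresult": dict(Counter(m["hresult"]["name"] for m in mismatches)),
        "not_in_wat_list": [m["file"] for m in mismatches
                            if m["file"] not in tampered],
        "total": len(mismatches),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, count in result["by_hresult"].items():
        print(f"{count:2d} x {name}")
    print("flagged by file scan only:", ", ".join(result["not_in_wat_list"]))
```

The HRESULT only says how the verification failed, not why: the report alone does not distinguish modified files from a broken signature-verification setup on the machine.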
  • I've installed the latest Intel Rapid Storage Drivers.

    Here's the new report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>
     

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: There is no script engine for file extension ".vbs".

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ALASKA        A M I
      FACP            ALASKA        A M I
      HPET            ALASKA        A M I
      MCFG            ALASKA        A M I
      SSDT            AMICPU        PROC
      AAFT            ALASKA        OEMAAFT

    Sunday, May 6, 2012 9:12 PM
  • "geverl" wrote in message news:77bcc919-c2d9-42d8-be36-82717a4b21c9...

    I've installed the latest Intel Rapid Storage Drivers.

    Here's the new report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048




    Licensing Data-->
    Input Error: There is no script engine for file extension ".vbs".

     
    OK -  that seems to have failed for some reason - but that may be because of the other problem, so we'll work on that.
     

    Open an elevated Command Prompt window. To do so, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Type the following command in the Command Prompt window, and press {ENTER}:

    regsvr32 %systemroot%\system32\vbscript.dll

    You should see the following message:

    DllRegisterServer in vbscript.dll succeeded.

    Now see if the problem persists.

    Also, see the following article (slightly different error message, but still relevant)

    CScript Error- Can't find script engine VBScript -alternate solution


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, May 6, 2012 9:40 PM
    Moderator
  • regsvr32 %systemroot%\system32\vbscript.dll reported success, but the MGADiag report was still the same.

    The alternative approach from the article fails with the following error message: "Cannot import ... regfix.reg: Not all data was successfully written to the registry. Some keys are open by the system or other process."

    I have rebooted and tried the regfix again, with the same result.

    Here is the latest MGADiag report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: There is no script engine for file extension ".vbs".

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   AMICPU  PROC
      AAFT   ALASKA  OEMAAFT

    Monday, May 7, 2012 4:36 AM
  • "geverl" wrote in message news:bfc67cc9-e44a-4284-a46a-6069a45e801e...

    regsvr32 %systemroot%\system32\vbscript.dll reported success, but the MGADiag report was still the same.

    The alternative approach from the article fails with the following error message: "Cannot import ... regfix.reg: Not all data was successfully written to the registry. Some keys are open by the system or other process."

    I have rebooted and tried the regfix again, with the same result.

    Here is the latest MGADiag report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: There is no script engine for file extension ".vbs".

     
     
    This sounds as if your anti-virus or other security software is blocking access, rather than anything else.
    Please list ALL current security/anti-malware software installed - and ALL previous Anti-viruses installed and removed since the time the machine was last formatted.
     
    Please also run the following command and post the results.
    REG QUERY HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 8:12 AM
    Moderator
  • I have used Microsoft Security Essentials since installation in Feb 2011.

    I briefly installed (and completely removed) Avira Free Antivirus (https://www.avira.com/en/downloads) about a year ago.

    The only AV installed/running is MSE and I have not installed any other security software apart from the standard Windows 7 firewall.

    Here's the result from the command:

    HKEY_CLASSES_ROOT\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        (Default)    REG_SZ    C:\Windows\system32\vbscript.dll
        ThreadingModel    REG_SZ    Both

    Monday, May 7, 2012 10:22 AM
  • Did you run the Avira removal tool when you uninstalled it?

    https://www.avira.com/en/download/product/avira-registrycleaner 

    Not doing so can leave stuff behind which can cause unforeseen problems later.

    The query response looks normal.

    please run the following commands and post the results...

    REG QUERY HKLM\SOFTWARE\Classes\VBScript /S

    REG QUERY HKLM\SOFTWARE\Classes\.vbs /S

    REG QUERY HKLM\SOFTWARE\Classes\VBSFile /S

    Here are some instructions to make life easier :)
    1) To open an Elevated Command Prompt Window (the CP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, May 7, 2012 10:51 AM
    Moderator
  • I've now run the avira-registrycleaner and removed 3 keys

    Results of

    command1:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript
        (Default)    REG_SZ    VB Script Language

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\CLSID
        (Default)    REG_SZ    {B54F3741-5B07-11cf-A4B0-00AA004A55E8}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\OLEScript
        (Default)    REG_NONE

    command2:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs
        (Default)    REG_SZ    bfvbsfile
        Content Type    REG_SZ    application/x-vbscript

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler
        (Default)    REG_SZ    {5e941d80-bf96-11cd-b579-08002b30bfeb}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\ScriptEngine
        (Default)    REG_SZ    VBScript

    command3:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile
        FriendlyTypeName    REG_EXPAND_SZ    @%SystemRoot%\System32\wshext.dll,-4802

        (Default)    REG_SZ    VBScript Script File

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon
        (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\WScript.exe,2

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine
        (Default)    REG_SZ    VBScript

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode
        (Default)    REG_SZ    {85131631-480C-11D2-B1F9-00C04F86C324}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell
        (Default)    REG_SZ    Open

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command
        (Default)    REG_EXPAND_SZ    "%SystemRoot%\System32\Notepad.exe" %1

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
        (Default)    REG_EXPAND_SZ    "%SystemRoot%\System32\WScript.exe" "%1" %*

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2
        (Default)    REG_EXPAND_SZ    Open &with Command Prompt
        MUIVerb    REG_EXPAND_SZ    @%SystemRoot%\System32\wshext.dll,-4511

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command
        (Default)    REG_EXPAND_SZ    "%SystemRoot%\System32\CScript.exe" "%1" %*

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command
        (Default)    REG_EXPAND_SZ    "%SystemRoot%\System32\Notepad.exe" /p %1

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ShellEx

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\DropHandler
        (Default)    REG_SZ    {60254CA5-953B-11CF-8C96-00AA00B8708C}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers\WSHProps
        (Default)    REG_SZ    {60254CA5-953B-11CF-8C96-00AA00B8708C}

    Monday, May 7, 2012 11:08 AM
  • "geverl" wrote in message news:b3f0f5b8-4c90-42d8-951a-cdb7a7ce811f...

    I've now run the avira-registrycleaner and removed 3 keys

    command2:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs
        (Default)    REG_SZ    bfvbsfile
        Content Type    REG_SZ    application/x-vbscript

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler
        (Default)    REG_SZ    {5e941d80-bf96-11cd-b579-08002b30bfeb}

     
     
    Gotcha!
    Please run the following commands (you MUST be in an Elevated Command Prompt window for this)
     
    REG DELETE HKLM\SOFTWARE\Classes\.vbs /va /f
    REG ADD HKLM\SOFTWARE\Classes\.vbs /ve /t REG_SZ  /d VBSfile
    REG ADD HKLM\SOFTWARE\Classes\.vbs\PersistentHandler /t REG_SZ /d {5e941d80-bf96-11cd-b579-08002b30bfeb}
     
     
    then reboot and run another MGADiag report.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 11:50 AM
    Moderator
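The check that exposed the broken `.vbs` association above, as an added example that is not part of the original thread: it parses `REG QUERY ... /S` text and walks extension -> ProgID -> ScriptEngine -> engine CLSID. The lookup chain is an assumption about how Windows Script Host resolves an engine, the function names are hypothetical, and the sample text is constructed from the output posted in this thread.

```python
import re

CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"
# A value line looks like: "    <name>    <REG_TYPE>    <data>" (data may be absent).
VALUE_RE = re.compile(r"^\s*(.+?)\s{4}(REG_[A-Z_0-9]+)(?:\s{4}(.*))?$")


def parse_reg_query(text):
    """Parse REG QUERY /S output into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip().upper().startswith("HKEY_"):
            # Registry key names are case-insensitive, so normalise them.
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = (m.group(3) or "").strip()
    return keys


def check_script_association(keys, ext=".vbs"):
    """Return (ok, findings) for the ext -> ProgID -> ScriptEngine -> CLSID chain."""
    def path(sub):
        return (CLASSES + "\\" + sub).lower()

    def default(sub):
        return keys.get(path(sub), {}).get("(Default)", "")

    progid = default(ext)
    if not progid:
        return False, [f"{ext} has no (Default) ProgID"]
    findings = []
    registered = path(progid) in keys
    if not registered:
        findings.append(f"{ext} points at ProgID '{progid}', which is not a registered class")
    engine = default(progid + r"\ScriptEngine")
    if not engine:
        findings.append(f"ProgID '{progid}' names no ScriptEngine for {ext}")
    elif not default(engine + r"\CLSID"):
        findings.append(f"engine '{engine}' has no CLSID registered")
    if registered and not default(progid + r"\Shell\Open\Command"):
        findings.append(f"ProgID '{progid}' has no Shell\\Open\\Command")
    return not findings, findings


# Constructed sample: trimmed from the REG QUERY results posted in the thread.
BEFORE_FIX = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript
    (Default)    REG_SZ    VB Script Language

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBScript\CLSID
    (Default)    REG_SZ    {B54F3741-5B07-11cf-A4B0-00AA004A55E8}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs
    (Default)    REG_SZ    bfvbsfile
    Content Type    REG_SZ    application/x-vbscript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler
    (Default)    REG_SZ    {5e941d80-bf96-11cd-b579-08002b30bfeb}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile
    (Default)    REG_SZ    VBScript Script File

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\ScriptEngine
    (Default)    REG_SZ    VBScript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command
    (Default)    REG_EXPAND_SZ    "%SystemRoot%\System32\WScript.exe" "%1" %*
'''

# Constructed: the same tree with the (Default) value the REG ADD command writes.
AFTER_FIX = BEFORE_FIX.replace("bfvbsfile", "VBSfile")

if __name__ == "__main__":
    for label, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        ok, findings = check_script_association(parse_reg_query(text))
        print(label, "OK" if ok else "BROKEN")
        for finding in findings:
            print("  -", finding)
```

Feed it the combined output of the three `REG QUERY HKLM\SOFTWARE\Classes\... /S` commands; any finding means the extension no longer resolves to a working script engine.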
  • Here's the new report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-091-304679-03-1134-7600.0000-0292011
    Installation ID: 016803140126104100153456950972883076959551791614483724
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 7PJFF
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 07/05/2012 13:55:34

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   AMICPU  PROC
      AAFT   ALASKA  OEMAAFT

    Monday, May 7, 2012 11:58 AM
  • At least we seem to have fixed that problem! :)

    There still remains the problem of the file mismatches - we can try and solve them here if you like, but it is likely to take some considerable time and effort on both our parts. I'm happy to continue if you are.

    If you'd rather try elsewhere, I recommend that you contact WGA Support for assistance - I know that no-one else in these forums is likely to be able to solve the problem, and I've not seen a solution elsewhere.

    WGA Support can be found here-
    North America: http://support.microsoft.com/contactus/cu_sc_genadv_master?ws=support&ws=support#tab4

    Outside North America:
    http://support.microsoft.com/contactus/?ws=support#tab0

    Please let us know if (and how) MS manage to repair the problem without a repair install of the OS - it would be useful for future reference!


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, May 7, 2012 12:08 PM
    Moderator
  • I'd prefer to solve the remaining problems here if that's OK with you.
    Monday, May 7, 2012 12:10 PM
  • "geverl" wrote in message news:e779fda7-57f1-4997-9efc-09a8ad190b34...
    I'd prefer to solve the remaining problems here if that's OK with you.
     
    Good, goody ! :) - I've been hoping for a chance to have a really good look at this.
     
    Let's take a closer look at a few things, and try some of the more standard fixes first, just in case I've missed a clue along the way.
     
    please run the following commands and post the results
     
    NET START CRYPTSVC
    SC QC CRYPTSVC
    ICACLS C:\Windows\slcext.* /T
    DIR C:\Windows\slcext.* /s
     
    (see my earlier post for details of the easy way to post the results!)
     
    Once that's done please run the standard disk checks - CHKDSK C: /R and SFC /SCANNOW in that order - from an elevated command prompt. Please upload (a copy of) the CBS.log file to your public SkyDrive and post the link in another response.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 1:03 PM
    Moderator
  • Results for

    command1:

    The requested service has already been started

    command2:

    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: CRYPTSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Cryptographic Services
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : NT Authority\NetworkService

    command 3:

    C:\Windows\System32\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\System32\en-US\slcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                             BUILTIN\Users:(RX)
                                             BUILTIN\Administrators:(F)
                                             NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Application Data\slcext.*
    : Access is denied.
    Successfully processed 3 files; Failed processing 1 files

    command 4:

     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\System32

    14/07/2009  03:41            18 432 slcext.dll
                   1 File(s)         18 432 bytes

     Directory of C:\Windows\System32\en-US

    14/07/2009  04:25            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\Windows\SysWOW64

    14/07/2009  03:16            16 384 slcext.dll
                   1 File(s)         16 384 bytes

     Directory of C:\Windows\SysWOW64\en-US

    14/07/2009  04:03            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\Windows\winsxs\amd64_microsoft-windows-s..clientext.resources_3
    1bf3856ad364e35_6.1.7600.16385_en-us_c2382769078e1059

    14/07/2009  04:25            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\Windows\winsxs\amd64_microsoft-windows-security-spp-clientext_3
    1bf3856ad364e35_6.1.7600.16385_none_28bbe77bcacffbe4

    14/07/2009  03:41            18 432 slcext.dll
                   1 File(s)         18 432 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-s..clientext.resources_31b
    f3856ad364e35_6.1.7600.16385_en-us_66198be54f309f23

    14/07/2009  04:03            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-security-spp-clientext_31b
    f3856ad364e35_6.1.7600.16385_none_cc9d4bf812728aae

    14/07/2009  03:16            16 384 slcext.dll
                   1 File(s)         16 384 bytes

         Total Files Listed:
                   8 File(s)        139 264 bytes
                   0 Dir(s)  109 333 803 008 bytes free

    Monday, May 7, 2012 1:11 PM
  • "geverl" wrote in message news:e5dc047b-ecd4-4f22-8a47-b79bce40d3c3...

    Results for

     

    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Application Data\slcext.*
    : Access is denied.
    Successfully processed 3 files; Failed processing 1 files

     

     
     
    All those results look normal, except for the one above - and that may simply be because you're in a Domain??
    The systemprofile folder doesn't normally have any 'Application Data' subfolder anywhere, in a workgroup system; and it doesn't contain a mirror of the slcext file anyhow (that I can see, at least)
     
    Please run the following commands - post the results
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local /S
    REG QUERY HKU
    REG QUERY HKU\S-1-5-20
    REG QUERY HKU\S-1-5-20\Environment
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20"
    ICACLS C:\Windows\ServiceProfiles\NetworkService
    ICACLS C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
     
    Are you on a Domain-based installation or a normal independent Workgroup one?
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 1:44 PM
    Moderator
  • The chkdsk took ages ...

    Here's the output from SFC: https://skydrive.live.com/redir.aspx?cid=6c118079344ae475&resid=6C118079344AE475!122&parid=6C118079344AE475!116

    I'm on a normal independent workgroup PC.

    Outputs from

    command 1:

     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local

    11/07/2011  01:16    <DIR>          .
    11/07/2011  01:16    <DIR>          ..
    21/04/2012  12:43    <DIR>          Google
    03/05/2011  06:57    <DIR>          Microsoft
    03/05/2011  06:57    <DIR>          Programs
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google

    21/04/2012  12:43    <DIR>          .
    21/04/2012  12:43    <DIR>          ..
    02/02/2012  07:32    <DIR>          CrashReports
    21/04/2012  12:43    <DIR>          Custom Buttons
    11/07/2011  01:16    <DIR>          GBScreensaver
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google\CrashReports

    02/02/2012  07:32    <DIR>          .
    02/02/2012  07:32    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google\Custom Buttons

    21/04/2012  12:43    <DIR>          .
    21/04/2012  12:43    <DIR>          ..
    10/01/2012  03:43             1 946 toolbar.google.com_MXE8GT6B9RBHXCGLZ06L.xml
                   1 File(s)          1 946 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google\GBScreensaver

    11/07/2011  01:16    <DIR>          .
    11/07/2011  01:16    <DIR>          ..
    11/07/2011  01:16                 0 network.log
                   1 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    01/02/2011  14:52    <DIR>          OFFICE
    03/05/2011  06:57    <DIR>          Windows
    03/05/2011  06:57    <DIR>          Windows Photo Gallery
    03/05/2011  06:57    <DIR>          Windows Sidebar
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OFFICE

    01/02/2011  14:52    <DIR>          .
    01/02/2011  14:52    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    03/05/2011  06:57    <DIR>          Burn
    14/07/2009  06:54    <DIR>          Caches
    03/05/2011  06:57    <DIR>          GameExplorer
    03/05/2011  06:57    <DIR>          Ringtones
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Burn

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    03/05/2011  14:30    <DIR>          Burn
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Burn\Burn

    03/05/2011  14:30    <DIR>          .
    03/05/2011  14:30    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches

    14/07/2009  06:54    <DIR>          .
    14/07/2009  06:54    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\GameExplorer

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Ringtones

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Photo Gallery

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    03/05/2011  06:57    <DIR>          Original Images
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Photo Gallery\Original Images

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Sidebar

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    03/05/2011  14:30    <DIR>          Gadgets
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Sidebar\Gadgets

    03/05/2011  14:30    <DIR>          .
    03/05/2011  14:30    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Programs

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    03/05/2011  06:57    <DIR>          Common
                   0 File(s)              0 bytes

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Programs\Common

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
                   0 File(s)              0 bytes

         Total Files Listed:
                   2 File(s)          1 946 bytes
                  56 Dir(s)  109 284 474 880 bytes free

    command 2:

    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-20
    HKEY_USERS\S-1-5-21-2099548595-4161321057-3812494868-1000
    HKEY_USERS\S-1-5-21-2099548595-4161321057-3812494868-1000_Classes
    HKEY_USERS\S-1-5-18

    command 3:

    HKEY_USERS\S-1-5-20\AppEvents
    HKEY_USERS\S-1-5-20\Console
    HKEY_USERS\S-1-5-20\Control Panel
    HKEY_USERS\S-1-5-20\Environment
    HKEY_USERS\S-1-5-20\EUDC
    HKEY_USERS\S-1-5-20\Keyboard Layout
    HKEY_USERS\S-1-5-20\Network
    HKEY_USERS\S-1-5-20\Printers
    HKEY_USERS\S-1-5-20\Software
    HKEY_USERS\S-1-5-20\System

    command 4:

    HKEY_USERS\S-1-5-20\Environment
        TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
        TMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp

    command 5:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-
    5-20
        ProfileImagePath    REG_EXPAND_SZ    C:\Windows\ServiceProfiles\NetworkServi
    ce
        Flags    REG_DWORD    0x0
        State    REG_DWORD    0x0

    command 6:

    C:\Windows\ServiceProfiles\NetworkService NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(
    F)
                                              BUILTIN\Administrators:(OI)(IO)(F)
                                              BUILTIN\Administrators:(CI)(F)
                                              NT AUTHORITY\SYSTEM:(OI)(IO)(F)
                                              NT AUTHORITY\SYSTEM:(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    command 7:

    C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT BUILTIN\Administrators:(F)
                                                         NT AUTHORITY\SYSTEM:(F)
                                                         NT AUTHORITY\NETWORK SERVIC
    E:(I)(F)

    Successfully processed 1 files; Failed processing 0 files

    Monday, May 7, 2012 2:46 PM
  • "geverl" wrote in message news:6e48d3af-400a-4dd9-95e4-3bd52b3f9a2e...

    The chkdsk took ages ...

    Here's the output from SFC: https://skydrive.live.com/redir.aspx?cid=6c118079344ae475&resid=6C118079344AE475!122&parid=6C118079344AE475!116

    I'm on a normal independent workgroup PC.

    Outputs from

     

     
     
    All the command-line output looks OK, as far as it goes - there were a couple of errors relating to Oracle .NET files which SFC managed to fix.
     
    We need one more piece of data from that area - the hidden/system files and folders - and a couple of bits from elsewhere
     
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local /S /as
    DIR "C:\Application Data" /s /as
    DIR C:\ /AL /S
     
    It may be a good idea to export to a text file and upload it, rather than post it here.
     
    There has to be (have been) something - probably in the registry - that's forced that Application Data folder.
    The trick is to find it.
    Please download RegScanner for x64 from http://www.nirsoft.net/utils/regscanner.html
    install it, and configure it to search only the HKLM hive.
    Do a search for 'Application Data' matching 'Registry item contains the specified string' (with all 'Look at' options ticked)
    Create an HTML report of all items found, and save it as an .mht file
    Upload the mht file to your SkyDrive.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 3:34 PM
    Moderator
  • The files are uploaded.
    Monday, May 7, 2012 3:50 PM
  • "geverl" wrote in message news:5c9c1793-262d-440e-8e24-bc9f071d444d...
    The files are uploaded.
     
    Ah - the Application Data folder is actually a Junction on your machine.
    03/05/2011  06:57    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
     
    This junction does not exist on my machines
     
    A number of other junctions were also created at the same time - which looks as if it was the time at which the OS was installed? and so is possibly an intended part of the installation (but I have no idea why!)
     
    This does seem very strange.
     
    The Registry report contains even less than I was expecting (you obviously don't have Office 2010 installed), and is clear of obvious errors.
     
     
    I need to do some research (and cook my dinner!) - back in a while.
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 4:18 PM
    Moderator
  • "Noel D Paton" wrote in message news:752358aa-dadb-483a-85cf-d36578d3906c...
     
     
    I need to do some research (and cook my dinner!) - back in a while.
     
     
     
    Thinking about the problem brings me back to the IRST drivers again. It may be that the driver installer was affected by the lack of vbs ability. I would suggest trying the installation again.
    Once installed, reboot, and run another MGADiag report - post the results.
    Please also look in the Event Viewer and see if there are any related errors either for the installation, or over the past 24 hours while we've been attempting to solve the problem.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 7:03 PM
    Moderator
  • I've uploaded the system event error log for the past 24 hrs.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-091-304679-03-1134-7600.0000-0292011
    Installation ID: 016803140126104100153456950972883076959551791614483724
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 7PJFF
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 07/05/2012 21:29:17

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   AMICPU  PROC
      AAFT   ALASKA  OEMAAFT

    Monday, May 7, 2012 7:34 PM
  • I've also uploaded a 24h log of all errors (Windows, applications and services)
    Monday, May 7, 2012 7:48 PM
  • "geverl" wrote in message news:d8e8ac03-ce23-4d54-ad0a-e628789e03b3...
    I've also uploaded a 24h log of all errors (Windows, applications and services)
     
     
    Interesting list - the one most relevant is probably the one referring to the Cryptographics database
    Please read the following article and see if you can apply it.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 7:51 PM
    Moderator
  • When I try  esentutl /p <%systemroot%>\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

    I get "access denied" despite running it from an elevated command prompt.

    Monday, May 7, 2012 7:55 PM
  • "geverl" wrote in message news:69e38323-8fd6-46a9-ae33-ae8e53e1b453...

    When I try  esentutl /p <%systemroot%>\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

    I get "access denied" despite running it from an elevated command prompt.

    That usually means that you've not properly stopped the service.
    try again - this time, once you've got the 'service stopped' message, type
    SC QUERYEX CRYPTSVC
    and check that the response  says 'stopped' for the State.
     
    If not, please post the result.
    otherwise, try the esentutl command again

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 8:00 PM
    Moderator
  • C:\Windows\system32>net stop cryptsvc
    The Cryptographic Services service is stopping..
    The Cryptographic Services service was stopped successfully.


    C:\Windows\system32>esentutl /p <%systemroot%>\System32\catroot2\{F750E6C3-38EE-
    11D1-85E5-00C04FC295EE}\catdb
    Access is denied.

    C:\Windows\system32>SC QUERYEX CRYPTSVC

    SERVICE_NAME: CRYPTSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :

    C:\Windows\system32>esentutl /p <%systemroot%>\System32\catroot2\{F750E6C3-38EE-
    11D1-85E5-00C04FC295EE}\catdb
    Access is denied.

    Monday, May 7, 2012 8:02 PM
  • "geverl" wrote in message news:4d7fce2f-33b5-4424-8e22-6e5785841230...

    C:\Windows\system32>net stop cryptsvc
    The Cryptographic Services service is stopping..
    The Cryptographic Services service was stopped successfully.


    C:\Windows\system32>esentutl /p <%systemroot%>\System32\catroot2\{F750E6C3-38EE-
    11D1-85E5-00C04FC295EE}\catdb
    Access is denied.

    C:\Windows\system32>SC QUERYEX CRYPTSVC

    SERVICE_NAME: CRYPTSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :

    C:\Windows\system32>esentutl /p <%systemroot%>\System32\catroot2\{F750E6C3-38EE-
    11D1-85E5-00C04FC295EE}\catdb
    Access is denied.

     
    Ah - I get the same response in my VM, despite Administrators having Full permissions
    I see what the problem is.....
    the command should be
    esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 8:13 PM
    Moderator
  • Unfortunately, Windows does not create a new catroot2 folder.


    C:\Windows\system32>net stop cryptsvc
    The Cryptographic Services service is stopping..
    The Cryptographic Services service was stopped successfully.


    C:\Windows\system32>esentutl /g %systemroot%\System32\catroot2\{F750E6C3-38EE-11
    D1-85E5-00C04FC295EE}\catdb

    Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
    Version 6.1
    Copyright (C) Microsoft Corporation. All Rights Reserved.

    Error: Access to source database 'C:\Windows\System32\catroot2\{F750E6C3-38EE-11
    D1-85E5-00C04FC295EE}\catdb' failed with Jet error -1811.

    Operation terminated with error -1811 (JET_errFileNotFound, File not found) afte
    r 0.0 seconds.


    • Edited by geverl Monday, May 7, 2012 8:27 PM
    Monday, May 7, 2012 8:26 PM
  • "geverl" wrote in message news:a36754f6-da7c-431b-a7a6-a1f82d622f81...

    Unfortunately, Windows does not create a new catroot2 folder.


    C:\Windows\system32>net stop cryptsvc
    The Cryptographic Services service is stopping..
    The Cryptographic Services service was stopped successfully.


    C:\Windows\system32>esentutl /g %systemroot%\System32\catroot2\{F750E6C3-38EE-11
    D1-85E5-00C04FC295EE}\catdb

    Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
    Version 6.1
    Copyright (C) Microsoft Corporation. All Rights Reserved.

    Error: Access to source database 'C:\Windows\System32\catroot2\{F750E6C3-38EE-11
    D1-85E5-00C04FC295EE}\catdb' failed with Jet error -1811.

    Operation terminated with error -1811 (JET_errFileNotFound, File not found) afte
    r 0.0 seconds.


     
     
    please run the following command
    ICACLS C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
     
    post the results
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 8:33 PM
    Moderator

  • C:\Windows\system32>ICACLS C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5
    -00C04FC295EE}\catdb
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: The s
    ystem cannot find the file specified.
    Successfully processed 0 files; Failed processing 1 files
    Monday, May 7, 2012 8:35 PM
  • "geverl" wrote in message news:dd63772d-6597-4b0a-a9e4-f07fdcba9de4...

    C:\Windows\system32>ICACLS C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5
    -00C04FC295EE}\catdb
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb: The s
    ystem cannot find the file specified.
    Successfully processed 0 files; Failed processing 1 files
     
     
    It may be simplest to just rename the entire catroot2 folder.
    To do that you will need to switch off the Windows Update client service as well, then rename the folder (do not delete it yet!) to catroot2.old (you can do that in Explorer)
    reboot
     
    - or does your first comment mean that you already tried that and the folder is not recreated on the reboot?
     

     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 8:59 PM
    Moderator
  • Yes, I tried that, but without a reboot, as that was not requested in the article.

    I've now stopped Windows Update, renamed the folder again to catroot2.old and rebooted, with the same result: Windows does not create a new catroot2 folder.


    • Edited by geverl Monday, May 7, 2012 9:06 PM
    Monday, May 7, 2012 9:06 PM
  • I can also not install the latest version of Windows Security Essentials, as it fails with error code 0x80070643.

    I'll get some sleep now, maybe we'll be luckier tomorrow.


    • Edited by geverl Monday, May 7, 2012 9:16 PM
    Monday, May 7, 2012 9:13 PM
  • "geverl" wrote in message news:76c5d821-2182-4bfc-8004-702d43933223...

    I can also not install the latest version of Windows Security Essentials, as it fails with error code 0x80070643.

    I'll get some sleep now, maybe we'll be luckier tomorrow.


     
     
    Try method 8 from the following article - I suspect that's the one most likely to work.
     
    (I agree - my eyes are turning square!)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 9:22 PM
    Moderator
  • According to method 8, my certificates should be fine.

    Some validation dates are slightly different, but that should not matter I guess.

    Monday, May 7, 2012 9:30 PM
  • "geverl" wrote in message news:9e7e1063-0cd9-428a-8b2d-79c7697fcde8...

    According to method 8, my certificates should be fine.

    Some validation dates are slightly different, but that should not matter I guess.

    Hmm - I just did the renaming operation on my VM, and it took a couple of minutes before the catroot2 folder re-appeared, and then a couple more minutes before it had finished rebuilding the database.
     
    please run the following commands -
     
    ICACLS C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    ICACLS C:\Windows\System32\catroot2
    ICACLS C:\Windows\System32
     
    post the results.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 9:54 PM
    Moderator
  • please run the following commands -
     
    ICACLS C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    ICACLS C:\Windows\System32\catroot2
    ICACLS C:\Windows\System32
     
    post the results.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
    Please also run RegScanner again, and set the search for
    Find String: bf    (tick case sensitive)
    Look at :  Data  (untick all other options)
    tick 'Scan the following base Keys'
    Highlight only 'HKEY_LOCAL_MACHINE'
     
    run the search, then order by the 'Data' column
    Highlight ALL entries where the Data entry starts with
    'bf'   (without the quotes!)
    and  do an HTML export of Selected items - save as mht, and upload to your SkyDrive.
     
    This may be residues of a virus/malware infestation - I'm hoping that if it is, it follows the same format as your other problem with the vbs association.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 7, 2012 10:29 PM
    Moderator
  • You are right, catroot2 has indeed been created:


    C:\Windows\system32>ICACLS C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5
    -00C04FC295EE}
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} NT SERVICE\C
    ryptSvc:(OI)(CI)(F)
                                                                        NT SERVICE\T
    rustedInstaller:(F)
                                                                        NT SERVICE\T
    rustedInstaller:(I)(CI)(IO)(F)
                                                                        NT AUTHORITY
    \SYSTEM:(F)
                                                                        NT AUTHORITY
    \SYSTEM:(I)(OI)(CI)(IO)(F)
                                                                        BUILTIN\Admi
    nistrators:(F)
                                                                        BUILTIN\Admi
    nistrators:(I)(OI)(CI)(IO)(F)
                                                                        BUILTIN\User
    s:(RX)
                                                                        BUILTIN\User
    s:(I)(OI)(CI)(IO)(GR,GE)
                                                                        NT AUTHORITY
    \NETWORK SERVICE:(F)
                                                                        CREATOR OWNE
    R:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32\catroot2
    C:\Windows\System32\catroot2 NT SERVICE\CryptSvc:(OI)(CI)(F)
                                 NT SERVICE\TrustedInstaller:(I)(F)
                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(RX)
                                 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32
    C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                        NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                        NT AUTHORITY\SYSTEM:(M)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                        BUILTIN\Administrators:(M)
                        BUILTIN\Administrators:(OI)(CI)(IO)(F)
                        BUILTIN\Users:(RX)
                        BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                        CREATOR OWNER:(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    The registry scan results are uploaded.

    Tuesday, May 8, 2012 4:27 AM
  • "geverl" wrote in message news:29c61a2e-a60e-4e63-bcf2-6d39f4c2de2f...

    You are right, catroot2 has indeed been created:

     

    The registry scan results are uploaded.

    The registry results are interesting!
    affected filetypes are
    .asp ASP
    .css
    .js
     
    These problems seem to be related to a piece of software that uses 'bflang2' and 'bfproject' extensions (BlueFish??), which may have been installed on 17 March - although the affected filetypes were only modified on 2nd May.
    The fact that all these filetypes are internet-related immediately makes me very suspicious of malware brought in from a website somewhere (although it's also possible that they are there as part of a piece of security software)
    Please download and install Malwarebytes Anti-malware www.malwarebytes.org and update it, and run a full scan (DO NOT enable the Real-Time protection option!) in your main account, and Quick scans in any other user accounts.
    Delete everything it finds
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, May 8, 2012 7:47 AM
    Moderator
  • 7 files were found and removed (cf. uploaded log).

    Tuesday, May 8, 2012 9:25 AM
  • "geverl" wrote in message news:0018ad84-f8da-4ca5-8d60-d3c21c8ec6f7...

    7 files were found and removed (cf. uploaded log).

    According to the log, you didn't remove them - you can delete most of them manually, except possibly the first (which is probably the one most worth removing).
    I see that there were no registry entries found - which surprises me a little.
    please run the following commands and upload the results.

    REG QUERY HKLM\SOFTWARE\Classes\.asp /s

    REG QUERY HKLM\SOFTWARE\Classes\.css /S

    REG QUERY HKLM\SOFTWARE\Classes\.js /S

    I have to go out for most of the day now - back later.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, May 8, 2012 10:12 AM
    Moderator
  • I saved the log before launching the removal, which required a reboot.

    REG QUERY gives me an "invalid syntax" error.

    Tuesday, May 8, 2012 10:17 AM
  • It certainly shouldn't do so - especially as almost identical queries have worked in the past.

    Can you look for the entries in Regedit, and check that they exist?


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Tuesday, May 8, 2012 10:26 AM
    Moderator
  • C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.asp /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp
        (Default)    REG_SZ    bfaspfile
        Content Type    REG_SZ    text/x-asp

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp\PersistentHandler
        (Default)    REG_SZ    {eec97550-47a9-11cf-b952-00aa0051fe20}


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.css /S

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css
        PerceivedType    REG_SZ    text
        (Default)    REG_SZ    bfcssfile
        Content Type    REG_SZ    text/css

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css\PersistentHandler
        (Default)    REG_SZ    {eec97550-47a9-11cf-b952-00aa0051fe20}


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.js /S

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js
        (Default)    REG_SZ    bfjsfile
        Content Type    REG_SZ    application/javascript

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\OpenWithList

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\PersistentHandler
        (Default)    REG_SZ    {5e941d80-bf96-11cd-b579-08002b30bfeb}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\ScriptEngine
        (Default)    REG_SZ    JScript

    Tuesday, May 8, 2012 10:28 AM
  • "geverl" wrote in message news:c1a66c06-63a3-485f-afde-70dcc78c1afa...

    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.asp /s

     

    Interesting results - I need to think on them, but I don't believe that these are the cause of the problem (but I will craft a repair anyhow, just in case)
     
    I'll be back later.  Time for an early night for a change, I think!
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Tuesday, May 8, 2012 6:23 PM
    Moderator
  • I don't know whether that's of any use, but I've uploaded a screen shot of the latest Windows Update actions.

    Wednesday, May 9, 2012 6:33 AM
  • "geverl" wrote in message news:1ddf479b-c1a0-44f5-92f3-8ad0e27854aa...

    I don't know whether that's of any use, but I've uploaded a screen shot of the latest Windows Update actions.

     
     
    Ouch - that looks painful! However, I'm not too surprised by it - recommended updates will always fail in a 'non-genuine' system, and if your problem extends further than the WGA/WAT system (as it may if you have multiple problems resulting from  malware), then it may be affecting WU as well.
     
    Do you have BlueFish installed at all? - this will almost certainly break it, if so
     
    please run the following commands, then reboot, and post a new MGADiag report.
     
    REG DELETE HKLM\SOFTWARE\Classes\.asp /va /f
    REG ADD HKLM\SOFTWARE\Classes\.asp /ve /t REG_SZ /d aspfile
    REG ADD HKLM\SOFTWARE\Classes\.asp\PersistentHandler /t REG_SZ /d {eec97550-47a9-11cf-b952-00aa0051fe20}
    REG DELETE HKLM\SOFTWARE\Classes\.css /va /f
    REG ADD HKLM\SOFTWARE\Classes\.css /ve /t REG_SZ /d CSSfile
    REG ADD HKLM\SOFTWARE\Classes\.css /v "Content type" /t REG_SZ /d text/css
    REG ADD HKLM\SOFTWARE\Classes\.css /v PerceivedType /t REG_SZ /d text
    REG ADD HKLM\SOFTWARE\Classes\.css\PersistentHandler /t REG_SZ /d {eec97550-47a9-11cf-b952-00aa0051fe20}
    REG DELETE HKLM\SOFTWARE\Classes\.js /va /f
    REG ADD HKLM\SOFTWARE\Classes\.js /ve /t REG_SZ /d JSFile
    REG ADD HKLM\SOFTWARE\Classes\.js\PersistentHandler /t REG_SZ /d {5e941d80-bf96-11cd-b579-08002b30bfeb}
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 9:38 AM
    Moderator
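Added example, not part of the thread: a way to review captured `REG QUERY ... /s` output offline and list the extensions whose default ProgID differs from a baseline. The baseline here is an assumption taken from the values the repair commands above write back (`aspfile`, `CSSfile`, `JSFile`); the function names are hypothetical, and the sample text is copied from the REG QUERY results posted earlier in the thread.

```python
import re

CLASSES_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"

# Assumed baseline: the ProgIDs written by the repair commands in the thread.
BASELINE = {".asp": "aspfile", ".css": "CSSfile", ".js": "JSFile"}

# REG QUERY prints values as: <name><4 spaces><type><4 spaces><data>.
# Value names may contain single spaces ("Content Type"); data may be empty.
VALUE_RE = re.compile(
    r"^(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+)(?: {4}(?P<data>.*))?$"
)

# Sample input: REG QUERY output as posted in the thread, prompt lines included.
CAPTURED = r"""
C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.asp /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp
    (Default)    REG_SZ    bfaspfile
    Content Type    REG_SZ    text/x-asp

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp\PersistentHandler
    (Default)    REG_SZ    {eec97550-47a9-11cf-b952-00aa0051fe20}

C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.css /S

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css
    PerceivedType    REG_SZ    text
    (Default)    REG_SZ    bfcssfile
    Content Type    REG_SZ    text/css

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css\PersistentHandler
    (Default)    REG_SZ    {eec97550-47a9-11cf-b952-00aa0051fe20}

C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.js /S

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js
    (Default)    REG_SZ    bfjsfile
    Content Type    REG_SZ    application/javascript

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\OpenWithList

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\PersistentHandler
    (Default)    REG_SZ    {5e941d80-bf96-11cd-b579-08002b30bfeb}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\ScriptEngine
    (Default)    REG_SZ    JScript
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from REG QUERY output."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            # A key header; keys without values (e.g. OpenWithList) stay empty.
            current = keys.setdefault(line, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            current[match.group("name")] = (
                match.group("type"),
                match.group("data") or "",
            )
        # Anything else (command prompts, status lines) is ignored.
    return keys


def audit_associations(keys, baseline=BASELINE, root=CLASSES_ROOT):
    """List (extension, found ProgID, expected ProgID) for every mismatch."""
    findings = []
    prefix = root.lower() + "\\"
    for key, values in keys.items():
        lowered = key.lower()
        if not lowered.startswith(prefix):
            continue
        ext = lowered[len(prefix):]
        if "\\" in ext or not ext.startswith("."):
            continue  # a subkey such as PersistentHandler, not the extension
        progid = values.get("(Default)", ("", ""))[1]
        expected = baseline.get(ext)
        # Registry data is compared case-insensitively, as ProgID lookup is.
        if expected is not None and progid.lower() != expected.lower():
            findings.append((ext, progid, expected))
    return findings


if __name__ == "__main__":
    for ext, found, expected in audit_associations(parse_reg_query(CAPTURED)):
        print(f"{ext}: default ProgID is {found!r}, baseline is {expected!r}")
```

Running the same check on output captured after the repair should return an empty list; subkey values such as the PersistentHandler GUIDs are parsed but deliberately not compared.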
  • Do you mean http://bluefish.openoffice.nl/index.html, which I tried out some time ago and then removed it?

    Here's the latest MGADiag report (after successful execution of the commands and reboot):

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-091-304679-03-1134-7600.0000-0292011
    Installation ID: 016803140126104100153456950972883076959551791614483724
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 7PJFF
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 09/05/2012 11:49:38

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   AMICPU  PROC
      AAFT   ALASKA  OEMAAFT

    Wednesday, May 9, 2012 9:52 AM
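Added example, not part of the thread and not any participant's code: Python that groups the report's File Mismatch entries by HRESULT and lists the files the file scan flags but the WAT "Tampered File" list does not. The function names are illustrative, the HRESULT names are from winerror.h, and the sample lines are copied from the report above.

```python
import ntpath
import re
from collections import defaultdict

# HRESULT names from winerror.h for the codes that appear in this thread.
KNOWN_HRESULTS = {
    0x80092003: "CRYPT_E_FILE_ERROR",    # error reading or writing a file
    0x800B0100: "TRUST_E_NOSIGNATURE",   # no signature present in the subject
    0x80070002: "ERROR_FILE_NOT_FOUND",  # Win32 error 2 wrapped as an HRESULT
}
FACILITIES = {7: "FACILITY_WIN32", 9: "FACILITY_SSPI", 11: "FACILITY_CERT"}

# Lines copied from the File Scan and WAT sections of the report above.
REPORT_EXCERPT = r"""
File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys
"""

MISMATCH_RE = re.compile(
    r"^\s*File Mismatch:\s*(?P<path>.+?)\[(?P<ver>[^\]]*)\],"
    r"\s*Hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]+)\s*$")
TAMPERED_RE = re.compile(r"^\s*Tampered File:\s*(?P<entry>\S.*?)\s*$")


def decode_hresult(hr):
    """Split a 32-bit HRESULT into severity, facility and code."""
    facility = (hr >> 16) & 0x7FF
    return {
        "failed": bool(hr & 0x80000000),
        "facility": FACILITIES.get(facility, "facility %d" % facility),
        "code": hr & 0xFFFF,
        "name": KNOWN_HRESULTS.get(hr, "0x%08X" % hr),
    }


def normalize(path, systemroot=r"C:\Windows"):
    """Make File Scan and Tampered File entries comparable."""
    path = path.split("|")[0].strip()  # drop '|x.dll.mui|COM Registration' parts
    path = re.sub("%systemroot%", lambda _m: systemroot, path, flags=re.I)
    return path.lower()


def parse_report(text):
    """Return ({normalized path: HRESULT}, {normalized tampered paths})."""
    mismatches, tampered = {}, set()
    for line in text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            mismatches[normalize(m.group("path"))] = int(m.group("hr"), 16)
            continue
        m = TAMPERED_RE.match(line)
        if m:
            tampered.add(normalize(m.group("entry")))
    return mismatches, tampered


def summarize(text):
    """Group mismatched files by HRESULT name and find scan-only entries."""
    mismatches, tampered = parse_report(text)
    by_hresult = defaultdict(list)
    for path, hr in mismatches.items():
        by_hresult[decode_hresult(hr)["name"]].append(ntpath.basename(path))
    return {
        "by_hresult": dict(by_hresult),
        "scan_only": sorted(p for p in mismatches if p not in tampered),
    }


if __name__ == "__main__":
    result = summarize(REPORT_EXCERPT)
    for name, files in result["by_hresult"].items():
        print(name, files)
    print("flagged by file scan only:", result["scan_only"])
```

Feeding it a complete MGADiag report instead of the excerpt gives the same grouping for every flagged file.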
  • "geverl" wrote in message news:e60e65bd-62ce-4a91-b533-87a560b4c5b0...

    Do you mean http://bluefish.openoffice.nl/index.html, which I tried out some time ago and then removed it?

    Here's the latest MGADiag report (after successful execution of the commands and reboot):

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-7PJFF
    Windows Product Key Hash: 9KppSy2RUX/a2DCWY1zpDBdVk0M=
    Windows Product ID: 55041-091-3046796-86542
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048

     
     
    Yep - that's the one.
    It looks like the uninstall didn't work very well :(
    In that case, we'll also remove the other references we've already found.
    (there's no change in the report yet, as you've probably noticed)
     
    REG QUERY HKLM\SOFTWARE\Classes\.bflang2 /s
    REG QUERY HKLM\SOFTWARE\Classes\.bfproject /s
    REG DELETE HKLM\SOFTWARE\Classes\.bflang2
    REG DELETE HKLM\SOFTWARE\Classes\.bfproject
     
    please post the results - this will allow us to track down other residuals (and act as backup in case of need <g>)
    also, please run RegScanner, with the following searches
    In all cases, use the following settings
    Matching: Registry item contains the specified string
    Look at: (tick all)
    Scan the following base keys: HKEY_LOCAL_MACHINE
     
    the search items are
    bfvbsfile
    bfaspfile
    bfcssfile
    bfjsfile
    bfproject
    bflang2
     
    save the output (if any) and upload to your Skydrive
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 10:10 AM
    Moderator
  • C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.bflang2 /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bflang2
        Content Type    REG_SZ    application/x-bluefish-language2
        (Default)    REG_SZ    bflang2file


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.bfproject /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfproject
        Content Type    REG_SZ    application/x-bluefish-project
        (Default)    REG_SZ    bfprojectfile


    C:\Windows\system32>REG DELETE HKLM\SOFTWARE\Classes\.bflang2
    Permanently delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bflang2
     (Yes/No)? y
    The operation completed successfully.

    C:\Windows\system32>REG DELETE HKLM\SOFTWARE\Classes\.bfproject
    Permanently delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfproje
    ct (Yes/No)? y
    The operation completed successfully.

    The reg scan results are uploaded (RegScan.txt).

    Wednesday, May 9, 2012 10:21 AM
  • "geverl" wrote in message news:a6c7129e-3f47-44bb-90bf-916a704836ce...

    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.bflang2 /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bflang2
        Content Type    REG_SZ    application/x-bluefish-language2
        (Default)    REG_SZ    bflang2file


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.bfproject /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfproject
        Content Type    REG_SZ    application/x-bluefish-project
        (Default)    REG_SZ    bfprojectfile


    C:\Windows\system32>REG DELETE HKLM\SOFTWARE\Classes\.bflang2
    Permanently delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bflang2
    (Yes/No)? y
    The operation completed successfully.

    C:\Windows\system32>REG DELETE HKLM\SOFTWARE\Classes\.bfproject
    Permanently delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfproje
    ct (Yes/No)? y
    The operation completed successfully.

    The reg scan results are uploaded (RegScan.txt).

    OK - I don't really want to go any further down this route at the moment, as the essential problem appears not to be related (it sounds as if you have sufficient skills to do the rest yourself anyhow - but leave it until we've sorted the WGA problem, please!)
     
    FWIW, I just installed BlueFish on my VM, and although I did get these two entries, I did not get the changes in the other Classes we've seen here.
    This would imply that the changes were made by something else, either in or with, BlueFish - possibly an optional component. Did you install any such thing?
     
    I'm going to play a bit, and see if there's anything smacks me in the face - back later.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 10:45 AM
    Moderator
  • "geverl" wrote in message news:a6c7129e-3f47-44bb-90bf-916a704836ce...

    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.bflang2 /s

     

    The reg scan results are uploaded (RegScan.txt).

    While I think of it - let's make sure that the changes went as planned....
    please run
     
    REG QUERY HKLM\SOFTWARE\Classes\.asp /s
    REG QUERY HKLM\SOFTWARE\Classes\.vbs /s
    REG QUERY HKLM\SOFTWARE\Classes\.css /s
    REG QUERY HKLM\SOFTWARE\Classes\.js /s
     
    post the results.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 10:54 AM
    Moderator
  • I can't say for sure, but think I just did a normal install of Bluefish.

    Here are the results:

    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.asp /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp
        (Default)    REG_SZ    aspfile

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp\PersistentHandler
        (Default)    REG_SZ    {eec97550-47a9-11cf-b952-00aa0051fe20}


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.vbs /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs
        (Default)    REG_SZ    VBSfile

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\PersistentHandler
        (Default)    REG_SZ    {5e941d80-bf96-11cd-b579-08002b30bfeb}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs\ScriptEngine
        (Default)    REG_SZ    VBScript


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.css /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css
        (Default)    REG_SZ    CSSfile
        Content type    REG_SZ    text/css
        Perceived Type    REG_SZ    text

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.css\PersistentHandler
        (Default)    REG_SZ    {eec97550-47a9-11cf-b952-00aa0051fe20}


    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Classes\.js /s

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js
        (Default)    REG_SZ    JSFile

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\OpenWithList

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\PersistentHandler
        (Default)    REG_SZ    {5e941d80-bf96-11cd-b579-08002b30bfeb}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\ScriptEngine
        (Default)    REG_SZ    JScript

    Wednesday, May 9, 2012 1:08 PM
  • "geverl" wrote in message news:09f2e332-07e2-4386-b149-78e805fd6d57...

    I can't say for sure, but think I just did a normal install of Bluefish.

     

    There's two minor errors there still - I don't think it means anything, but best to remove them
     
    REG DELETE HKLM\SOFTWARE\Classes\.vbs\ScriptEngine
    REG DELETE HKLM\SOFTWARE\Classes\.js\ScriptEngine
     
    I'm not sure where they appeared from - I thought I'd removed them with my earlier amendments.
    It may be worth checking the proper locations for these entries
     
    REG QUERY HKLM\SOFTWARE\Classes\JSFile /S
    REG QUERY HKLM\SOFTWARE\Classes\VBSFile /S
     
    post the results - it may be a good idea to upload them to your SkyDrive, as it could be lengthy.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 1:34 PM
    Moderator
  • I've uploaded the results (reg1.txt and reg2.txt).

    I don't know if it's related, but just to let you know, I've been unable to create manual restore points for some time. When I try to it shows the "Creating a restore point..." message box for ages and then fails. I couldn't find any solution for this on the web.

    Wednesday, May 9, 2012 1:43 PM
  • "geverl" wrote in message news:acf071d5-5719-4ce8-b455-d87e8672de00...

    I've uploaded the results (reg1.txt and reg2.txt).

    I don't know if it's related, but just to let you know, I've been unable to create manual restore points for some time. When I try to it shows the "Creating a restore point..." message box for ages and then fails. I couldn't find any solution for this on the web.

    I'm not certain either :) I know that System Restore used to use scripting to a large extent - I wouldn't be surprised if it was related to the vbscript problem that we've hopefully solved. I would suggest disabling SR, rebooting, and then re-enabling it and rebooting again. See if it behaves any better then.
     
     
    The only error there is a missing entry - run the following command to fix that
     
    REG ADD HKLM\SOFTWARE\Classes\JSFile\DefaultIcon /ve /t REG_SZ /d %SystemRoot%\System32\WScript.exe,3
     
    I can't see that having any effect - but please run another MGADiag report (only post it if it shows any significant changes - no point in making this thread any longer than it already is!)
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 2:17 PM
    Moderator
  • I disabled SR, rebooted, re-enabled it and rebooted again: no change, SR still fails with the same error (cf. screen shot).

    I ran the REG ADD command, the MGADiag report is still unchanged.

    Wednesday, May 9, 2012 2:43 PM
  • "geverl" wrote in message news:578e7a52-4862-4f4b-bf53-881aa2ca1b43...

    I disabled SR, rebooted, re-enabled it and rebooted again: no change, SR still fails with the same error (cf. screen shot).

    I ran the REG ADD command, the MGADiag report is still unchanged.

    I've not seen a good solution to that error in a quick search - but the responses to the following may be instructive
     
    NET START VSS
    SC QUERYEX VSS
    SC QC VSS
    SC SDSHOW VSS
     
    I'm also looking for more clues in your Event Viewer logs -
    a couple of Windows Updates refer to an 0x8000ffff error - see here (it's for Vista, but should also work in Win7)
     
    There appears to be an Apache service of some kind running - and failing with the error "httpd.exe: Could not reliably determine the server's fully qualified domain name, using 192.168.0.10 for ServerName"
     
    BitLocker appears to be having problems - but I know absolutely nothing about BL.
     
    Bonjour is having problems - but then I've never seen an installation where it didn't have problems of one kind or another. Apple software may work on apples - but it doesn't work on anything else.
     
    The ones that concern me are the huge number of CAPI2 errors "The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032." - do these still occur? - please upload the latest 24hour event log so we can check.
     
    The DCOM errors appear to be caused by the ATI/AMD Catalyst drivers - updating them may be a good idea.
     
    The Kernel-Processor-Power problems can be caused by a mis-set feature in Windows (I can't remember the details - I'll have to search for them), or by disabling SpeedStep in the BIOS.
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 3:54 PM
    Moderator

  • C:\Windows\system32>NET START VSS
    The service is starting or stopping.  Please try again later.


    C:\Windows\system32>SC QUERYEX VSS

    SERVICE_NAME: VSS
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 3  STOP_PENDING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 4320
            FLAGS              :

    C:\Windows\system32>SC QC VSS
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: VSS
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\vssvc.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Volume Shadow Copy
            DEPENDENCIES       : RPCSS
            SERVICE_START_NAME : LocalSystem

    C:\Windows\system32>SC SDSHOW VSS

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    Regarding the KB946414 link above: the 3 keys do not exist in the registry.

    A new 24h event log is uploaded (Event Log 9.5.12.evtx).

    Wednesday, May 9, 2012 4:39 PM
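Added example, not part of the thread and not any participant's code: the SC SDSHOW VSS output above is an SDDL string, and this Python decodes its ACEs into service rights per trustee and checks whether any non-administrative trustee is allowed to reconfigure the service. The function names are illustrative and WEAK_SDDL is a constructed contrast case.

```python
import re

# Service-specific meaning of the SDDL rights codes printed by "sc sdshow".
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {
    "SY": "Local System", "BA": "Built-in Administrators",
    "IU": "Interactive Users", "SU": "Service Logon Users",
    "AU": "Authenticated Users", "WD": "Everyone",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
PRIVILEGED = {"Local System", "Built-in Administrators"}
WRITE_RIGHTS = {"SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# SC SDSHOW VSS output from the post above, with the console line wrap removed.
VSS_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
            "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed contrast case (not from the thread): a DACL that lets any
# authenticated user change the service configuration.
WEAK_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"


def parse_ace(ace):
    """Decode one 'type;flags;rights;object;inherit_object;sid' ACE string."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError("malformed ACE: %r" % ace)
    ace_type, flags, rights, _obj, _inherit, sid = fields
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": flags,
        "rights": [SERVICE_RIGHTS.get(c, c) for c in codes],
        "trustee": TRUSTEES.get(sid, sid),
    }


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} for a service security descriptor."""
    sddl = "".join(sddl.split())  # tolerate wrapped console output
    parsed = {}
    for key, tag in (("dacl", "D"), ("sacl", "S")):
        m = re.search(tag + r":[A-Z]*((?:\([^()]*\))+)", sddl)
        aces = re.findall(r"\(([^()]*)\)", m.group(1)) if m else []
        parsed[key] = [parse_ace(a) for a in aces]
    return parsed


def who_can(parsed, right):
    """Trustees that an allow ACE grants the named right."""
    return [a["trustee"] for a in parsed["dacl"]
            if a["type"] == "allow" and right in a["rights"]]


def risky_grants(parsed):
    """(trustee, right) pairs where a non-privileged trustee may alter the service."""
    return [(a["trustee"], r) for a in parsed["dacl"]
            if a["type"] == "allow" and a["trustee"] not in PRIVILEGED
            for r in a["rights"] if r in WRITE_RIGHTS]


if __name__ == "__main__":
    vss = parse_sddl(VSS_SDDL)
    for ace in vss["dacl"] + vss["sacl"]:
        print(ace["type"], ace["trustee"], ace["rights"])
    print("can stop VSS:", who_can(vss, "SERVICE_STOP"))
    print("risky grants (thread):", risky_grants(vss))
    print("risky grants (constructed):", risky_grants(parse_sddl(WEAK_SDDL)))
```

For the descriptor posted in the thread, only Local System and the Administrators group can start or stop VSS, and no other trustee holds a write right.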
  • "geverl" wrote in message news:1f997e5a-9116-486c-ab04-0bb3992d0f42...


    C:\Windows\system32>NET START VSS
    The service is starting or stopping.  Please try again later.


    C:\Windows\system32>SC QUERYEX VSS

    SERVICE_NAME: VSS
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 3  STOP_PENDING

    Regarding the KB946414 link above: the 3 keys do not exist in the registry.

    A new 24h event log is uploaded (Event Log 9.5.12.evtx).

    That would probably explain the System Restore/VSS problem, if the service is locked into a 'stopping but not stopped' state.
     
    Please run the command (elevated)
    vssadmin list writers
    and post the results -
    it may give some details while I see if I can come up with a viable 'fix'
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 5:27 PM
    Moderator
  • This has now been running for ages and never returns:

    C:\Windows\system32>vssadmin list writers
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Waiting for responses.
    These may be delayed if a shadow copy is being prepared.

    Wednesday, May 9, 2012 5:50 PM
  • "geverl" wrote in message news:6a47f6a4-830e-48bf-910e-93049493c5ca...

    This has now been running for ages and never returns:

    C:\Windows\system32>vssadmin list writers
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Waiting for responses.
    These may be delayed if a shadow copy is being prepared.

    I'm not too surprised :(
    I've uploaded a file to my SkyDrive - 'register VSS dlls.txt'
    download it and save it.
    rename it or copy it so that the file extension becomes .BAT
    then right-click on the bat file, and select Run as Administrator.
    This will bring up a lot of 'success' messages - and may bring up some failure messages.
    We can ignore the success messages, but need any failure ones (just the filename)
    once complete, reboot.
    Wait 10 minutes
    then see if VSS works by starting and stopping the service.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 6:23 PM
    Moderator
  • Pardon my ignorance, but is there a way for me to find your SkyDrive (I'm not used to SkyDrive)?
    Wednesday, May 9, 2012 6:29 PM
  • "Noel D Paton" wrote in message news:599511e4-7beb-460b-b789-835d21c47fcf...
    "geverl" wrote in message news:6a47f6a4-830e-48bf-910e-93049493c5ca...

    This has now been running for ages and never returns:

    C:\Windows\system32>vssadmin list writers
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Waiting for responses.
    These may be delayed if a shadow copy is being prepared.

    I'm not too surprised :(
    I've uploaded a file to my SkyDrive - 'register VSS dlls.txt'
    download it and save it.
    rename it or copy it so that the file extension becomes .BAT
    then right-click on the bat file, and select Run as Administrator.
    This will bring up a lot of 'success' messages - and may bring up some failure messages.
    We can ignore the success messages, but need any failure ones (just the filename)
    once complete, reboot.
    Wait 10 minutes
    then see if VSS works by starting and stopping the service.

      Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sorry - my fault!!
    forgot to post the link.....

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 6:42 PM
    Moderator
  • Here are the errors (I'll now reboot and wait 10 minutes):

    D:\Users\Asterix\Desktop>"register VSS dlls.bat"

    D:\Users\Asterix\Desktop>net stop "System Event Notification Service"
    The System Event Notification Service service is stopping.
    A system error has occurred.

    System error 997 has occurred.

    Overlapped I/O operation is in progress.

    The System Event Notification Service service was stopped successfully.


    D:\Users\Asterix\Desktop>net stop "Microsoft Software Shadow Copy Provider"
    The Microsoft Software Shadow Copy Provider service is not started.

    More help is available by typing NET HELPMSG 3521.


    D:\Users\Asterix\Desktop>net stop "Volume Shadow Copy"
    The Volume Shadow Copy service is stopping........
    The Volume Shadow Copy service could not be stopped.

    Wednesday, May 9, 2012 6:52 PM
  • "geverl" wrote in message news:375b2cb0-c18b-40c7-95b5-e0eb3b5be856...

    Here are the errors (I'll now reboot and wait 10 minutes):

    D:\Users\Asterix\Desktop>"register VSS dlls.bat"

     

    So far, as expected.

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 6:56 PM
    Moderator
  • Ignorance?!? No, not at all. 

    You have been able to keep up with Noel while he is in full (track down every error and kill it) troubleshooting mode. That is no small feat, in my opinion.

    I think it's more likely that Noel was just preoccupied thinking about the problem and forgot to provide a link.

    I did some digging through the forums and I think I found Noel's public Skydrive folder:

    https://skydrive.live.com/?cid=936736bb8fceb92f&sc=documents&uc=1&id=936736BB8FCEB92F!115#

    Thanks,


    Darin MS


    Wednesday, May 9, 2012 7:04 PM
  • C:\Windows\system32>net start vss
    The Volume Shadow Copy service is starting.
    The Volume Shadow Copy service was started successfully.


    C:\Windows\system32>net stop vss
    The Volume Shadow Copy service is stopping.
    The Volume Shadow Copy service was stopped successfully.

    Wednesday, May 9, 2012 7:06 PM
  • Thanks a lot, Noel has now provided the link.
    Wednesday, May 9, 2012 7:09 PM
  • "Darin Smith MS" wrote in message news:58b4a714-0d72-4330-8c80-72e49dd99ea2...

    Ignorance?!? No, not at all. 

    You have been able to keep up with Noel while he is in full (track down every error and kill it) troubleshooting mode. That is no small feat, in my opinion.


    Darin MS


     
     
    I need to get a life! :)
    You are quite right, though.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 7:15 PM
    Moderator
  • "geverl" wrote in message news:5b2268ec-5150-4b86-9345-1612099f7719...

    C:\Windows\system32>net start vss
    The Volume Shadow Copy service is starting.
    The Volume Shadow Copy service was started successfully.


    C:\Windows\system32>net stop vss
    The Volume Shadow Copy service is stopping.
    The Volume Shadow Copy service was stopped successfully.

    Yay! - we have (some kind of) lift-off!
    Now see if you can create a System restore point.
    - and just in case, please post another MGADiag report.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 7:17 PM
    Moderator
  • I think we're still grounded.

    Unfortunately nothing has changed with regards to the SR creation or the MGADiag report.

    Wednesday, May 9, 2012 7:24 PM
  • "geverl" wrote in message news:6fa90c31-096e-4ace-8cfa-d4d3560e4358...

    I think we're still grounded.

    Unfortunately nothing has changed with regards to the SR creation or the MGADiag report.

    OK - now please run the command
     
    vssadmin list writers
     
    again and post the results.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 7:35 PM
    Moderator
  • No change, before and after reboot:

    C:\Windows\system32>vssadmin list writers
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Waiting for responses.
    These may be delayed if a shadow copy is being prepared.

    Wednesday, May 9, 2012 7:44 PM
  • "geverl" wrote in message news:d297f823-c8ed-4c54-a833-47e72a8790fa...

    No change, before and after reboot:

    C:\Windows\system32>vssadmin list writers
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    Waiting for responses.
    These may be delayed if a shadow copy is being prepared.

    ouch.
    does the VSS still stop and start?
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 7:57 PM
    Moderator
  • no:

    C:\Windows\system32>net stop vss
    The Volume Shadow Copy service is stopping........
    The Volume Shadow Copy service could not be stopped.

    Wednesday, May 9, 2012 8:00 PM
  • "geverl" wrote in message news:8b0cf323-206f-4db2-a536-7edfba819e05...

    no:

    C:\Windows\system32>net stop vss
    The Volume Shadow Copy service is stopping........
    The Volume Shadow Copy service could not be stopped.

    Yeurrgh!
    I need to think about this.
    back tomorrow - but it'll probably be late (around 5pm BST) unless I can fiddle a little free time during the day.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 9, 2012 8:14 PM
    Moderator
  • "Noel D Paton" wrote in message news:f7cb1575-5a41-4b00-9204-12efb6ec734b...
    "geverl" wrote in message news:8b0cf323-206f-4db2-a536-7edfba819e05...

    no:

    C:\Windows\system32>net stop vss
    The Volume Shadow Copy service is stopping........
    The Volume Shadow Copy service could not be stopped.

    Yeurrgh!
    I need to think about this.
    back tomorrow - but it'll probably be late (around 5pm BST) unless I can fiddle a little free time during the day.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
     
    Let's go back to the original problem for the moment.
     
    I have a sneaky suspicion that the problem is caused by those junctions in the SysWOW64 folder. They do not exist on any of my installations
    so let's get rid of them....
     
    RD "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Application Data"
    RD "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\History"
    RD "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Temporary Internet Files"
     
    Once complete, reboot and run another MGADiag report.
     
    Also, please check running in all accounts! - it looks like you have the Administrator account enabled? if so, test that as well.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Thursday, May 10, 2012 1:24 PM
    Moderator
  • I do not have the Administrator account enabled.

    I've executed the 3 commands and rebooted.

    The MGADiag report has not changed.

    Thursday, May 10, 2012 2:39 PM
  • At some point, you almost have to have done - the user folders exist for it, where they wouldn't if it had never been active. (another clue?)

    OK - there's a boatload of related Junctions that should be removed anyhow even if they aren't likely to be a cause....

    RD "C:\Windows\SysWOW64\config\systemprofile\Application Data"
    RD C:\Windows\SysWOW64\config\systemprofile\Cookies
    RD "C:\Windows\SysWOW64\config\systemprofile\Local Settings"
    RD "C:\Windows\SysWOW64\config\systemprofile\My Documents"
    RD C:\Windows\SysWOW64\config\systemprofile\NetHood
    RD C:\Windows\SysWOW64\config\systemprofile\PrintHood
    RD C:\Windows\SysWOW64\config\systemprofile\Recent
    RD C:\Windows\SysWOW64\config\systemprofile\SendTo
    RD "C:\Windows\SysWOW64\config\systemprofile\Start Menu"
    RD C:\Windows\SysWOW64\config\systemprofile\Templates
    RD "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Application Data"
    RD C:\Windows\SysWOW64\config\systemprofile\AppData\Local\History
    RD "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Temporary Internet Files"

     

    Again - please test when complete.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Thursday, May 10, 2012 3:23 PM
    Moderator
  • Done. Still no change in the MGADiag report.
    Thursday, May 10, 2012 3:45 PM
  • OK - I'll go back into thinking mode for a while.

    Please do feel free to contact WGA support for help if you feel inclined - I won't be insulted (disappointed, maybe - but I've already learned a lot from this thread, which always mitigates!).

    back later - more likely tomorrow, unless I have a brainstorm.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Thursday, May 10, 2012 4:12 PM
    Moderator
  • "geverl" wrote in message news:db31d985-04b8-4d6b-ab69-d44e9e400dd1...
    Done. Still no change in the MGADiag report.
     
     
    Hmmm - I missed a set :(
     
    RD "C:\Windows\SysWOW64\config\systemprofile\Documents\My Music"
    RD "C:\Windows\SysWOW64\config\systemprofile\Documents\My Pictures"
    RD "C:\Windows\SysWOW64\config\systemprofile\Documents\My Videos"
     
    still thinking :)
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 9:51 AM
    Moderator
  • "Noel D Paton" wrote in message news:17ba815a-a8a1-4fc2-9679-bca4d234dd5b...

    OK - I'll go back into thinking mode for a while.

    Please do feel free to contact WGA support for help if you feel inclined - I won't be insulted (disappointed, maybe - but I've already learned a lot from this thread, which always mitigates!).

    back later - more likely tomorrow, unless I have a brainstorm.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

     
     
    please run the following commands and post the results.
     
    ICACLS C:\Windows\SysWOW64\config\systemprofile
    ICACLS C:\Windows\SysWOW64\config\systemprofile\AppData
    RD C:\Windows\SysWOW64\config\systemprofile\Documents
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData /as
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local /as
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 10:10 AM
    Moderator
  • C:\Windows\system32>ICACLS C:\Windows\SysWOW64\config\systemprofile
    C:\Windows\SysWOW64\config\systemprofile BUILTIN\Administrators:(I)(OI)(IO)(F)
                                             BUILTIN\Administrators:(I)(CI)(F)
                                             NT AUTHORITY\SYSTEM:(I)(OI)(IO)(F)
                                             NT AUTHORITY\SYSTEM:(I)(CI)(F)
                                             Asterix-PC\Asterix:(I)(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SysWOW64\config\systemprofile\AppData
    C:\Windows\SysWOW64\config\systemprofile\AppData BUILTIN\Administrators:(I)(OI)(
    IO)(F)
                                                     BUILTIN\Administrators:(I)(CI)(
    F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(IO)
    (F)
                                                     NT AUTHORITY\SYSTEM:(I)(CI)(F)
                                                     Asterix-PC\Asterix:(I)(OI)(CI)(
    F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>RD C:\Windows\SysWOW64\config\systemprofile\Documents
    Access is denied.

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData

    10/05/2012  16:30    <DIR>          Local
    06/10/2011  11:10    <DIR>          Roaming
                   0 File(s)              0 bytes
                   2 Dir(s)  109 269 164 032 bytes free

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local

    10/05/2012  16:30    <DIR>          .
    10/05/2012  16:30    <DIR>          ..
    21/04/2012  12:43    <DIR>          Google
    03/05/2011  06:57    <DIR>          Microsoft
    03/05/2011  06:57    <DIR>          Programs
                   0 File(s)              0 bytes
                   5 Dir(s)  109 269 200 896 bytes free

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData /as
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData

    14/07/2009  06:55    <DIR>          .
    14/07/2009  06:55    <DIR>          ..
    06/10/2011  11:12    <DIR>          LocalLow
                   0 File(s)              0 bytes
                   3 Dir(s)  109 269 200 896 bytes free

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local /
    as
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local

    File Not Found

    Friday, May 11, 2012 4:00 PM
  • "geverl" wrote in message news:4b18adb0-dea3-4b1b-a0b2-8a8e03fbfd36...

    C:\Windows\system32>RD C:\Windows\SysWOW64\config\systemprofile\Documents
    Access is denied.

     

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local
    Volume in drive C has no label.
    Volume Serial Number is 8AB7-BD92

    Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local

    10/05/2012  16:30    <DIR>          .
    10/05/2012  16:30    <DIR>          ..
    21/04/2012  12:43    <DIR>          Google
    03/05/2011  06:57    <DIR>          Microsoft
    03/05/2011  06:57    <DIR>          Programs

                   0 File(s)              0 bytes
                   5 Dir(s)  109 269 200 896 bytes free

     

     
     
    I've highlighted the problems, above -
    please run the following commands.
     
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft
    RD  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google /s
    RD C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Programs /s
    RD C:\Windows\SysWOW64\config\systemprofile\Documents /s
     
    post the results.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 4:24 PM
    Moderator
  • C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\M
    icrosoft
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    01/02/2011  14:52    <DIR>          OFFICE
    03/05/2011  06:57    <DIR>          Windows
    03/05/2011  06:57    <DIR>          Windows Photo Gallery
    03/05/2011  06:57    <DIR>          Windows Sidebar
                   0 File(s)              0 bytes
                   6 Dir(s)  109 259 427 840 bytes free

    C:\Windows\system32>RD  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\G
    oogle /s
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Google, Are you sure (Y/N
    )? y

    C:\Windows\system32>RD C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Pr
    ograms /s
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Programs, Are you sure (Y
    /N)? y

    C:\Windows\system32>RD C:\Windows\SysWOW64\config\systemprofile\Documents /s
    C:\Windows\SysWOW64\config\systemprofile\Documents, Are you sure (Y/N)? y

    Friday, May 11, 2012 4:27 PM
  • "geverl" wrote in message news:154b6272-1f8d-4629-a121-6b392be4bd2b...

    Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    01/02/2011  14:52    <DIR>          OFFICE
    03/05/2011  06:57    <DIR>          Windows
    03/05/2011  06:57    <DIR>          Windows Photo Gallery
    03/05/2011  06:57    <DIR>          Windows Sidebar

                   0 File(s)              0 bytes
                   6 Dir(s)  109 259 427 840 bytes free

     

    I didn't expect that one!
     
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows /as
    RD /Q  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OFFICE
    RD /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Photo Gallery"
    RD /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Sidebar"
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 5:00 PM
    Moderator
  • C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\M
    icrosoft\Windows
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\W
    indows

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    03/05/2011  06:57    <DIR>          Burn
    10/05/2012  16:42    <DIR>          Caches
    03/05/2011  06:57    <DIR>          GameExplorer
    03/05/2011  06:57    <DIR>          Ringtones
                   0 File(s)              0 bytes
                   6 Dir(s)  109 252 886 528 bytes free

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\M
    icrosoft\Windows /as
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\W
    indows

    14/07/2009  06:54    <DIR>          History
    14/07/2009  06:54    <DIR>          Temporary Internet Files
                   0 File(s)              0 bytes
                   2 Dir(s)  109 252 886 528 bytes free

    C:\Windows\system32>RD /Q  C:\Windows\SysWOW64\config\systemprofile\AppData\Loca
    l\Microsoft\OFFICE

    C:\Windows\system32>RD /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Loca
    l\Microsoft\Windows Photo Gallery"
    The directory is not empty.

    C:\Windows\system32>RD /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Loca
    l\Microsoft\Windows Sidebar"
    The directory is not empty.

    Friday, May 11, 2012 5:02 PM
  • "geverl" wrote in message news:0ee5813d-fdc6-40e4-9d9c-6acd7a7997b5...

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\M
    icrosoft\Windows
    Volume in drive C has no label.
    Volume Serial Number is 8AB7-BD92

    Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows

    03/05/2011  06:57    <DIR>          .
    03/05/2011  06:57    <DIR>          ..
    03/05/2011  06:57    <DIR>          Burn
    10/05/2012  16:42    <DIR>          Caches
    03/05/2011  06:57    <DIR>          GameExplorer
    03/05/2011  06:57    <DIR>          Ringtones
                   0 File(s)              0 bytes
                   6 Dir(s)  109 252 886 528 bytes free

    C:\Windows\system32>RD /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Loca
    l\Microsoft\Windows Photo Gallery"
    The directory is not empty.

    C:\Windows\system32>RD /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Loca
    l\Microsoft\Windows Sidebar"
    The directory is not empty.

    My fault (trying to be clever!)
     
    RD /Q /S "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Photo Gallery"
    RD /Q /S "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows Sidebar"
    RD /Q /S C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Burn
    RD /Q /S C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\GameExplorer
    RD /Q /S C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Ringtones
    DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
     
    then reboot and see if MGADiag shows any changes (I doubt it)
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 5:12 PM
    Moderator
  • No change in the MGADiag report.

    C:\Windows\system32>RD /Q /S "C:\Windows\SysWOW64\config\systemprofile\AppData\L
    ocal\Microsoft\Windows Photo Gallery"

    C:\Windows\system32>RD /Q /S "C:\Windows\SysWOW64\config\systemprofile\AppData\L
    ocal\Microsoft\Windows Sidebar"

    C:\Windows\system32>RD /Q /S C:\Windows\SysWOW64\config\systemprofile\AppData\Lo
    cal\Microsoft\Windows\Burn

    C:\Windows\system32>RD /Q /S C:\Windows\SysWOW64\config\systemprofile\AppData\Lo
    cal\Microsoft\Windows\GameExplorer

    C:\Windows\system32>RD /Q /S C:\Windows\SysWOW64\config\systemprofile\AppData\Lo
    cal\Microsoft\Windows\Ringtones

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile\AppData\Local\M
    icrosoft\Windows\Caches
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\W
    indows\Caches

    10/05/2012  16:42    <DIR>          .
    10/05/2012  16:42    <DIR>          ..
    10/05/2012  16:42            16 384 cversions.1.db
    10/05/2012  16:42           193 632 {6AF0698E-D558-4F6E-9B3C-3716689AF493}.1.ver
    0x0000000000000001.db
                   2 File(s)        210 016 bytes
                   2 Dir(s)  109 252 128 768 bytes free

    Friday, May 11, 2012 5:22 PM
  • "geverl" wrote in message news:ec87b6a7-92b4-4ec1-96eb-5882cc4dc244...

    No change in the MGADiag report.

    Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches

    10/05/2012  16:42    <DIR>          .
    10/05/2012  16:42    <DIR>          ..
    10/05/2012  16:42            16 384 cversions.1.db
    10/05/2012  16:42           193 632 {6AF0698E-D558-4F6E-9B3C-3716689AF493}.1.ver
    0x0000000000000001.db

     
    Not sure about the significance of those two files - any idea what you were doing at that time?
    In view of the problems we've had with this area, it would be a good idea to go back to the registry and check a few things there.
    Please use RegScanner to look for any items containing the following phrases
     
    syswow64\config
    bluefish
     
    export anything found to MHT and upload to your SkyDrive
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 6:18 PM
    Moderator
  • Apart from doing what you asked me to, I did not make any system changes at that time.

    I've put the results in RegScan12.5.12.txt and RegScan12.5.12_2.txt.

    Friday, May 11, 2012 6:30 PM
  • "geverl" wrote in message news:78051e80-cdcf-4d5b-8e3d-e39a07110381...

    Apart from doing what you asked me to, I did not make any system changes at that time.

    I've put the results in RegScan12.5.12.txt and RegScan12.5.12_2.txt.

    Thanks -
    The first set of results are normal
    The second set show nothing that can't be let alone.
     
    Let's go back and check a sample of the 'mismatched' files
     
    ICACLS C:\Windows\System32\slcext.*  /T
    ICACLS C:\Windows\SysWOW64\slcext.* /T
    dir C:\windows\slcext*.* /s
     
    SC QUERY type= service >%userprofile%\Documents\serviceslist.txt
     
    You'll need to upload the serviceslist.txt file to your SkyDrive - mine came out at 30KB.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 8:16 PM
    Moderator
  • The serviceslist.txt file is uploaded with a size of 30KB.

    C:\Windows\system32>ICACLS C:\Windows\System32\slcext.*  /T
    C:\Windows\System32\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\System32\en-US\slcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                             BUILTIN\Users:(RX)
                                             BUILTIN\Administrators:(F)
                                             NT AUTHORITY\SYSTEM:(F)

    Successfully processed 2 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SysWOW64\slcext.* /T
    C:\Windows\SysWOW64\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\config\systemprofile\Application Data\slcext.*: Access is de
    nied.
    Successfully processed 1 files; Failed processing 1 files

    C:\Windows\system32>dir C:\windows\slcext*.* /s
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\windows\System32

    14/07/2009  03:41            18 432 slcext.dll
                   1 File(s)         18 432 bytes

     Directory of C:\windows\System32\en-US

    14/07/2009  04:25            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\windows\SysWOW64

    14/07/2009  03:16            16 384 slcext.dll
                   1 File(s)         16 384 bytes

     Directory of C:\windows\SysWOW64\en-US

    14/07/2009  04:03            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\windows\winsxs\amd64_microsoft-windows-s..clientext.resources_3
    1bf3856ad364e35_6.1.7600.16385_en-us_c2382769078e1059

    14/07/2009  04:25            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\windows\winsxs\amd64_microsoft-windows-security-spp-clientext_3
    1bf3856ad364e35_6.1.7600.16385_none_28bbe77bcacffbe4

    14/07/2009  03:41            18 432 slcext.dll
                   1 File(s)         18 432 bytes

     Directory of C:\windows\winsxs\x86_microsoft-windows-s..clientext.resources_31b
    f3856ad364e35_6.1.7600.16385_en-us_66198be54f309f23

    14/07/2009  04:03            17 408 slcext.dll.mui
                   1 File(s)         17 408 bytes

     Directory of C:\windows\winsxs\x86_microsoft-windows-security-spp-clientext_31b
    f3856ad364e35_6.1.7600.16385_none_cc9d4bf812728aae

    14/07/2009  03:16            16 384 slcext.dll
                   1 File(s)         16 384 bytes

         Total Files Listed:
                   8 File(s)        139 264 bytes
                   0 Dir(s)  109 261 074 432 bytes free

    Friday, May 11, 2012 8:25 PM
  • "geverl" wrote in message news:80432006-baed-47ef-b7b1-d999a0664093...

    The serviceslist.txt file is uploaded with a size of 30KB.

     

    C:\Windows\SysWOW64\config\systemprofile\Application Data\slcext.*: Access is de
    nied.
    Successfully processed 1 files; Failed processing 1 files

     

     
     
    WTH???
    I thought we'd got rid of that?
    There has to be something in the file system pointing to that position still
    Perhaps another CHKDSK is called for.
    CHKDSK C: /F
    this time - we can hope that the free space is still OK
    Please post the results from Event Viewer (Wininit event in the Windows Application logs)
    once complete, please run the following commands
     
    ICACLS C:\Windows\SysWOW64\slcext.* /T
    DIR C:\Windows\SysWOW64\config\systemprofile /as
    DIR C:\Windows\SysWOW64\config\systemprofile /ah
    DIR C:\Windows\SysWOW64\config\systemprofile /al
    DIR C:\Windows\SysWOW64\config\systemprofile
    DIR C:\Windows\System32 /AL S
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 9:07 PM
    Moderator
  • Checking file system on C:

    The type of the file system is NTFS.

     

    A disk check has been scheduled.

    Windows will now check the disk.                        

    CHKDSK is verifying files (stage 1 of 3)...

      731136 file records processed.

    File verification completed.

      957 large file records processed.

      0 bad file records processed.

      2 EA records processed.

      60 reparse records processed.

    CHKDSK is verifying indexes (stage 2 of 3)...

      855358 index entries processed.

    Index verification completed.

      0 unindexed files scanned.

      0 unindexed files recovered.

    CHKDSK is verifying security descriptors (stage 3 of 3)...

      731136 file SDs/SIDs processed.

    Cleaning up 92 unused index entries from index $SII of file 0x9.

    Cleaning up 92 unused index entries from index $SDH of file 0x9.

    Cleaning up 92 unused security descriptors.

    Security descriptor verification completed.

      62112 data files processed.

    CHKDSK is verifying Usn Journal...

      36553248 USN bytes processed.

    Usn Journal verification completed.

    Windows has checked the file system and found no problems.

    204799999 KB total disk space.

      97019808 KB in 384940 files.

        187048 KB in 62113 indexes.

             0 KB in bad sectors.

        841171 KB in use by the system.

         65536 KB occupied by the log file.

    106751972 KB available on disk.

          4096 bytes in each allocation unit.

      51199999 total allocation units on disk.

      26687993 allocation units available on disk.

    Internal Info:

    00 28 0b 00 58 d2 06 00 c9 df 0b 00 00 00 00 00  .(..X...........

    d7 04 00 00 3c 00 00 00 00 00 00 00 00 00 00 00  ....<...........

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

    Windows has finished checking your disk.

    Please wait while your computer restarts.


    C:\Windows\system32>ICACLS C:\Windows\SysWOW64\slcext.* /T
    C:\Windows\SysWOW64\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\config\systemprofile\Application Data\slcext.*: Access is de
    nied.
    Successfully processed 1 files; Failed processing 1 files

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile /as
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile

    14/07/2009  06:55    <DIR>          AppData
    03/05/2011  06:57    <JUNCTION>     Application Data [C:\Windows\system32\config
    \systemprofile\AppData\Roaming]
    03/05/2011  06:57    <JUNCTION>     My Documents [C:\Windows\system32\config\sys
    temprofile\Documents]
    03/05/2011  06:57    <JUNCTION>     Start Menu [C:\Windows\system32\config\syste
    mprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
                   0 File(s)              0 bytes
                   4 Dir(s)  109 287 616 512 bytes free

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile /ah
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile

    03/05/2011  06:57    <JUNCTION>     Application Data [C:\Windows\system32\config
    \systemprofile\AppData\Roaming]
    03/05/2011  06:57    <JUNCTION>     My Documents [C:\Windows\system32\config\sys
    temprofile\Documents]
    03/05/2011  06:57    <JUNCTION>     Start Menu [C:\Windows\system32\config\syste
    mprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
                   0 File(s)              0 bytes
                   3 Dir(s)  109 287 616 512 bytes free

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile /al
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile

    03/05/2011  06:57    <JUNCTION>     Application Data [C:\Windows\system32\config
    \systemprofile\AppData\Roaming]
    03/05/2011  06:57    <JUNCTION>     My Documents [C:\Windows\system32\config\sys
    temprofile\Documents]
    03/05/2011  06:57    <JUNCTION>     Start Menu [C:\Windows\system32\config\syste
    mprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
                   0 File(s)              0 bytes
                   3 Dir(s)  109 287 616 512 bytes free

    C:\Windows\system32>DIR C:\Windows\SysWOW64\config\systemprofile
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile

    11/05/2012  18:26    <DIR>          .
    11/05/2012  18:26    <DIR>          ..
    03/05/2011  14:30    <DIR>          Contacts
    03/05/2011  14:30    <DIR>          Desktop
    03/05/2011  14:30    <DIR>          Downloads
    03/05/2011  14:30    <DIR>          Favorites
    03/05/2011  14:30    <DIR>          Links
    03/05/2011  14:30    <DIR>          Music
    03/05/2011  14:30    <DIR>          Pictures
    03/05/2011  14:30    <DIR>          Saved Games
    03/05/2011  14:30    <DIR>          Searches
    03/05/2011  14:30    <DIR>          Videos
                   0 File(s)              0 bytes
                  12 Dir(s)  109 287 616 512 bytes free

    C:\Windows\system32>DIR C:\Windows\System32 /AL S
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\System32


     Directory of C:\Windows\System32

    File Not Found

    Friday, May 11, 2012 9:39 PM
  • "geverl" wrote in message news:b5a7f262-2fb3-4181-9bf5-942ce59a6393...

    Checking file system on C:

    The type of the file system is NTFS.

     

    Directory of C:\Windows\SysWOW64\config\systemprofile

    14/07/2009  06:55    <DIR>          AppData
    03/05/2011  06:57    <JUNCTION>     Application Data [C:\Windows\system32\config
    \systemprofile\AppData\Roaming]
    03/05/2011  06:57    <JUNCTION>     My Documents [C:\Windows\system32\config\sys
    temprofile\Documents]
    03/05/2011  06:57    <JUNCTION>     Start Menu [C:\Windows\system32\config\syste
    mprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
                   0 File(s)              0 bytes
                   4 Dir(s)  109 287 616 512 bytes free

     

     

    File Not Found

    This is worrying - perhaps we'd better have another look at malware.
    All the Junctions are back in place.
    follow their instructions for use.
    See what it finds.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 10:00 PM
    Moderator
  • 469 objects processed, 0 threats.
    Friday, May 11, 2012 10:10 PM
  • "geverl" wrote in message news:c4ad95e1-ce42-4eea-98c8-0333cfc582f2...
    469 objects processed, 0 threats.
     
    OK
    extract the executable to the C:\Windows\System32 folder
    then run the command
    junction -s c:\windows
     
    I get 6 'Access Denied' errors - and nothing else.
    If you have anything else, either post the results, or upload them (depending on how many)
     
    Then I'll have to have a think ( and sleep!) again.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 10:19 PM
    Moderator
  • C:\Windows\system32>junction -s c:\windows

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Failed to open \\?\c:\windows\System32\Microsoft\Protect\Recovery\Recovery.dat:
    Access is denied.

    Failed to open \\?\c:\windows\System32\Microsoft\Protect\Recovery\Recovery.dat.L
    OG1: Access is denied.

    Failed to open \\?\c:\windows\System32\Microsoft\Protect\Recovery\Recovery.dat.L
    OG2: Access is denied.

    Failed to open \\?\c:\windows\System32\Microsoft\Protect\Recovery\Recovery.dat{7
    f69ff24-507a-11e0-93a4-0025229344e5}.TM.blf: Access is denied.

    Failed to open \\?\c:\windows\System32\Microsoft\Protect\Recovery\Recovery.dat{7
    f69ff24-507a-11e0-93a4-0025229344e5}.TMContainer00000000000000000001.regtrans-ms
    : Access is denied.

    Failed to open \\?\c:\windows\System32\Microsoft\Protect\Recovery\Recovery.dat{7
    f69ff24-507a-11e0-93a4-0025229344e5}.TMContainer00000000000000000002.regtrans-ms
    : Access is denied.

    \\?\c:\windows\SysWOW64\config\systemprofile\Application Data: JUNCTION
       Print Name     : C:\Windows\system32\config\systemprofile\AppData\Roaming
       Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming

    \\?\c:\windows\SysWOW64\config\systemprofile\My Documents: JUNCTION
       Print Name     : C:\Windows\system32\config\systemprofile\Documents
       Substitute Name: C:\Windows\system32\config\systemprofile\Documents

    \\?\c:\windows\SysWOW64\config\systemprofile\Start Menu: JUNCTION
       Print Name     : C:\Windows\system32\config\systemprofile\AppData\Roaming\Mic
    rosoft\Windows\Start Menu
       Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Mic
    rosoft\Windows\Start Menu

    Friday, May 11, 2012 10:24 PM
  • "geverl" wrote in message news:d2368e39-e7b3-4dd3-a4be-eec542396870...

    \\?\c:\windows\SysWOW64\config\systemprofile\Application Data: JUNCTION
       Print Name     : C:\Windows\system32\config\systemprofile\AppData\Roaming
       Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming

    \\?\c:\windows\SysWOW64\config\systemprofile\My Documents: JUNCTION
       Print Name     : C:\Windows\system32\config\systemprofile\Documents
       Substitute Name: C:\Windows\system32\config\systemprofile\Documents

    \\?\c:\windows\SysWOW64\config\systemprofile\Start Menu: JUNCTION
       Print Name     : C:\Windows\system32\config\systemprofile\AppData\Roaming\Mic
    rosoft\Windows\Start Menu
       Substitute Name: C:\Windows\system32\config\systemprofile\AppData\Roaming\Mic
    rosoft\Windows\Start Menu

    Let's see if we have more luck using junction to delete the offending links.
     
    junction -d "c:\windows\SysWOW64\config\systemprofile\Start Menu"
    junction -d "c:\windows\SysWOW64\config\systemprofile\My Documents"
    junction -d "c:\windows\SysWOW64\config\systemprofile\Application"
    ICACLS C:\Windows\SysWOW64\slcext.* /T
     
    post the results, then reboot, and run
     
    ICACLS C:\Windows\SysWOW64\slcext.* /T
    DIR C:\Windows\SysWOW64 /AL /S
     
    post those results - I plan on being in bed by then.
    catch you tomorrow!

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, May 11, 2012 11:14 PM
    Moderator
  • C:\Windows\system32>junction -d "c:\windows\SysWOW64\config\systemprofile\Start
    Menu"

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Deleted c:\windows\SysWOW64\config\systemprofile\Start Menu.

    C:\Windows\system32>junction -d "c:\windows\SysWOW64\config\systemprofile\My Doc
    uments"

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Deleted c:\windows\SysWOW64\config\systemprofile\My Documents.

    C:\Windows\system32>junction -d "c:\windows\SysWOW64\config\systemprofile\Applic
    ation"

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Error deleting c:\windows\SysWOW64\config\systemprofile\Application: The system
    cannot find the file specified.


    C:\Windows\system32>ICACLS C:\Windows\SysWOW64\slcext.* /T
    C:\Windows\SysWOW64\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\config\systemprofile\Application Data\slcext.*: Access is denied.
    Successfully processed 1 files; Failed processing 1 files

    ===============

    Reboot

    ===============

    C:\Windows\system32>ICACLS C:\Windows\SysWOW64\slcext.* /T
    C:\Windows\SysWOW64\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\config\systemprofile\Application Data\slcext.*: Access is denied.
    Successfully processed 1 files; Failed processing 1 files

    C:\Windows\system32>DIR C:\Windows\SysWOW64 /AL /S
     Volume in drive C has no label.
     Volume Serial Number is 8AB7-BD92

     Directory of C:\Windows\SysWOW64\config\systemprofile

    03/05/2011  06:57    <JUNCTION>     Application Data [C:\Windows\system32\config\systemprofile\AppData\Roaming]
                   0 File(s)              0 bytes

         Total Files Listed:
                   0 File(s)              0 bytes
                   1 Dir(s)  109 293 813 760 bytes free

    Saturday, May 12, 2012 7:20 AM
  • "geverl" wrote in message news:a1bab080-73ee-4fea-a0b0-10e37ae75ad8...

    Error deleting c:\windows\SysWOW64\config\systemprofile\Application: The system cannot find the file specified.

     

    C:\Windows\SysWOW64\config\systemprofile\Application Data\slcext.*: Access is denied.
    Successfully processed 1 files; Failed processing 1 files

     

     
    Bother, must have typo'd this one.
     
    junction -d "c:\windows\SysWOW64\config\systemprofile\Application Data"
     
    once done, reboot and run another MGADiag report
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 12, 2012 9:42 AM
    Moderator
  • C:\Windows\system32>junction -d "c:\windows\SysWOW64\config\systemprofile\Application Data"

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Deleted c:\windows\SysWOW64\config\systemprofile\Application Data.

    C:\Windows\system32>ICACLS C:\Windows\SysWOW64\slcext.* /T
    C:\Windows\SysWOW64\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\en-US\slcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                             BUILTIN\Users:(RX)
                                             BUILTIN\Administrators:(F)
                                             NT AUTHORITY\SYSTEM:(F)

    Successfully processed 2 files; Failed processing 0 files

    The MGADiag report is unchanged.

    Saturday, May 12, 2012 9:50 AM
  • "geverl" wrote in message news:23515497-7b15-4e8d-ab24-c5dfde85796d...

    C:\Windows\system32>junction -d "c:\windows\SysWOW64\config\systemprofile\Application Data"

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Deleted c:\windows\SysWOW64\config\systemprofile\Application Data.

    C:\Windows\system32>ICACLS C:\Windows\SysWOW64\slcext.* /T
    C:\Windows\SysWOW64\slcext.dll NT SERVICE\TrustedInstaller:(F)
                                   BUILTIN\Users:(RX)
                                   BUILTIN\Administrators:(F)
                                   NT AUTHORITY\SYSTEM:(F)

    C:\Windows\SysWOW64\en-US\slcext.dll.mui NT SERVICE\TrustedInstaller:(F)
                                             BUILTIN\Users:(RX)
                                             BUILTIN\Administrators:(F)
                                             NT AUTHORITY\SYSTEM:(F)

    Successfully processed 2 files; Failed processing 0 files

    The MGADiag report is unchanged.

     
    At least we're not getting the access denied error any more!
     
    please run the following - let's see if there's any more odd junctions/symlinks floating around still, and if there's any references to the latest removals in the registry.
     
    junction -s C:\Windows
    DIR C:\Windows\slcext* /s
     
    (you'll need to upload the results to your SkyDrive)
    run RegScanner, and see if you can find any references to
     
    SysWOW64\config
     
    Scan the following base keys: (highlight all)
    Look at: (tick all)
    Matching: Registry item contains the specified string
    (untick everything else)
     
    I get 15 entries there (three Google, and 12 MRU) - you will probably need to upload the report to SkyDrive.
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 12, 2012 10:25 AM
    Moderator
  • res12.5.12_1.txt

    Saturday, May 12, 2012 10:33 AM
  • "geverl" wrote in message news:4b8c79c5-14bc-44b5-b3d8-dc375a19e1a9...

    res12.5.12_1.txt

     
    That all looks normal now :)
    Please try the following -
    Recreate the Licensing Store
    1) Click Start button.
    2) Type: CMD.exe into the 'Search programs and files' field
    3) Right-Click on CMD.exe and select Run as Administrator
    4) Type: net stop sppsvc (It may ask you if you are sure, select yes)
    Note: the Software Protection service may not be running, this is ok.
    5) Type: cd %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform
    6) Type: rename tokens.dat tokens.bar
    7) Type: cd %windir%\system32
    8) Type: net start sppsvc
    9) Type: slui.exe
    10) After a couple of seconds Windows Activation dialog will appear. You will be asked to re-activate and/or re-enter your product Key - enter the Key from your sticker, and wait for activation to complete, or a full error message (the sin) which you should quote in full!

    Reboot and Post back with a new MGADiag report


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 12, 2012 11:54 AM
    Moderator
  • The report has changed: MGADIag Report 12.5.12.txt

    It did not ask for my product key, it just said that the activation was successful.

    Saturday, May 12, 2012 12:07 PM
  • I have now entered my product key and fully activated Windows, given that the MGADiag report indicated that it had only activated the 30 day trial period.
    Saturday, May 12, 2012 12:45 PM
  • "geverl" wrote in message news:09abcbd8-e71a-4693-8fbb-2573ac1a1508...
    I have now entered my product key and fully activated Windows, given that the MGADiag report indicated that it had only activated the 30 day trial period.
     
    Please post another MGADiag report (in the forum)
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 12, 2012 5:24 PM
    Moderator
  • Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-JJD36
    Windows Product Key Hash: xYDT9ADGqg7zMUT6R3nz0Qd/RJk=
    Windows Product ID: 55041-090-8366291-86085
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-090-8366291-86085</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-090-836629-03-1134-7601.0000-1332012
    Installation ID: 018186094665924003636475299986356261780436842511527280
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: JJD36
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 12/05/2012 19:28:15

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   AMICPU  PROC
      AAFT   ALASKA  OEMAAFT

    Saturday, May 12, 2012 5:28 PM
  • "geverl" wrote in message news:c6a7f3b1-199a-4655-8501-85fbbb0a85cc...

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-JJD36
    Windows Product Key Hash: xYDT9ADGqg7zMUT6R3nz0Qd/RJk=
    Windows Product ID: 55041-090-8366291-86085
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

     

     
     
     
    It's still the same error :(
    However, the report is significantly different to the one you started out with.
    This report has a Volume License Key, which appears to be genuine. (ending JJD36)
    Your original report had a different Volume License Key, ending 7PJFF.
     
    What happened there?
     
    Please try (yet again!) installing a new set of IRST drivers - let's see if that has the desired effect now.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 12, 2012 5:47 PM
    Moderator
  • I installed the wrong product key by mistake.

    The 7PJFF one is for the 64 Bit Win 7 Pro that is installed on the PC.

    The JJD36 is for 32 Bit Win 7 Pro. I'm wondering why it was accepted for activation.

    Shall I recreate the licensing store and activate with the correct product key?

    Here's the MGADiag report after reinstalling the IRST drivers and rebooting:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-JJD36
    Windows Product Key Hash: xYDT9ADGqg7zMUT6R3nz0Qd/RJk=
    Windows Product ID: 55041-090-8366291-86085
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-090-8366291-86085</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-090-836629-03-1134-7601.0000-1332012
    Installation ID: 018186094665924003636475299986356261780436842511527280
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: JJD36
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 12/05/2012 19:55:10

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   AMICPU  PROC
      AAFT   ALASKA  OEMAAFT

    Saturday, May 12, 2012 5:58 PM
  • "geverl" wrote in message news:e7cd387c-4363-4152-9dd8-e540f2dbc74c...

    I installed the wrong product key by mistake.

    The 7PJFF one is for the 64 Bit Win 7 Pro that is installed on the PC.

    The JJD36 is for 32 Bit Win 7 Pro. I'm wondering why it was accepted for activation.

    Shall I recreate the licensing store and activate with the correct product key?

    Here's the MGADiag report after reinstalling the IRST drivers and rebooting:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-JJD36
    Windows Product Key Hash: xYDT9ADGqg7zMUT6R3nz0Qd/RJk=
    Windows Product ID: 55041-090-8366291-86085
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048

     
     
    All Keys are bit-agnostic - they work on both 32- and 64- bit installs.
     
    Still no change in the report.
     
    I am seriously running out of ideas, here!
     
    I'll have to do some deeper diving into the registry, and I'm not that comfortable there, so it may be a day or so before I can come back with anything sensible.
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 12, 2012 6:07 PM
    Moderator
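
The report comparisons made by eye in the two replies above (the changed product key, then "no change" after the driver reinstall) can be done mechanically. This is an added example, not part of the thread and not a Microsoft tool: it parses MGADiag text into section/field pairs, ignores the volatile `Trusted time` field, and groups `File Mismatch` entries by HRESULT. The sample reports are constructed, shortened from the ones posted in this thread, and the first report's `Trusted time` is a made-up value.

```python
import re

# Meanings of the HRESULTs that appear in this thread's reports (winerror.h).
HRESULTS = {
    0x80092003: "CRYPT_E_FILE_ERROR: error while reading or writing a file",
    0x800B0100: "TRUST_E_NOSIGNATURE: no signature was present in the subject",
    0x80070002: "ERROR_FILE_NOT_FOUND (Win32 error 2 wrapped as an HRESULT)",
}

# Fields that differ on every run and say nothing about the licensing state.
VOLATILE = {"Trusted time"}

SECTION = re.compile(r"^(?P<name>.+?)-->$")
MISMATCH = re.compile(
    r"^File Mismatch: (?P<path>.+?)\[(?P<ver>[\d.]+)\], Hr = (?P<hr>0x[0-9A-Fa-f]{8})$"
)


def parse_report(text):
    """Return ({(section, key): [values]}, [(path, version, hresult)])."""
    fields, mismatches, section = {}, [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = MISMATCH.match(line)
        if m:
            mismatches.append((m.group("path"), m.group("ver"), int(m.group("hr"), 16)))
            continue
        key, sep, value = line.partition(": ")
        if sep:
            # Keys such as "Tampered File" repeat, so keep every value in order.
            fields.setdefault((section, key), []).append(value)
    return fields, mismatches


def diff_reports(old, new):
    """Return (changed fields, mismatches that disappeared, mismatches that appeared)."""
    f_old, m_old = parse_report(old)
    f_new, m_new = parse_report(new)
    changed = {}
    for key in sorted(set(f_old) | set(f_new)):
        if key[1] in VOLATILE:
            continue
        if f_old.get(key) != f_new.get(key):
            changed[key] = (f_old.get(key), f_new.get(key))
    return changed, sorted(set(m_old) - set(m_new)), sorted(set(m_new) - set(m_old))


def mismatches_by_hresult(mismatches):
    """Group mismatched file paths by the HRESULT the file scan returned."""
    groups = {}
    for path, _ver, hr in mismatches:
        groups.setdefault(hr, []).append(path)
    return groups


def describe(hr):
    return HRESULTS.get(hr, "unknown HRESULT 0x%08X" % hr)


# Constructed sample input: a shortened report layout filled with values from this thread.
TEMPLATE = r"""
Windows Validation Data-->
Validation Code: 0x8004FE21
Windows Product Key: *****-*****-*****-*****-{key}
Windows Product ID: {pid}

File Scan Data-->
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003

Licensing Data-->
License Status: Licensed
Trusted time: {time}

Windows Activation Technologies-->
HrOffline: 0x8004FE21
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
"""

REPORT_FIRST = TEMPLATE.format(
    key="7PJFF", pid="55041-091-3046796-86542", time="11/05/2012 21:00:00"  # time is made up
)
REPORT_REKEYED = TEMPLATE.format(
    key="JJD36", pid="55041-090-8366291-86085", time="12/05/2012 19:28:15"
)
REPORT_AFTER_IRST = TEMPLATE.format(
    key="JJD36", pid="55041-090-8366291-86085", time="12/05/2012 19:55:10"
)

if __name__ == "__main__":
    changed, gone, added = diff_reports(REPORT_FIRST, REPORT_REKEYED)
    for (section, key), (before, after) in changed.items():
        print("%s / %s: %s -> %s" % (section, key, before, after))
    for hr, paths in mismatches_by_hresult(parse_report(REPORT_REKEYED)[1]).items():
        print(describe(hr), paths)
```

An empty result from `diff_reports` on two consecutive reports is the scripted equivalent of "the MGADiag report is unchanged".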
  • "geverl" wrote in message news:77bcc919-c2d9-42d8-be36-82717a4b21c9...

    I've installed the latest Intel Rapid Storage Drivers.



    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\wat\watux.exe[7.1.7600.16395], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-091-3046796-86542</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>
     

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Input Error: There is no script engine for file extension ".vbs".

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 5:6:2012 09:13
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys

    Gilles
    in an elevated Command prompt, run the following command
    regsvr32.exe wintrust.dll
    reboot
    run another MGADiag report - post the results.
     
    (sorry about the mis-post just now!)
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, May 13, 2012 10:39 PM
    Moderator
  • How do you know my first name?

    There's no change in the report.

    Sunday, May 13, 2012 10:53 PM
  • Unfortunately, your Windows 7 Professional installation is hopelessly corrupt.  Please back-up your personal files and proceed with a "clean install" of the Windows 7 Professional operating system.

    Carey Frisch

    • Marked as answer by geverl Tuesday, May 29, 2012 8:09 PM
    Monday, May 14, 2012 2:33 AM
    Moderator
  • Noel, do you share Carey's opinion that I should do a clean install or do you think there's another solution?
    Monday, May 14, 2012 11:05 AM
  • "geverl" wrote in message news:fd987b95-c282-431c-a004-4854f4cc4765...
    Noel, do you share Carey's opinion that I should do a clean install or do you think there's another solution?
     
    I very rarely share Carey's opinion about anything :)
     
    I'm 90%+ certain that there is a solution without a clean install - at worst a repair install should fix it.
     
    It may be that we have really come to the end of the road in this instance, as at the moment I can see no specific reason for the problem - all the correct files appear to be in the correct places with the correct permissions. The only thing we haven't done really is a full registry comparison and a re-registration of all dll's involved - the former is really beyond my skills, and the latter is a nightmare :)
    FWIW, I tracked a run of MGADiag yesterday - and 58 dll's were involved merely starting the tool, let alone running the detection!
     
    Every dll I've tried unregistering has either refused (because it's not the right type), not given any error in MGADiag, or listed every protected file. Your list excludes two files from the WAT Update, and I have no current idea why that should be the case.
     
    You may want to try uninstalling the WAT Update (KB971033) and rebooting - then attempt validation at www.microsoft.com/genuine/validate
    What happens?
    then post another MGADiag report.
     
    Note that even if the above  removes the non-genuine notification, it doesn't necessarily mean that the problem is solved - merely that it's been hidden.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 14, 2012 11:45 AM
    Moderator
  • I've uninstalled KB971033 and rebooted. I downloaded and started WindowsActivationUpdate.exe from www.microsoft.com/genuine/validate. It says: "Update installation failed. Error information - 0x8000FFFF"

    But the tampered files have disappeared from the MGADiag report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-*****-*****-JJD36
    Windows Product Key Hash: xYDT9ADGqg7zMUT6R3nz0Qd/RJk=
    Windows Product ID: 55041-090-8366291-86085
    Windows Product ID Type: 6
    Windows License Type: Volume MAK
    Windows OS version: 6.1.7601.2.00010100.1.0.048
    ID: {27B8EE88-82A2-4277-B355-835A60BB5F4C}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Professional
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.111118-2330
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Edition 2003 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{27B8EE88-82A2-4277-B355-835A60BB5F4C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-BBBBB</PKey><PID>55041-090-8366291-86085</PID><PIDType>6</PIDType><SID>S-1-5-21-2099548595-4161321057-3812494868</SID><SYSTEM><Manufacturer>To Be Filled By O.E.M.</Manufacturer><Model>To Be Filled By O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>P1.70</Version><SMBIOSVersion major="2" minor="6"/><Date>20110117000000.000000+000</Date></BIOS><HWID>BAE43007018400FE</HWID><UserLCID>046E</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Europe Standard Time(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>B84B64A2945BD00</Val><Hash>AkEyx1BqRAP9Ee8F3oqDlSkMieU=</Hash><Pid>73931-640-1556515-57763</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Professional edition
    Description: Windows Operating System - Windows(R) 7, VOLUME_MAK channel
    Activation ID: 9abf5984-9c16-46f2-ad1e-7fe15931a8dd
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 55041-00172-090-836629-03-1134-7601.0000-1332012
    Installation ID: 018186094665924003636475299986356261780436842511527280
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: JJD36
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 14/05/2012 14:03:06

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 5:13:2012 14:39
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: MgAAAAEAAQABAAEAAAADAAAAAwABAAEAln0mUbMv1LWMAAx0Yj2u4GMSmpAW/mL+LnM=

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   ALASKA  A M I
      FACP   ALASKA  A M I
      HPET   ALASKA  A M I
      MCFG   ALASKA  A M I
      SSDT   AMICPU  PROC
      AAFT   ALASKA  OEMAAFT

     
    Monday, May 14, 2012 12:03 PM
  • I knew that the Tampered files would disappear - they will only ever show when the WAT Update is installed.

    The File Mismatches, however, are still present (ignore the first four lines, they simply show that the WAT Update is no longer installed)

    What IS interesting is that the system now shows as being genuine, despite the file mismatches.

    Are you still getting a non-genuine notification??


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, May 14, 2012 6:48 PM
    Moderator
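Added example, not part of the thread and not Microsoft's tooling: a small Python parser for the "File Scan Data" lines of an MGADiag report that splits each HRESULT into facility and code and groups the files by it, which makes it easy to separate "path not found" entries (the removed WAT Update files) from signature-check failures. The sample lines are excerpted from the report posted above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Standard Windows HRESULT values that occur in the report on this page.
KNOWN_HRESULTS = {
    0x80070002: "ERROR_FILE_NOT_FOUND (Win32 error 2)",
    0x80070003: "ERROR_PATH_NOT_FOUND (Win32 error 3)",
    0x80040154: "REGDB_E_CLASSNOTREG (class not registered)",
    0x80092003: "CRYPT_E_FILE_ERROR (error reading or writing a file)",
    0x800B0100: "TRUST_E_NOSIGNATURE (no signature present in the subject)",
}
FACILITIES = {4: "ITF", 7: "WIN32", 9: "SSPI/crypto", 11: "CERT"}

# MGADiag uses two layouts:
#   File Mismatch: <path>[Hr = 0x...]            (file could not be opened)
#   File Mismatch: <path>[<version>], Hr = 0x... (file present, check failed)
LINE_RE = re.compile(
    r"^\s*File Mismatch:\s*(?P<path>.+?)\[(?P<inner>[^\]]*)\]"
    r"(?:,\s*Hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]+))?\s*$"
)
INNER_HR_RE = re.compile(r"Hr\s*=\s*(0x[0-9A-Fa-f]+)")


def decode_hresult(hr):
    """Split a 32-bit HRESULT into severity, facility and code."""
    facility = (hr >> 16) & 0x7FF
    return {
        "failed": bool(hr >> 31),
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "other"),
        "code": hr & 0xFFFF,
        "name": KNOWN_HRESULTS.get(hr, "unknown"),
    }


def parse_file_scan(report_text):
    """Return one dict per 'File Mismatch' line; other lines are skipped."""
    entries = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        version, hr_text = m.group("inner"), m.group("hr")
        if hr_text is None:  # first layout: HRESULT is inside the brackets
            inner = INNER_HR_RE.search(version)
            if inner is None:
                continue
            version, hr_text = None, inner.group(1)
        entries.append(
            {"path": m.group("path"), "version": version, "hresult": int(hr_text, 16)}
        )
    return entries


def group_by_hresult(entries):
    """Map each HRESULT to the list of file paths that reported it."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["hresult"]].append(entry["path"])
    return dict(groups)


# Excerpt of the File Scan Data section from the report in this thread.
SAMPLE = r"""
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
"""

if __name__ == "__main__":
    for hr, paths in sorted(group_by_hresult(parse_file_scan(SAMPLE)).items()):
        print(f"0x{hr:08X} {decode_hresult(hr)['name']}")
        for path in paths:
            print("   ", path)
```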
  • No, but when I try to install Microsoft Security Essentials, it still fails claiming that it can only be installed on a genuine Windows system.
    Monday, May 14, 2012 6:51 PM
  • "geverl" wrote in message news:c8e58e31-465b-4564-86f7-23a540316d7d...
    No, but when I try to install Microsoft Security Essentials, it still fails claiming that it can only be installed on a genuine Windows system.
     
     
    That's interesting! - although I don't think that it illuminates the issue at all.
     
    I think we are at that stage where a choice has to be made - continue with the troubleshooting or attempt a repair install.
     
    It's your decision.
    For details of how to do a repair install, see this tutorial...
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 14, 2012 8:05 PM
    Moderator
  • From my perspective that's very simple: if you tell me that all hope's lost, I'll try a repair install. Otherwise, I'm happy to continue troubleshooting if you are. But then again I'll also understand if you tell me that enough is enough.

    Monday, May 14, 2012 8:09 PM
  • "geverl" wrote in message news:d202aad6-d37b-4a46-bdc1-6055f72002e6...

    From my perspective that's very simple: if you tell me that all hope's lost, I'll try a repair install. Otherwise, I'm happy to continue troubleshooting if you are. But then again I'll also understand if you tell me that enough is enough.

    Not lost - merely mislaid! <g>
    (and thanks for the vote of support) - Anytime you've had  enough, just shout, and we'll call it a day.
    I need to play a little and see how many ways I can find to screw the report - back tomorrow.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, May 14, 2012 8:28 PM
    Moderator
  • "Noel D Paton" wrote in message news:3d1666c7-4d51-49ed-bf57-40ac01309dcb...
    "geverl" wrote in message news:d202aad6-d37b-4a46-bdc1-6055f72002e6...

    From my perspective that's very simple: if you tell me that all hope's lost, I'll try a repair install. Otherwise, I'm happy to continue troubleshooting if you are. But then again I'll also understand if you tell me that enough is enough.

    Not lost - merely mislaid! <g>
    (and thanks for the vote of support) - Anytime you've had  enough, just shout, and we'll call it a day.
    I need to play a little and see how many ways I can find to screw the report - back tomorrow.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
    No - I haven't forgotten you :)
     
    Let's have a look elsewhere in the registry

    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /S

    You'll need to upload that - it runs to 26KB on a default install!
    (this is an area I've not been into before - so it'll take a while to make any sense).

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 16, 2012 1:21 PM
    Moderator
  • Mine is only 11KB: reg16.5.12.txt
    Wednesday, May 16, 2012 1:27 PM
  • "geverl" wrote in message news:8bb7d246-da2a-420f-b732-eacfc218e695...
    Mine is only 11KB: reg16.5.12.txt
     
    - actually so is mine when I use the command, rather than export from regedit :)
     
    There's no difference from my default install with a Retail disk - and only one change from my 'live' (OEM) one -
    so I don't think there's anything to be gained by following down that route.
     
    (back into hunt mode - see you later!)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 16, 2012 2:11 PM
    Moderator
  • "Noel D Paton" wrote in message news:b6c196b1-241a-49be-bfcd-20d4aff88e4d...
    "geverl" wrote in message news:8bb7d246-da2a-420f-b732-eacfc218e695...
    Mine is only 11KB: reg16.5.12.txt
     
    - actually so is mine when I use the command, rather than export from regedit :)
     
    There's no difference from my default install with a Retail disk - and only one change from my 'live' (OEM) one -
    so I don't think there's anything to be gained by following down that route.
     
    (back into hunt mode - see you later!)

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
     
    Something just happened elsewhere which gave me an idea.....
     
    Please open Windows Explorer, and navigate to the C:\Windows folder.
    in the Search box (top right) type
    size:empty
    wait for the list to complete (could be a few minutes) - how many files are found? (I get 10)
    Are any of type 'Application' or 'DLL File' ?
    If so, please list them
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 16, 2012 3:32 PM
    Moderator
  • 127 files, no applications or DLLs
    Wednesday, May 16, 2012 3:35 PM
  • "geverl" wrote in message news:57715660-f4f9-487f-8ed5-ed7da61b043e...
    127 files, no applications or DLLs
     
    Let's see what else you have installed on the machine - please download and install Belarc Advisor (www.belarc.com) and run it.
    This will produce a large report in HTML which can be saved from IE as a *.txt file (which doesn't look pretty, but can at least be edited easily - so please remove the Software Licenses section!) then upload it to your SkyDrive.
     
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 19, 2012 1:54 PM
    Moderator
  • I've edited and uploaded the HTML file ((Asterix-PC).html).

    Saturday, May 19, 2012 2:06 PM
  • "geverl" wrote in message news:1882d9b5-a247-4633-aec4-ad0bc3c2b268...

    I've edited and uploaded the HTML file ((Asterix-PC).html).

    I can see nothing there that's likely to have caused your problems.
    [back into hunt mode]

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 19, 2012 5:07 PM
    Moderator
  • "Noel D Paton" wrote in message news:17f18f88-4def-4a8a-924b-296f371f9c88...
    "geverl" wrote in message news:1882d9b5-a247-4633-aec4-ad0bc3c2b268...

    I've edited and uploaded the HTML file ((Asterix-PC).html).

    I can see nothing there that's likely to have caused your problems.
    [back into hunt mode]

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
    Going back over the thread, I find I missed something -
    Please open Windows Explorer, and navigate to the C:\Windows folder.
    in the Search box (top right) type
    size:empty
    wait for the list to complete (could be a few minutes) - how many files are found? (I get 10)
    Are any of type 'Application' or 'DLL File'  or 'MUI File' ?
    If so, please list them  (I missed the MUI file possibility last time).
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 19, 2012 8:18 PM
    Moderator
  • "Noel D Paton" wrote in message news:b8953c7d-987d-4e65-9f74-a473470dde4a...
    Going back over the thread, I find I missed something -
    Please open Windows Explorer, and navigate to the C:\Windows folder.
    in the Search box (top right) type
    size:empty
    wait for the list to complete (could be a few minutes) - how many files are found? (I get 10)
    Are any of type 'Application' or 'DLL File'  or 'MUI File' ?
    If so, please list them  (I missed the MUI file possibility last time).
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
     
    Also please run the following commands - you'll probably need to save and upload the output to your SkyDrive
     
    dir C:\Windows\sl*.* /s
    dir C:\Windows\spp*.* /s
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Saturday, May 19, 2012 8:36 PM
    Moderator
  • There are no MUI files in c:\windows

    The output from the 2 commands is in 19.5.12.txt.

    Saturday, May 19, 2012 9:00 PM
  • "geverl" wrote in message news:efea5e6c-5465-4219-9d0f-a03223aa726b...

    There are no MUI files in c:\windows

    The output from the 2 commands is in 19.5.12.txt.

    Nothing  there out of the ordinary.
    I'm struggling here to find anything that can reproduce anything like your problem.
     
    You  should consider a repair install at least - back up your data first, just in case, if you decide on that option!
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Sunday, May 20, 2012 6:25 PM
    Moderator
  • I'm planning to do a repair install next Sunday.

    Do you have experience with this procedure?

    How likely is it that I will have to reinstall many if not most of my applications and their specific settings?

    Sunday, May 20, 2012 6:45 PM
  • "geverl" wrote in message news:012bd1bf-5938-4718-a1ff-5b9e671ac549...

    I'm planning to do a repair install next Sunday.

    Do you have experience with this procedure?

    How likely is it that I will have to reinstall many if not most of my applications and their specific settings?

    With a repair install, and a little luck, you won't have to reinstall anything other than the Windows updates, and your anti-virus.
     
    See here for one of the best set of instructions I know.....

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by Darin Smith MS Friday, May 25, 2012 9:29 PM
    • Unmarked as answer by geverl Tuesday, May 29, 2012 8:15 PM
    Sunday, May 20, 2012 6:57 PM
    Moderator
  • I'm getting ready to do a repair install.

    In http://www.sevenforums.com/tutorials/3413-repair-install.html?ltr=R it says

    Here I see a major problem, given that all my documents, pictures, videos, music files etc. i.e. my My Music, My Documents, My Pictures and My Videos folders are on my large D: partition, whereas Windows 7 is installed on the C: partition. Given that we are talking hundreds of GB, it is not possible to move these files to the C: partition (and it would completely invalidate the purpose of creating a separate data partition in the first place).

    Is there an acceptable solution to this problem?


    • Edited by geverl Friday, May 25, 2012 5:32 PM
    Friday, May 25, 2012 5:29 PM
  • Simply switch the defaults back to where they should be without copying the data - that will preserve the current files ( although possibly not the metadata)

    This is one of the big problems with using unsupported changes to the file structure. :(

    My experience doesn't extend this far - so I can't really help.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Friday, May 25, 2012 5:43 PM
    Moderator
  • I've switched the defaults back without copying, which seems to have worked fine.

    But when I try to do a repair install, it spends a long time to "check compatibility" and then fails with the following error:

    The following issues are preventing Windows from upgrading. Cancel the upgrade, complete each task, and then restart the upgrade to continue.
    An error prevented a required compliance check from completing. Cancel the installation and try upgrading again.

    Now how funny and useful is that message?

    I cannot even do a repair install!

    Saturday, May 26, 2012 9:44 AM
  • "geverl" wrote in message news:d2361463-056e-4529-aef4-485595aad382...

    I've switched the defaults back without copying, which seems to have worked fine.

    But when I try to do a repair install, it spends a long time to "check compatibility" and then fails with the following error:

    The following issues are preventing Windows from upgrading. Cancel the upgrade, complete each task, and then restart the upgrade to continue.
    An error prevented a required compliance check from completing. Cancel the installation and try upgrading again.

    Now how funny and useful is that message?

    I cannot even do a repair install!

    I have to admit I have no idea what causes that message.
     
    I would suggest posting for assistance in a more appropriate forum - either
     
    or
    2) SevenForums - (I think this is the right one to pick...) http://www.sevenforums.com/installation-setup/
     
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    • Marked as answer by geverl Tuesday, May 29, 2012 8:13 PM
    Saturday, May 26, 2012 10:19 AM
    Moderator
  • Carey,

    Unfortunately you were right.

    After 2 days of work and a clean reinstall, I'm operational again.

    To say that I am disappointed by the lacking ability of my "professional" OS to communicate with human beings would be a major understatement.

    It seems like the problem was due to my dual boot installation with GRUB 1.99 in the MBR.

    Cheers,

    Gilles

    Tuesday, May 29, 2012 8:13 PM
  • Noel,

    Many thanks for your relentless efforts to help.

    Your pointing me to the sevenforums site finally gave me at least a probable explanation for what had gone wrong.

    Cheers,

    Gilles

    Tuesday, May 29, 2012 8:15 PM
  • "geverl" wrote in message news:c62a00e8-9a68-4ad5-a70a-51824554a7cb...

    Noel,

    Many thanks for your relentless efforts to help.

    Your pointing me to the sevenforums site finally gave me at least a probable explanation for what had gone wrong.

    Cheers,

    Gilles

    You're welcome - I don't recall GRUB being mentioned in our thread  here, or I may have given up earlier :)
    I would tend to think in terms of third-party boot managers when dual-booting Windows and *nix because of historical problems in a conventional dual-boot situation with the two  - but have no personal experience of *nix anyhow, so can't honestly advise.
     
    Good Luck with the 'new computers' :)
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Wednesday, May 30, 2012 10:03 AM
    Moderator