Windows not genuine after system restore -- error 0x800700B7

  • Question

  • This is on a desktop that had been upgraded from Vista to 7 -- after cleaning off a malware infection, it would not fully boot to the login screen, so a System Restore was attempted to fix it. The Restore said it did not complete successfully, but when I rebooted, the problem had been fixed and it said the system had been restored.

    But then a new problem arose: Windows now thinks it is counterfeit.

    I've already run sfc, chkdsk, updated storage drivers, tried the permissions fix, tried clean startup... nothing helped. So the next thing I was going to try was a repair install from the Win7 upgrade disc.

    So here's my MGADiag.

    ---

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: N/A, hr = 0x800700b7
    Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
    Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
    Windows Product ID: 00359-030-1202835-85167
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.120330-1504
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXC061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x800700B7' to display the error text.
    Error: 0x800700B7 

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: N/A
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbvIEsM6yM8KDkewqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC DELL   B8K    
      FACP DELL   B8K    
      HPET DELL   B8K    
      BOOT DELL   B8K    
      MCFG DELL   B8K    
      SSDT DELL st_ex
      DUMY DELL   B8K    
      SLIC DELL   B8K    


    • Edited by GarrettW87 Thursday, September 13, 2012 10:01 PM corrected error code in thread title
    Thursday, September 13, 2012 9:53 PM
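    The report above is mostly HRESULT values, and they are easier to reason about once split into facility and code: 0x8007xxxx wraps a Win32 error (0x800700B7 is Win32 183, ERROR_ALREADY_EXISTS, which is why the reply below talks about duplicate filenames), and 0x800Bxxxx is a certificate/Authenticode result (0x800B0100 on every "File Mismatch" line is TRUST_E_NOSIGNATURE, i.e. the signature check on that system file found nothing). The following Python is an added example, not part of the thread or of the MGADiag tool: it decodes HRESULTs with the documented bit layout and pulls the "File Mismatch" and "Tampered File" lines out of a report. The report text it runs on is a constructed excerpt in the shape of the one above, and the error-name tables are a small subset I am confident of.

```python
"""Decode the HRESULT codes in an MGADiag report and list the files it flags.

Added example, not part of the thread; the report text below is a constructed
excerpt in the shape of the report in the first post.
"""
import re

# HRESULT layout: bit 31 = failure, bits 16-26 = facility, bits 0-15 = code.
FACILITY_WIN32 = 7    # wrapped Win32 error codes (0x8007xxxx)
FACILITY_CERT = 11    # certificate / Authenticode errors (0x800Bxxxx)

# Names for the codes that occur in this kind of report (a constructed subset).
WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    183: "ERROR_ALREADY_EXISTS",   # 0x800700B7, the code in the thread title
    1717: "RPC_S_UNKNOWN_IF",      # 0x800706B5, reported later when copying the report
}
CERT_NAMES = {0x100: "TRUST_E_NOSIGNATURE"}  # 0x800B0100 on every 'File Mismatch' line


def decode_hresult(value):
    """Return (failed, facility, code, name) for a 32-bit HRESULT."""
    failed = bool(value & 0x80000000)
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    if facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code, "Win32 error %d" % code)
    elif facility == FACILITY_CERT:
        name = CERT_NAMES.get(code, "CERT error 0x%X" % code)
    else:
        name = "facility %d code 0x%04X" % (facility, code)
    return failed, facility, code, name


MISMATCH_RE = re.compile(
    r"File Mismatch: (?P<path>[^\[\s]+)\[(?P<version>[^\]]+)\], Hr = (?P<hr>0x[0-9A-Fa-f]+)")
TAMPERED_RE = re.compile(r"Tampered File: (?P<entry>\S.*)")
HRESULT_RE = re.compile(r"0x([0-9A-Fa-f]{8})\b")


def parse_report(text):
    """Collect mismatched files, tampered-file entries and distinct failure HRESULTs."""
    mismatches, tampered = [], []
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            mismatches.append((m.group("path"), m.group("version"), int(m.group("hr"), 16)))
            continue
        t = TAMPERED_RE.search(line)
        if t:
            # Entries are pipe-separated: the binary, its .mui resource, sometimes 'COM Registration'.
            tampered.append(t.group("entry").strip().split("|"))
    failures = {int(h, 16) for h in HRESULT_RE.findall(text)}
    failures = sorted(h for h in failures if h & 0x80000000)   # keep only failure codes
    return {"mismatches": mismatches, "tampered": tampered, "hresults": failures}


def summarize(text):
    """Human-readable lines: one per distinct HRESULT, then the flagged-file counts."""
    report = parse_report(text)
    lines = []
    for hr in report["hresults"]:
        _, facility, _, name = decode_hresult(hr)
        lines.append("0x%08X = %s (facility %d)" % (hr, name, facility))
    lines.append("%d unsigned/mismatched files, %d tampered-file entries"
                 % (len(report["mismatches"]), len(report["tampered"])))
    return lines


# Constructed excerpt in the shape of the report in the first post (not the full report).
SAMPLE_REPORT = r"""
Validation Code: 0x8004FE21
Cached Online Validation Code: N/A, hr = 0x800700b7
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
Error: 0x800700B7
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE_REPORT):
        print(line)
```

    Running it on a full report pasted into SAMPLE_REPORT gives one line per distinct failure code plus the counts; the useful signal is that every licensing binary fails with the same certificate-facility code rather than with a file-not-found or access-denied Win32 code, which points at signature/catalog verification (the Catroot2 suggestion below) rather than at missing files.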

Answers

  • There's no sign of any such SFC problems in the log?

    However there are indications that the Catroot2 folder is corrupt - not surprising if the content was locked by permissions problems elsewhere.

    http://support.microsoft.com/kb/822798 probably applies.

    I have to admit to considering a repair install myself - there do seem to be a large number of permissions problems, and I doubt that we've found all of them.

    Do you have an SP1 disk? - if not, download the SP1 Refresh for your language and edition from the links on these pages...

    Heidoc - Microsoft DR Download links

    The links are for downloads from the Digital River servers run for MS, so are about as safe as you can get :)

    Once you have it downloaded, you then need to burn the DVD from it - use either the Windows Disk Image Burner, or (better still) your favourite burning application at the slowest speed possible.

    Note that you do NOT 'drag and drop' the file to the disk, you must use the 'burn an image' option from your app - or you'll end up with a useless coaster :)

    Once you have the disk burnt, check that it boots the (or any other) system OK - but do NOT start the repair from there - you must start the repair from within a normal Windows boot.

    Follow the instructions in this tutorial - http://www.sevenforums.com/tutorials/3413-repair-install.html?ltr=R

    - and they should help you get through it (it's not as difficult as it looks!)

    Always ask questions first if you're unsure - either here, or in sevenforums.



    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    • Marked as answer by GarrettW87 Tuesday, September 18, 2012 2:59 PM
    Monday, September 17, 2012 9:19 PM
    Moderator

All replies

  • Please run the following commands in an Elevated Command Prompt

    NET STOP CRYPTSVC

    REN C:\WINDOWS\SYSTEM32\CATROOT2 CATROOT2OLD

    NET START CRYPTSVC

    once complete, reboot, and run another MGADiag report.

    Note that this will delete your Update History - but all updates will remain
    installed, and can be viewed in the Installed Updates listing.



    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Friday, September 14, 2012 8:25 AM
    Moderator
  • Hey, thanks for helping out.

    The new MGADiag report is exactly the same as the one I posted above. :/

    Friday, September 14, 2012 6:12 PM
  • The error is complaining about duplicate filenames - but doesn't explain which ones it's talking about.

    A number are created when MGADiag is run - please run the following commands in an Elevated Command Prompt

    DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform /S
    ATTRIB C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\*.* /S
    ATTRIB C:\Windows\7b*.* /S
    ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData 
    ICACLS C:\Windows\ServiceProfiles\Networkservice 
    ICACLS C:\Windows\ServiceProfiles 
    ICACLS C:\Windows 
    ICACLS C:\Windows\System32

    Here are some instructions to make life easier :)

    1) To open an Elevated Command Prompt Window (the CP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt. 

    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once. 

    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.     


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth


    Friday, September 14, 2012 6:26 PM
    Moderator
  • Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform /S
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform

    09/12/2012  11:05 PM    <DIR>          .
    09/12/2012  11:05 PM    <DIR>          ..
    07/13/2009  11:34 PM    <DIR>          Cache
    09/05/2012  05:27 PM         7,178,489 tokens.bar
                   1 File(s)      7,178,489 bytes

     Directory of C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache

    07/13/2009  11:34 PM    <DIR>          .
    07/13/2009  11:34 PM    <DIR>          ..
    09/05/2012  06:26 PM            92,072 cache.dat
                   1 File(s)         92,072 bytes

         Total Files Listed:
                   2 File(s)      7,270,561 bytes
                   5 Dir(s)  255,677,657,088 bytes free

    C:\Windows\system32>ATTRIB C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\*.* /S
    A       I    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    A       I    C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.bar

    C:\Windows\system32>ATTRIB C:\Windows\7b*.* /S
    A    R       C:\Windows\Installer\7b0b8.msp
    A  S    I    C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    A  S    I    C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    A  S    I    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    A  S    I    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_4E8F6C8278BCBC42EAD0560F6112023C
    A  S    I    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
    A  S    I    C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_4E8F6C8278BCBC42EAD0560F6112023C
    A   H        C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    A   H        C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    A   H        C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    A   H        C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    A            C:\Windows\winsxs\Catalogs\7babd2d1fb37e8c2ace373b22dac383b0469fe8fe9b7ec6659da1a0b2409e477.cat
    A            C:\Windows\winsxs\Catalogs\7bbd5694f52a6da7f347a0775dea29798731ffa15462194a615442c370e2dfd8.cat
    A            C:\Windows\winsxs\Temp\PendingRenames\7b3384da6891cd017e150000d0063416.$$_diagnostics_system_performance_d48bf95b5c828123.cdf-ms
    A            C:\Windows\winsxs\Temp\PendingRenames\7b44e7f86891cd01d3170000d0063416.program_files_microsoft_games_purble_place_44b505b0372ceb5f.cdf-ms
    A            C:\Windows\winsxs\Temp\PendingRenames\7bae78946891cd01b20f0000d0063416.$$_inf_w3svc_0ef6c7aee1e4154f.cdf-ms
    A            C:\Windows\winsxs\Temp\PendingRenames\7bb62c9d6891cd01f8100000d0063416.$$_system32_migwiz_dlmanifests_microsoft-windows-textservicesframework-migration-dl_549205906affe6bf.cdf-ms

    C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
    C:\Windows\ServiceProfiles\NetworkService\AppData NT AUTHORITY\SYSTEM:(F)
                                                      BUILTIN\Administrators:(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice
    C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEM:(F)
                                              BUILTIN\Administrators:(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles
    C:\Windows\ServiceProfiles NT SERVICE\TrustedInstaller:(I)(F)
                               NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Users:(I)(RX)
                               BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                               CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows
    C:\Windows NT SERVICE\TrustedInstaller:(F)
               NT SERVICE\TrustedInstaller:(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(M)
               NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
               BUILTIN\Administrators:(M)
               BUILTIN\Administrators:(OI)(CI)(IO)(F)
               BUILTIN\Users:(RX)
               BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
               CREATOR OWNER:(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32
    C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                        NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                        NT AUTHORITY\SYSTEM:(M)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                        BUILTIN\Administrators:(M)
                        BUILTIN\Administrators:(OI)(CI)(IO)(F)
                        BUILTIN\Users:(RX)
                        BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                        CREATOR OWNER:(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    Friday, September 14, 2012 9:21 PM
  • C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
    C:\Windows\ServiceProfiles\NetworkService\AppData NT AUTHORITY\SYSTEM:(F)
                                                      BUILTIN\Administrators:(F)

    C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice
    C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEM:(F)
                                              BUILTIN\Administrators:(F)

    Seem to be the cause of the problem - the services don't have any permissions, and the existing permissions are wrong.

    Please run the following commands in an Elevated Command Prompt

    ICACLS C:\Windows\ServiceProfiles\Networkservice /grant:r Administrators:(OI)(CI)(F)

    ICACLS C:\Windows\ServiceProfiles\Networkservice /grant:r "NETWORK SERVICE":(OI)(CI)(F)

    ICACLS C:\Windows\ServiceProfiles\Networkservice /grant:r SYSTEM:(OI)(CI)(F)

    ICACLS C:\Windows\ServiceProfiles\Networkservice\AppData /grant:r Administrators:(OI)(CI)(F)

    ICACLS C:\Windows\ServiceProfiles\Networkservice\AppData /grant:r "NETWORK SERVICE":(OI)(CI)(F)

    ICACLS C:\Windows\ServiceProfiles\Networkservice\AppData /grant:r SYSTEM:(OI)(CI)(F)

    Once complete, reboot and run another MGADiag report - post the results.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Friday, September 14, 2012 10:02 PM
    Moderator
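    The diagnosis above rests on reading ICACLS output by eye: the NetworkService profile folder lists only SYSTEM and Administrators, each with plain (F) and no (OI)(CI), so nothing propagates to AppData and the Software Protection service's own account has no entry at all, whereas the healthy parent folder shows each principal with both an object ACE and an inherit-only (OI)(CI)(IO) ACE. The Python below is an added example, not code from the thread, that makes that check mechanical: it parses the ICACLS listing format shown above and reports, per required principal, whether full control is missing or fails to propagate. The three listings in it are constructed: two copy the shape of the output posted in this thread, and the third is my assumption of the shape after the /grant:r commands above are applied (nobody in the thread posted that output).

```python
"""Audit icacls output for the principals the Software Protection service needs.

Added example, not code from the thread. Listings below are constructed copies
of the shapes posted above plus one assumed post-fix listing.
"""
import re

# Principals the fix above grants on the NetworkService profile folders.
REQUIRED = ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "NT AUTHORITY\\NETWORK SERVICE")

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(output, path):
    """Return [(principal, [flags...]), ...] from the output of `ICACLS <path>`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # icacls prints the path only in front of the first ACE; drop it (case-insensitive).
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("principal"), re.findall(r"\(([^)]*)\)", m.group("flags"))))
    return aces


def full_control_state(aces):
    """Per principal: full control on the folder itself, and full control that propagates."""
    state = {}
    for principal, flags in aces:
        s = state.setdefault(principal, {"object": False, "inherit": False})
        if "F" not in flags:
            continue
        if "IO" not in flags:                 # not inherit-only, so it applies to the folder
            s["object"] = True
        if "OI" in flags and "CI" in flags:   # object + container inherit: reaches children
            s["inherit"] = True
    return state


def audit(aces, required=REQUIRED):
    """List the problems worth flagging, in `required` order; empty list means healthy."""
    state = full_control_state(aces)
    findings = []
    for principal in required:
        s = state.get(principal)
        if s is None or not (s["object"] or s["inherit"]):
            findings.append("%s: no full-control ACE" % principal)
        elif not s["inherit"]:
            findings.append("%s: full control does not propagate (missing (OI)(CI))" % principal)
    return findings


NS_PATH = r"C:\Windows\ServiceProfiles\Networkservice"
# Shape of the broken listing posted above (constructed copy).
BROKEN = r"""
C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEM:(F)
                                          BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files
"""
PARENT_PATH = r"C:\Windows\ServiceProfiles"
# Shape of the healthy parent-folder listing posted above (constructed copy).
PARENT = r"""
C:\Windows\ServiceProfiles NT SERVICE\TrustedInstaller:(I)(F)
                           NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Administrators:(I)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                           BUILTIN\Users:(I)(RX)
                           BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                           CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""
# Assumed shape after the three /grant:r commands for this folder (not posted in the thread).
FIXED = r"""
C:\Windows\ServiceProfiles\Networkservice BUILTIN\Administrators:(OI)(CI)(F)
                                          NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
                                          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(parse_icacls(text, NS_PATH)) or ["ok"])
```

    Pasting the real ICACLS output into BROKEN and FIXED before and after running the grants gives a before/after comparison; an empty list for FIXED is the expected result, and any remaining finding names the principal that still needs attention.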
  • I think that did it!
    MGADiag still throws up an error when I hit Copy -- as of now, it's 0x800706b5 -- but of course it copies ok, so here it is.

    [EDIT] Not so fast... I just now got a popup with the window title "Windows Activation Technologies" saying it's still not genuine, with the error code 0x8004FE21.

    Diagnostic Report (1.9.0027.0):

    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
    Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
    Windows Product ID: 00359-030-1202835-85167
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.120330-1504
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXC061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
    Installation ID: 020555999504445036330772525183246516309593344574792801
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MQVK8
    License Status: Initial grace period
    Time remaining: 43200 minute(s) (30 day(s))
    Remaining Windows rearm count: 5
    Trusted time: 9/14/2012 5:12:22 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: N/A
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC DELL   B8K    
      FACP DELL   B8K    
      HPET DELL   B8K    
      BOOT DELL   B8K    
      MCFG DELL   B8K    
      SSDT DELL st_ex
      DUMY DELL   B8K    
      SLIC DELL   B8K    


    • Edited by GarrettW87 Saturday, September 15, 2012 4:44 AM still not fixed :(
    Friday, September 14, 2012 11:44 PM
  • That one's relatively common - I hope...

    This may simply be caused by a bad set of Intel Rapid Storage Technology drivers -

    Installing the Intel Rapid Storage Drivers

    try downloading and installing them from here - http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=2101&DwnldID=21730

    Once complete, please reboot twice, then post another MGADiag report.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Saturday, September 15, 2012 8:19 AM
    Moderator
  • That one won't install on my system (it says my computer "doesn't meet the minimum requirements for installation") and I believe that's not the exact one I need.
    I've already looked into this fix and determined that what mine needs is the Matrix Storage Manager, but there's one problem: when I try to install that, the installer crashes about halfway through, so not all of the files get installed.
    Saturday, September 15, 2012 12:39 PM
  • Have you checked to see if a version of it is already installed? (It may appear in the Programs & Features list) - I assume that it was the IATA89ENU.exe file that you downloaded?

    What response did you get from the NET STOP CRYPTSVC command above? - if it said 'not running' then that may be the problem.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Saturday, September 15, 2012 12:46 PM
    Moderator
  • Yes there was an older version installed -- yes that's the file I downloaded -- and I believe "net stop cryptsvc" did stop the service successfully.
    Saturday, September 15, 2012 3:54 PM
  • What is the EXACT error message you get when you try to install the Matrix driver?

    I have a link for a slightly older version, which has worked for some...

    http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=2101&DwnldID=17412&ProductFamily=Software+Products&ProductLine=Chipset+Software&ProductProduct=Intel%c2%ae+Rapid+Storage+Technology+(Intel%c2%ae+RST)&lang=eng



    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Saturday, September 15, 2012 4:06 PM
    Moderator
  • I just tried uninstalling the old one and then installing the new one again, and it gave me the same problem.

    I'll try the older version now.

    [EDIT] Aaaand it has the same issue.


    • Edited by GarrettW87 Saturday, September 15, 2012 4:35 PM
    Saturday, September 15, 2012 4:28 PM
  • Interesting - there are reports that this error/crash can be caused by Comodo firewall.

    http://www.overclock.net/t/942913/solved-intel-r-install-frame-has-stopped-working

    http://forums.comodo.com/defense-sandbox-help-cis/problem-updating-intel-raid-controller-t72008.0.html

    Please check in your Event Viewer, and see if you can find what's crashing here.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Saturday, September 15, 2012 4:35 PM
    Moderator
  • Interesting. I think that was installed on this computer at one time but it hasn't been for a while.

    Anyway, when I tried to open up Event Viewer I discovered that the Event Log service was not started -- and when I tried to start it, it said "Error 5: Access is denied." So I googled that and was able to solve it fairly easily.

    Fixing the Event Log service allowed the Intel installer (8.9.x version) to complete successfully.
    So here's the latest MGADiag.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
    Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
    Windows Product ID: 00359-030-1202835-85167
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.120330-1504
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXC061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
    Installation ID: 020555999504445036330772525183246516309593344574792801
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MQVK8
    License Status: Initial grace period
    Time remaining: 42120 minute(s) (29 day(s))
    Remaining Windows rearm count: 5
    Trusted time: 9/15/2012 12:07:37 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 7:19:2012 18:34
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC DELL   B8K    
      FACP DELL   B8K    
      HPET DELL   B8K    
      BOOT DELL   B8K    
      MCFG DELL   B8K    
      SSDT DELL st_ex
      DUMY DELL   B8K    
      SLIC DELL   B8K    



    • Edited by GarrettW87 Saturday, September 15, 2012 5:09 PM added version installed
    Saturday, September 15, 2012 5:08 PM
  • Interesting - please reboot, then run the following commands and post the results.

    NET START EVENTLOG

    SC QC EVENTLOG

    SC QUERYEX EVENTLOG

    SC SDSHOW EVENTLOG

    SC QSIDTYPE EVENTLOG

    SC QPRIVS EVENTLOG

    Also export and upload the System and Application Event logs.

      Here are some instructions to make life easier :)

    1) To open an Elevated Command Prompt Window (the CP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt. 

    2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once. 

    3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.     


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth


    Saturday, September 15, 2012 5:46 PM
    Moderator
  • Download:

    Application Event Log
    System Event Log

    -----

    Command output:

    C:\Windows\system32>net start eventlog
    The requested service has already been started.

    More help is available by typing NET HELPMSG 2182.

    C:\Windows\system32>sc qc eventlog
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: eventlog
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k LocalServiceNetw
    orkRestricted
            LOAD_ORDER_GROUP   : Event Log
            TAG                : 0
            DISPLAY_NAME       : Windows Event Log
            DEPENDENCIES       :
            SERVICE_START_NAME : NT AUTHORITY\LocalService

    C:\Windows\system32>sc queryex eventlog

    SERVICE_NAME: eventlog
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 1012
            FLAGS              :

    C:\Windows\system32>sc sdshow eventlog

    D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCR
    RC;;;SY)S:(AU;SA;DCRPWPDTCRSDWDWO;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    C:\Windows\system32>sc qsidtype eventlog
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: eventlog
    SERVICE_SID_TYPE:  UNRESTRICTED

    C:\Windows\system32>sc qprivs eventlog
    [SC] QueryServiceConfig2 SUCCESS

    SERVICE_NAME: eventlog
            PRIVILEGES       : SeChangeNotifyPrivilege
                             : SeImpersonatePrivilege

    Sunday, September 16, 2012 3:07 AM
  • The SC output looks normal

    Please run the following commands in an Elevated Command Prompt

    net stop cryptsvc

    esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

    post the results.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 9:14 AM
    Moderator
  • Some of the errors in the event logs appear to be associated with malware -

    Please download and install Malwarebytes Anti-malware (free version) from www.malwarebytes.org - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.

    Delete everything it finds.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 9:29 AM
    Moderator
  • C:\Windows\system32>net stop cryptsvc
    The Cryptographic Services service is stopping..
    The Cryptographic Services service was stopped successfully.

    C:\Windows\system32>esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11
    D1-85E5-00C04FC295EE}\catdb

    Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
    Version 6.1
    Copyright (C) Microsoft Corporation. All Rights Reserved.

    Error: Access to source database 'C:\Windows\System32\catroot2\{F750E6C3-38EE-11
    D1-85E5-00C04FC295EE}\catdb' failed with Jet error -1811.

    Operation terminated with error -1811 (JET_errFileNotFound, File not found) afte
    r 0.15 seconds.
    Sunday, September 16, 2012 4:33 PM
  • Very Interesting!

     - but not terribly informative, since all it means as far as I can tell is that the database wasn't rebuilt properly when we renamed it earlier. This implies that there is a problem in that area.

    Let's just check that the folder isn't tagged as read-only, amongst other things....

    Please run the following in an Elevated Command Prompt, and post the results.

    DIR C:\Windows\System32 /AR /S

    ICACLS C:\Windows\System32\Catroot2

    REG QUERY HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck

    REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\

    DIR C:\Windows\wintrust.dll.* /s


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 5:05 PM
    Moderator
  • C:\Windows\system32>DIR C:\Windows\System32 /AR /S
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\Windows\System32

    06/23/2006  09:09 AM            19,968 cpuinf32.dll
    11/28/2007  05:34 AM            41,296 hlp95en.dll
    07/05/2006  02:42 PM            81,920 mplaa6.dll
    07/05/2006  02:42 PM            69,632 mplam6.dll
    07/05/2006  02:42 PM            69,632 mplapx.dll
    07/05/2006  02:42 PM            81,920 mplaw7.dll
    07/05/2006  02:42 PM         1,679,360 mplva6.dll
    07/05/2006  02:42 PM         1,585,152 mplvm6.dll
    07/05/2006  02:42 PM         1,159,168 mplvpx.dll
    07/05/2006  02:42 PM         1,654,784 mplvw7.dll
    08/17/2004  09:14 PM           442,368 vp6vfw.dll
                  11 File(s)      6,885,200 bytes

     Directory of C:\Windows\System32\config\systemprofile

    06/14/2012  07:58 PM    <DIR>          Desktop
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\systemprofile\Desktop

    06/14/2012  07:58 PM    <DIR>          .
    06/14/2012  07:58 PM    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\inetsrv\config\schema

    11/04/2010  08:52 PM            38,809 ASPNET_schema.xml
    06/10/2009  04:18 PM            31,863 Ftp_schema.xml
    11/04/2010  08:53 PM            27,105 FX_schema.xml
    11/04/2010  08:53 PM            82,037 IIS_schema.xml
    06/10/2009  04:20 PM             4,757 WebDAV_schema.xml
                   5 File(s)        184,571 bytes

     Directory of C:\Windows\System32\Macromed\Flash

    09/05/2012  03:35 PM         9,639,624 Flash32_11_4_402_265.ocx
                   1 File(s)      9,639,624 bytes

     Directory of C:\Windows\System32\oobe

    07/14/2009  04:26 AM            84,480 drvmgrtn.dll
    07/14/2009  04:26 AM            10,883 envmig.xml
    07/14/2009  04:26 AM           146,432 hwcompat.dll
    07/14/2009  04:26 AM           101,888 migisol.dll
    07/14/2009  04:26 AM            36,864 migtestplugin.dll
    07/14/2009  04:26 AM           587,704 oscomps.xml
    07/14/2009  04:26 AM            21,026 osfilter.inf
    07/14/2009  04:26 AM             1,824 sfcn.dat
    07/14/2009  04:26 AM             1,644 sflcid.dat
    07/14/2009  04:26 AM         3,225,610 sflistlh.dat
    07/14/2009  04:26 AM         2,119,152 sflistw7.dat
    07/14/2009  04:26 AM         1,445,052 sflistxp.dat
    07/14/2009  04:26 AM            10,457 sfpat.inf
    07/14/2009  04:26 AM             9,665 sfpatlh.inf
    07/14/2009  04:26 AM               462 sfpatpg.inf
    07/14/2009  04:26 AM             3,371 sfpatw7.inf
    07/14/2009  04:26 AM             4,386 sfpatxp.inf
    07/14/2009  04:26 AM           164,352 upgcmi2migxml.dll
    07/14/2009  04:26 AM         5,815,808 upgcore.dll
    07/14/2009  04:26 AM           329,216 upgcsiagent.dll
    07/14/2009  04:26 AM           689,664 upgdriver.dll
    07/14/2009  04:26 AM           258,560 upghost.exe
    07/14/2009  04:26 AM           111,616 upgmxeagent.dll
    07/14/2009  04:26 AM         2,820,096 upgradeagent.dll
    07/14/2009  04:26 AM            59,673 upgradeagent.xml
    07/14/2009  04:26 AM           167,756 upgrade_bulk.xml
    07/14/2009  04:26 AM            36,864 upgres.dll
    07/14/2009  04:26 AM           189,952 wdscore.dll
                  28 File(s)     18,454,457 bytes

     Directory of C:\Windows\System32\oobe\en-US

    07/14/2009  04:26 AM             6,656 upgdriver.dll.mui
    07/14/2009  04:26 AM             9,216 upgres.dll.mui
                   2 File(s)         15,872 bytes

     Directory of C:\Windows\System32\restore

    10/24/2009  12:08 AM                76 MachineGuid.txt
                   1 File(s)             76 bytes

         Total Files Listed:
                  48 File(s)     35,179,800 bytes
                   3 Dir(s)  254,171,545,600 bytes free

    C:\Windows\system32>ICACLS C:\Windows\System32\Catroot2
    C:\Windows\System32\Catroot2 NT SERVICE\CryptSvc:(OI)(CI)(F)
                                 NT SERVICE\TrustedInstaller:(I)(F)
                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Users:(I)(RX)
                                 BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trus
    t\CertCheck

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00
    AAC56B-CD44-11D0-8CC2-00C04FC295EE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{09
    6CE0A5-8160-4557-866E-3A80540F34A1}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{18
    9A3842-3041-11D1-85E1-00C04FC295EE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{31
    D1ADC1-D329-11D1-8ED8-0080C76516C6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{57
    3E31F8-AABA-11D0-8CCB-00C04FC295EE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{57
    3E31F8-DDBA-11D0-8CCB-00C04FC295EE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{64
    B9D180-8DA2-11CF-8736-00AA00A485EB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{78
    01EBD0-CF4B-11D0-851F-0060979387EA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7
    F4C378-21BE-494e-BA0F-BB12C5D208C5}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6
    B2E8D0-E005-11CF-A134-00C04FD7BF43}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{D4
    1E4F1D-A407-11D1-8BC9-00C04FA30A41}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{D4
    1E4F1F-A407-11D1-8BC9-00C04FA30A41}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{F7
    50E6C3-38EE-11D1-85E5-00C04FC295EE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC
    451C16-AC75-11D1-B4B8-00C04FB66EA0}

    C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Pr
    oviders\Trust\CertCheck\
    ERROR: The system was unable to find the specified registry key or value.

    C:\Windows\system32>DIR C:\Windows\wintrust.dll.* /s
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\Windows\System32

    03/01/2012  12:37 AM           172,544 wintrust.dll
                   1 File(s)        172,544 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7600.16385_none_ef848fe8fb647a74

    07/13/2009  08:16 PM           172,544 wintrust.dll
                   1 File(s)        172,544 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7600.16493_none_ef77c14efb6e60de

    12/29/2009  01:55 AM           172,032 wintrust.dll
                   1 File(s)        172,032 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7600.16970_none_ef8a69c6fb60ceba

    03/01/2012  12:49 AM           172,544 wintrust.dll
                   1 File(s)        172,544 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7600.20605_none_f064afe014413504

    12/29/2009  02:11 AM           172,032 wintrust.dll
                   1 File(s)        172,032 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7600.21160_none_f01eaea0147685d5

    03/01/2012  12:29 AM           172,544 wintrust.dll
                   1 File(s)        172,544 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7601.17514_none_f1b5a3b0f852fe0e

    11/20/2010  07:21 AM           172,032 wintrust.dll
                   1 File(s)        172,032 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7601.17787_none_f16cf8e6f88907f8

    03/01/2012  12:37 AM           172,544 wintrust.dll
                   1 File(s)        172,544 bytes

     Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
    e35_6.1.7601.21933_none_f228a60c1181b3d8

    03/01/2012  12:23 AM           172,544 wintrust.dll
                   1 File(s)        172,544 bytes

         Total Files Listed:
                   9 File(s)      1,551,360 bytes
                   0 Dir(s)  254,170,984,448 bytes free


    • Edited by GarrettW87 Sunday, September 16, 2012 7:48 PM removed a duplicate command
    Sunday, September 16, 2012 6:25 PM
  • You have some very odd folders tagged as read-only! - namely :-

    C:\Windows\System32\oobe

    C:\Windows\System32\oobe\en-US

    C:\Windows\Config\Systemprofile

    We need to correct those before we can see the wood for the trees!

    Open Windows Explorer (Computer)

    Navigate to the C:\Windows folder

    Find the System32 sub-folder and right-click on it

    Select Properties

    Clear the 'blob' from the 'Read-only (Only applies to files in folder)' box by clicking on it until it's plain white.

    Click on Apply.

    Make sure that the radio button for 'Apply changes to this folder, subfolders and files' is set, and click OK.

    Accept the Administrator prompt. After a couple of seconds, you'll be told there is an error - click on the 'Ignore all' button.

    Wait for it to finish - it could take a couple of minutes.

    OK out, and exit Windows Explorer.

     

    Reboot twice

    Then run the following command again

    DIR C:\Windows\System32\*.* /AR /S

    and post the results.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 8:15 PM
    Moderator
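The read-only check on System32, the catroot2 ACL and catdb presence, and the version/signature state of the SPP files the MGADiag report lists as tampered, collected in one PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell prompt on the affected machine, and the -ClearDirReadOnly switch is this script's own option, not a Windows one.

```powershell
# Added example (not from the thread): gathers in one pass the checks the
# moderator asks for above, so the output can be pasted into a reply.
# Run from an elevated PowerShell prompt on the affected machine.
# -ClearDirReadOnly (this script's own option) clears the ReadOnly attribute on
# directories only, which is what the Explorer procedure above does for the
# folders; without it the script only reports.
param([switch]$ClearDirReadOnly)

$sys32    = Join-Path $env:SystemRoot 'System32'
$catroot2 = Join-Path $sys32 'catroot2'
# Catalog database the esentutl command in the thread could not open
# (JET_errFileNotFound); the GUID subfolder name is taken from the thread.
$catdb    = Join-Path $catroot2 '{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb'

# 1. Directories under System32 carrying the ReadOnly attribute
#    (equivalent of DIR C:\Windows\System32 /AR /S, restricted to directories).
Write-Host "== Read-only directories under $sys32 =="
$roDirs = @(Get-ChildItem -Path $sys32 -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and
                   (($_.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) })
if ($roDirs.Count -eq 0) { Write-Host '(none)' }
foreach ($d in $roDirs) {
    Write-Host $d.FullName
    if ($ClearDirReadOnly) {
        # The bit is known to be set here, so XOR clears just ReadOnly and
        # leaves Hidden/System/etc. untouched.
        $d.Attributes = $d.Attributes -bxor [IO.FileAttributes]::ReadOnly
    }
}

# 2. catroot2: its ACL (equivalent of ICACLS C:\Windows\System32\Catroot2)
#    and whether the catalog database file actually exists.
Write-Host "`n== ACL on $catroot2 =="
(Get-Acl -Path $catroot2).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize |
    Out-String | Write-Host
Write-Host ("catdb present: {0}" -f (Test-Path -Path $catdb))

# 3. Version and Authenticode state of the Software Protection Platform files
#    the MGADiag report lists as Tampered File / File Mismatch with
#    Hr = 0x800b0100 (TRUST_E_NOSIGNATURE).
#    Caveat: these files are catalog-signed. Older PowerShell builds, including
#    Windows 7's default, do not consult catalogs and report NotSigned for all of
#    them; use sigverif.exe there. Catalog-aware checking arrived in PowerShell 5.1.
$sppFiles = @('sppobjs.dll', 'sppc.dll', 'sppcext.dll', 'sppwinob.dll', 'slc.dll',
              'slcext.dll', 'sppuinotify.dll', 'slui.exe', 'sppcomapi.dll',
              'sppcommdlg.dll', 'sppsvc.exe', 'drivers\spsys.sys',
              'systemcpl.dll', 'user32.dll')
Write-Host "`n== SPP components (name, signature status, file version) =="
foreach ($name in $sppFiles) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path -Path $path)) {
        Write-Host ("{0,-20} MISSING" -f $name)
        continue
    }
    $ver = (Get-Item -Path $path).VersionInfo.FileVersion
    $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    Write-Host ("{0,-20} {1,-14} {2}" -f $name, $sig, $ver)
}
```

Run it first without the switch and compare the first section with the DIR /AR /S output posted in the thread before clearing anything.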
  • C:\Windows\system32>DIR C:\Windows\System32\*.* /AR /S
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\Windows\System32\config\systemprofile

    06/14/2012  07:58 PM    <DIR>          Desktop
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\systemprofile\Desktop

    06/14/2012  07:58 PM    <DIR>          .
    06/14/2012  07:58 PM    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\inetsrv\config\schema

    11/04/2010  08:52 PM            38,809 ASPNET_schema.xml
    06/10/2009  04:18 PM            31,863 Ftp_schema.xml
    11/04/2010  08:53 PM            27,105 FX_schema.xml
    11/04/2010  08:53 PM            82,037 IIS_schema.xml
    06/10/2009  04:20 PM             4,757 WebDAV_schema.xml
                   5 File(s)        184,571 bytes

     Directory of C:\Windows\System32\Macromed\Flash

    09/05/2012  03:35 PM         9,639,624 Flash32_11_4_402_265.ocx
                   1 File(s)      9,639,624 bytes

     Directory of C:\Windows\System32\restore

    10/24/2009  12:08 AM                76 MachineGuid.txt
                   1 File(s)             76 bytes

         Total Files Listed:
                   7 File(s)      9,824,271 bytes
                   3 Dir(s)  256,281,489,408 bytes free

    Sunday, September 16, 2012 9:18 PM
  • That's a little better :)

    Please run the following commands in an Elevated Command prompt, and post the results.

    ICACLS C:\Windows\System32\config\Systemprofile

    ICACLS C:\Windows\System32\config\Systemprofile\Desktop

    DIR C:\Windows\System32 /AL /S


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 9:58 PM
    Moderator
  • C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile
    C:\Windows\System32\config\Systemprofile NT AUTHORITY\SYSTEM:(F)
                                             BUILTIN\Administrators:(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile\Desktop
    C:\Windows\System32\config\Systemprofile\Desktop NT AUTHORITY\SYSTEM:(F)
                                                     BUILTIN\Administrators:(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>DIR C:\Windows\System32 /AL /S
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC
    File Not Found
    Sunday, September 16, 2012 10:06 PM
  • VERY strange!

    I was expecting a Junction for the desktop item there. Please run the following in an elevated Command prompt, and post the results.

    ICACLS C:\Windows\System32\config\Systemprofile  /grant SYSTEM:(OI)(CI)(F)

    ICACLS C:\Windows\System32\config\Systemprofile  /grant Administrators:(OI)(CI)(F)

    DIR  C:\Windows\System32\config\Systemprofile\Desktop

    Run another MGADiag report and post that as well


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 10:17 PM
    Moderator
  • C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile  /grant SYSTEM:(OI)(CI)(F)
    processed file: C:\Windows\System32\config\Systemprofile
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile  /grant Administrators:(OI)(CI)(F)
    processed file: C:\Windows\System32\config\Systemprofile
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>DIR  C:\Windows\System32\config\Systemprofile\Desktop
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\Windows\System32\config\Systemprofile\Desktop

    06/14/2012  07:58 PM    <DIR>          .
    06/14/2012  07:58 PM    <DIR>          ..
                   0 File(s)              0 bytes
                   2 Dir(s)  256,276,484,096 bytes free


    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
    Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
    Windows Product ID: 00359-030-1202835-85167
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.120330-1504
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXC061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
    Installation ID: 020555999504445036330772525183246516309593344574792801
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MQVK8
    License Status: Initial grace period
    Time remaining: 40320 minute(s) (28 day(s))
    Remaining Windows rearm count: 5
    Trusted time: 9/16/2012 5:39:32 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 7:19:2012 18:34
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC DELL   B8K    
      FACP DELL   B8K    
      HPET DELL   B8K    
      BOOT DELL   B8K    
      MCFG DELL   B8K    
      SSDT DELL st_ex
      DUMY DELL   B8K    
      SLIC DELL   B8K    

    Sunday, September 16, 2012 10:39 PM
  • I'm pretty sure that we're getting close to the solution :)

    Please run the following and post the result.

    DIR  C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft /s

    ICACLS  C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 11:01 PM
    Moderator
  • Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>DIR  C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft /s
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft

    11/15/2010  06:48 PM    <DIR>          .
    11/15/2010  06:48 PM    <DIR>          ..
    11/15/2010  06:48 PM    <DIR>          IdentityCRL
    10/23/2009  11:16 PM    <DIR>          Media Player
    05/02/2010  01:24 PM    <DIR>          Portable Devices
    03/07/2010  05:28 PM    <DIR>          Vault
    10/23/2009  11:28 PM    <DIR>          Windows
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\IdentityCRL

    11/15/2010  06:48 PM    <DIR>          .
    11/15/2010  06:48 PM    <DIR>          ..
    11/15/2010  06:48 PM    <DIR>          production
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\IdentityCRL\production

    11/15/2010  06:48 PM    <DIR>          .
    11/15/2010  06:48 PM    <DIR>          ..
    11/15/2010  06:48 PM    <DIR>          temp
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\IdentityCRL\production\temp

    11/15/2010  06:48 PM    <DIR>          .
    11/15/2010  06:48 PM    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Media Player

    10/23/2009  11:16 PM    <DIR>          .
    10/23/2009  11:16 PM    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Portable Devices

    05/02/2010  01:24 PM    <DIR>          .
    05/02/2010  01:24 PM    <DIR>          ..
    05/24/2010  05:35 AM               284 wpdlog00.sqm
    09/05/2012  01:45 PM               284 wpdlog01.sqm
    05/02/2010  01:24 PM               284 wpdlog02.sqm
                   3 File(s)            852 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Vault

    03/07/2010  05:28 PM    <DIR>          .
    03/07/2010  05:28 PM    <DIR>          ..
    03/07/2010  05:28 PM    <DIR>          4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

    03/07/2010  05:28 PM    <DIR>          .
    03/07/2010  05:28 PM    <DIR>          ..
    03/07/2010  05:28 PM               186 FEC87291-14F6-40B6-BD98-7FF245986B26.vsch
    03/07/2010  05:28 PM             1,478 Policy.vpol
                   2 File(s)          1,664 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows

    10/23/2009  11:28 PM    <DIR>          .
    10/23/2009  11:28 PM    <DIR>          ..
    07/13/2009  11:37 PM    <DIR>          Caches
    10/23/2009  11:28 PM    <DIR>          WER
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Caches

    07/13/2009  11:37 PM    <DIR>          .
    07/13/2009  11:37 PM    <DIR>          ..
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK0O5ILC

    11/06/2010  10:17 PM            17,163 IDR_XML_DEFAULT_TRANSFORM[1]
                   1 File(s)         17,163 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N7YCJ1JB

    03/01/2010  09:46 PM             2,648 wpad[1].dat
                   1 File(s)          2,648 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLH1CA1W

    09/04/2012  11:38 AM            17,163 IDR_XML_DEFAULT_TRANSFORM[1]
                   1 File(s)         17,163 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\WER

    10/23/2009  11:28 PM    <DIR>          .
    10/23/2009  11:28 PM    <DIR>          ..
    10/23/2009  11:28 PM    <DIR>          ReportQueue
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\WER\ReportQueue

    10/23/2009  11:28 PM    <DIR>          .
    10/23/2009  11:28 PM    <DIR>          ..
    10/23/2009  11:28 PM    <DIR>          NonCritical_win7_rtm_ed4518af73fd7bd39feb5e4284f015249b50f3_cab_033dd789
                   0 File(s)              0 bytes

     Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_win7_rtm_ed4518af73fd7bd39feb5e4284f015249b50f3_cab_033dd789

    10/23/2009  11:28 PM    <DIR>          .
    10/23/2009  11:28 PM    <DIR>          ..
    10/24/2009  01:49 AM            38,162 cbs.log
    10/23/2009  11:16 PM            32,483 diagerr.xml
    10/23/2009  11:28 PM             4,092 Report.wer
    10/23/2009  11:28 PM        29,002,150 setupact.log
    10/23/2009  11:27 PM           213,735 setupapi.app.log
    10/23/2009  10:59 PM         2,291,025 setupapi.dev.log
    10/24/2009  01:49 AM           806,804 setupapi.offline.log
                   7 File(s)     32,388,451 bytes

         Total Files Listed:
                  15 File(s)     32,427,941 bytes
                  38 Dir(s)  256,274,628,608 bytes free

    C:\Windows\system32>ICACLS  C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft
    C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft NT AUTHORITY\SYSTEM:(F)
                                                                     BUILTIN\Administrators:(F)
                                                                     BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)

    Successfully processed 1 files; Failed processing 0 files

    Sunday, September 16, 2012 11:08 PM
  • that looks normal enough

    Please run the following commands and post the results

    ICACLS C:\Windows\System32\config\*.

    ICACLS C:\Windows\System32

    ICACLS C:\Windows


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 11:31 PM
    Moderator
  • C:\Windows\system32>ICACLS C:\Windows\System32\config\*.
    C:\Windows\System32\config\BCD-Template NT AUTHORITY\SYSTEM:(F)
                                            BUILTIN\Administrators:(F)

    C:\Windows\System32\config\components NT AUTHORITY\SYSTEM:(I)(F)
                                          BUILTIN\Administrators:(I)(F)

    C:\Windows\System32\config\default NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)

    C:\Windows\System32\config\Journal NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)

    C:\Windows\System32\config\RegBack NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)

    C:\Windows\System32\config\sam NT AUTHORITY\SYSTEM:(F)
                                   BUILTIN\Administrators:(F)

    C:\Windows\System32\config\security NT AUTHORITY\SYSTEM:(F)
                                        BUILTIN\Administrators:(F)

    C:\Windows\System32\config\software NT AUTHORITY\SYSTEM:(F)
                                        BUILTIN\Administrators:(F)

    C:\Windows\System32\config\system NT AUTHORITY\SYSTEM:(F)
                                      BUILTIN\Administrators:(F)

    C:\Windows\System32\config\systemprofile NT AUTHORITY\SYSTEM:(F)
                                             BUILTIN\Administrators:(F)
                                             BUILTIN\Administrators:(OI)(CI)(F)
                                             NT AUTHORITY\SYSTEM:(OI)(CI)(F)

    C:\Windows\System32\config\TxR NT AUTHORITY\SYSTEM:(F)
                                   BUILTIN\Administrators:(F)

    C:\Windows\System32\config\userdiff NT AUTHORITY\SYSTEM:(F)
                                        BUILTIN\Administrators:(F)

    Successfully processed 12 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32
    C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                        NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                        NT AUTHORITY\SYSTEM:(M)
                        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                        BUILTIN\Administrators:(M)
                        BUILTIN\Administrators:(OI)(CI)(IO)(F)
                        BUILTIN\Users:(RX)
                        BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                        CREATOR OWNER:(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows
    C:\Windows NT SERVICE\TrustedInstaller:(F)
               NT SERVICE\TrustedInstaller:(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(M)
               NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
               BUILTIN\Administrators:(M)
               BUILTIN\Administrators:(OI)(CI)(IO)(F)
               BUILTIN\Users:(RX)
               BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
               CREATOR OWNER:(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    Sunday, September 16, 2012 11:35 PM
  • Interesting - but it needs me to be fresh to work out the implications.

    It's 00:45 here now - so I'll get to bed. Back tomorrow.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Sunday, September 16, 2012 11:41 PM
    Moderator
  • The permissions are somewhat screwed, to say the least!

    Let's see what we can do about it...

    Please run the following in an Elevated Command Prompt

    ICACLS C:\Windows\System32\config /grant TrustedInstaller:(CI)(F)

    ICACLS C:\Windows\System32\config /grant SYSTEM:(OI)(CI)(F)

    ICACLS C:\Windows\System32\config /grant Administrators:(OI)(CI)(F)

    ICACLS C:\Windows\System32\config /grant "CREATOR OWNER":(OI)(CI)(F)

    ICACLS C:\Windows\System32\config\*.

    Post the results.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 8:20 AM
    Moderator
  • C:\Windows\system32>ICACLS C:\Windows\System32\config /grant TrustedInstaller:(CI)(F)
    TrustedInstaller: No mapping between account names and security IDs was done.
    Successfully processed 0 files; Failed processing 1 files

    C:\Windows\system32>ICACLS C:\Windows\System32\config /grant SYSTEM:(OI)(CI)(F)
    processed file: C:\Windows\System32\config
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32\config /grant Administrators:(OI)(CI)(F)
    processed file: C:\Windows\System32\config
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32\config /grant "CREATOR OWNER":(OI)(CI)(F)
    processed file: C:\Windows\System32\config
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\System32\config\*.
    C:\Windows\System32\config\BCD-Template NT AUTHORITY\SYSTEM:(F)
                                            BUILTIN\Administrators:(F)
                                            BUILTIN\Administrators:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            BUILTIN\Users:(I)(RX)

    C:\Windows\System32\config\components BUILTIN\Administrators:(I)(F)
                                          NT AUTHORITY\SYSTEM:(I)(F)
                                          BUILTIN\Users:(I)(RX)

    C:\Windows\System32\config\default NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)
                                       BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Users:(I)(RX)

    C:\Windows\System32\config\Journal NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)
                                       BUILTIN\Administrators:(I)(F)
                                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                       NT SERVICE\TrustedInstaller:(I)(F)
                                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                       BUILTIN\Users:(I)(RX)
                                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    C:\Windows\System32\config\RegBack NT AUTHORITY\SYSTEM:(F)
                                       BUILTIN\Administrators:(F)
                                       BUILTIN\Administrators:(I)(F)
                                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                       NT SERVICE\TrustedInstaller:(I)(F)
                                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                       BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                       BUILTIN\Users:(I)(RX)
                                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    C:\Windows\System32\config\sam NT AUTHORITY\SYSTEM:(F)
                                   BUILTIN\Administrators:(F)
                                   BUILTIN\Administrators:(I)(F)
                                   NT AUTHORITY\SYSTEM:(I)(F)
                                   BUILTIN\Users:(I)(RX)

    C:\Windows\System32\config\security NT AUTHORITY\SYSTEM:(F)
                                        BUILTIN\Administrators:(F)
                                        BUILTIN\Administrators:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Users:(I)(RX)

    C:\Windows\System32\config\software NT AUTHORITY\SYSTEM:(F)
                                        BUILTIN\Administrators:(F)
                                        BUILTIN\Administrators:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Users:(I)(RX)

    C:\Windows\System32\config\system NT AUTHORITY\SYSTEM:(F)
                                      BUILTIN\Administrators:(F)
                                      BUILTIN\Administrators:(I)(F)
                                      NT AUTHORITY\SYSTEM:(I)(F)
                                      BUILTIN\Users:(I)(RX)

    C:\Windows\System32\config\systemprofile NT AUTHORITY\SYSTEM:(F)
                                             BUILTIN\Administrators:(F)
                                             BUILTIN\Administrators:(OI)(CI)(F)
                                             NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                             BUILTIN\Administrators:(I)(F)
                                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                             NT SERVICE\TrustedInstaller:(I)(F)
                                             NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                             BUILTIN\Users:(I)(RX)
                                             BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    C:\Windows\System32\config\TxR NT AUTHORITY\SYSTEM:(F)
                                   BUILTIN\Administrators:(F)
                                   BUILTIN\Administrators:(I)(F)
                                   CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                   NT SERVICE\TrustedInstaller:(I)(F)
                                   NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                   BUILTIN\Users:(I)(RX)
                                   BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                   CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    C:\Windows\System32\config\userdiff NT AUTHORITY\SYSTEM:(F)
                                        BUILTIN\Administrators:(F)
                                        BUILTIN\Administrators:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Users:(I)(RX)

    Successfully processed 12 files; Failed processing 0 files
    Monday, September 17, 2012 1:39 PM
  • Looks like I may have goofed on the first command...

    Please run this one:

    ICACLS C:\Windows\System32\config /grant "NT SERVICE\TrustedInstaller":(CI)(F)

    then reboot and run an MGADiag report and post that


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 1:49 PM
    Moderator
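An added audit script (not code from this thread, and not a Microsoft tool) that reads saved ICACLS output the way the replies above do: it decodes the (I)(OI)(CI)(IO) notation, checks a folder for the four inheritable full-control entries the /grant commands establish, and emits any repair commands with the principal in the quoted "NT SERVICE\TrustedInstaller" form that worked rather than the bare name that failed. The two listings it checks are transcribed from the thread; it assumes the listed paths contain no spaces.

```python
"""Audit an ICACLS listing for the inheritable ACEs a Windows system folder needs."""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Tuple


class Ace(NamedTuple):
    principal: str          # e.g. "NT AUTHORITY\SYSTEM"
    flags: FrozenSet[str]   # inheritance flags, a subset of {"I","OI","CI","IO","NP"}
    rights: str             # permission set printed last: "F", "M", "RX", "GR,GE"


# ICACLS prints inheritance flags first and the permission set last: "(I)(OI)(CI)(IO)(GR,GE)".
_ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<groups>(?:\([A-Z,]+\))+)\s*$")
# Block header: path, a space, first ACE. Assumes paths contain no spaces (true here).
_HEAD_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S*)\s+(?P<ace>.+)$")


def parse_ace(text: str) -> Ace:
    """Decode one 'principal:(flag)...(rights)' token."""
    m = _ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ICACLS ACE: {text!r}")
    groups = re.findall(r"\(([A-Z,]+)\)", m.group("groups"))
    return Ace(m.group("principal"), frozenset(groups[:-1]), groups[-1])


def parse_icacls(output: str) -> Dict[str, List[Ace]]:
    """Map each path in an ICACLS listing to its ACEs, in printed order."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("Successfully processed"):
            continue
        head = _HEAD_RE.match(line.strip())
        if head:                    # "C:\path PRINCIPAL:(...)" starts a new block
            current = head.group("path")
            acls[current] = [parse_ace(head.group("ace"))]
        elif current is not None:   # indented continuation line carrying one ACE
            acls[current].append(parse_ace(line))
    return acls


# The four ACEs the thread's /grant commands establish on C:\Windows\System32\config.
# (I) and (IO) are ignored: an inherited or inherit-only full-control ACE propagates too.
REQUIRED: Tuple[Tuple[str, FrozenSet[str]], ...] = (
    ("NT SERVICE\\TrustedInstaller", frozenset({"CI"})),
    ("NT AUTHORITY\\SYSTEM", frozenset({"OI", "CI"})),
    ("BUILTIN\\Administrators", frozenset({"OI", "CI"})),
    ("CREATOR OWNER", frozenset({"OI", "CI"})),
)


def missing_aces(aces: List[Ace]) -> List[Tuple[str, FrozenSet[str]]]:
    """REQUIRED entries not satisfied by any full-control ACE carrying those flags."""
    return [(principal, needed) for principal, needed in REQUIRED
            if not any(a.principal == principal and a.rights == "F" and needed <= a.flags
                       for a in aces)]


def repair_commands(path: str, missing: List[Tuple[str, FrozenSet[str]]]) -> List[str]:
    """ICACLS /grant lines for the missing ACEs, principal quoted in full DOMAIN\\Name
    form: a bare 'TrustedInstaller' gives 'No mapping between account names and security IDs'."""
    cmds = []
    for principal, flags in missing:
        flag_txt = "".join(f"({f})" for f in ("OI", "CI") if f in flags)
        cmds.append(f'ICACLS "{path}" /grant "{principal}":{flag_txt}(F)')
    return cmds


def audit(output: str) -> Dict[str, List[str]]:
    """Path -> repair commands; an empty list means the folder passes the check."""
    return {path: repair_commands(path, missing_aces(aces))
            for path, aces in parse_icacls(output).items()}


# Constructed samples, transcribed from the listings posted in the thread.
HEALTHY_SYSTEM32 = r"""
C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                    NT AUTHORITY\SYSTEM:(M)
                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                    BUILTIN\Administrators:(M)
                    BUILTIN\Administrators:(OI)(CI)(IO)(F)
                    BUILTIN\Users:(RX)
                    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                    CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""
BROKEN_SYSTEMPROFILE = r"""
C:\Windows\System32\config\systemprofile NT AUTHORITY\SYSTEM:(F)
                                         BUILTIN\Administrators:(F)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
"""

if __name__ == "__main__":
    for sample in (HEALTHY_SYSTEM32, BROKEN_SYSTEMPROFILE):
        print(audit(sample))
```

Run it against the output of `ICACLS <folder> > acl.txt` on a machine under repair and compare the emitted commands with the ones in the thread before applying any of them.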
  • That one worked.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
    Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
    Windows Product ID: 00359-030-1202835-85167
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.120330-1504
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXC061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
    Installation ID: 020555999504445036330772525183246516309593344574792801
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MQVK8
    License Status: Initial grace period
    Time remaining: 39360 minute(s) (27 day(s))
    Remaining Windows rearm count: 5
    Trusted time: 9/17/2012 9:33:38 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 7:19:2012 18:34
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC DELL   B8K    
      FACP DELL   B8K    
      HPET DELL   B8K    
      BOOT DELL   B8K    
      MCFG DELL   B8K    
      SSDT DELL st_ex
      DUMY DELL   B8K    
      SLIC DELL   B8K    

    Monday, September 17, 2012 2:35 PM
  • OK -

    Run the following commands and post the results:

    Attrib C:\windows\system32\config\ntuser.* /s

    dir C:\windows\system32\config\ntuser.* /s

    dir C:\windows\system32\config\ntuser.* /ah /s

    ICACLS C:\windows\system32\config\SystemProfile\ntuser.dat

    REG QUERY HKU

    REG QUERY HKU\S-1-5-18\Software

    ICACLS C:\Windows\ServiceProfiles


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 3:05 PM
    Moderator
  • C:\Windows\system32>Attrib C:\windows\system32\config\ntuser.* /s
    A            C:\windows\system32\config\systemprofile\ntuser.dat
    A   H        C:\windows\system32\config\systemprofile\ntuser.dat.LOG
    A  SH        C:\windows\system32\config\systemprofile\ntuser.dat.LOG1
    A  SH        C:\windows\system32\config\systemprofile\ntuser.dat.LOG2
    A  SH        C:\windows\system32\config\systemprofile\ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TM.blf
    A  SH        C:\windows\system32\config\systemprofile\ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
    A  SH        C:\windows\system32\config\systemprofile\ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms

    C:\Windows\system32>dir C:\windows\system32\config\ntuser.* /s
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\windows\system32\config\systemprofile

    09/11/2012  09:43 PM           262,144 ntuser.dat
                   1 File(s)        262,144 bytes

         Total Files Listed:
                   1 File(s)        262,144 bytes
                   0 Dir(s)  255,166,869,504 bytes free

    C:\Windows\system32>dir C:\windows\system32\config\ntuser.* /ah /s
     Volume in drive C is OS
     Volume Serial Number is 266C-E9DC

     Directory of C:\windows\system32\config\systemprofile

    07/14/2009  02:18 AM             1,024 ntuser.dat.LOG
    06/14/2012  08:13 PM             9,216 ntuser.dat.LOG1
    07/13/2009  11:57 PM                 0 ntuser.dat.LOG2
    10/23/2009  10:50 PM            65,536 ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TM.blf
    10/23/2009  10:50 PM           524,288 ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
    10/23/2009  10:50 PM           524,288 ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
                   6 File(s)      1,124,352 bytes

         Total Files Listed:
                   6 File(s)      1,124,352 bytes
                   0 Dir(s)  255,166,345,216 bytes free

    C:\Windows\system32>ICACLS C:\windows\system32\config\SystemProfile\ntuser.dat
    C:\windows\system32\config\SystemProfile\ntuser.dat BUILTIN\Administrators:(I)(F)
                                                        NT AUTHORITY\SYSTEM:(I)(F)
                                                        BUILTIN\Users:(I)(RX)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>REG QUERY HKU

    HKEY_USERS\.DEFAULT
    HKEY_USERS\S-1-5-19
    HKEY_USERS\S-1-5-20
    HKEY_USERS\S-1-5-21-1968992023-205071136-760349905-1005
    HKEY_USERS\S-1-5-21-1968992023-205071136-760349905-1005_Classes
    HKEY_USERS\S-1-5-18

    C:\Windows\system32>REG QUERY HKU\S-1-5-18\Software

    HKEY_USERS\S-1-5-18\Software\Apple Computer, Inc.
    HKEY_USERS\S-1-5-18\Software\Apple Inc.
    HKEY_USERS\S-1-5-18\Software\Auslogics
    HKEY_USERS\S-1-5-18\Software\BAE
    HKEY_USERS\S-1-5-18\Software\Classes
    HKEY_USERS\S-1-5-18\Software\Google
    HKEY_USERS\S-1-5-18\Software\JavaSoft
    HKEY_USERS\S-1-5-18\Software\Microsoft
    HKEY_USERS\S-1-5-18\Software\Policies
    HKEY_USERS\S-1-5-18\Software\SupportSoft
    HKEY_USERS\S-1-5-18\Software\TeamViewer

    C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles
    C:\Windows\ServiceProfiles NT SERVICE\TrustedInstaller:(I)(F)
                               NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                               BUILTIN\Users:(I)(RX)
                               BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                               CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files
    Monday, September 17, 2012 3:09 PM
  • That all looks OK

    Please run the following commands, then reboot and post a new MGADiag report

    REGSVR32 WINTRUST.DLL

    C:\Windows\SysWOW64\regsvr32 C:\Windows\SysWOW64\wintrust.dll


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 3:45 PM
    Moderator
  • It's only a 32-bit system, so the second command won't work.

    I'm scanning with Microsoft Safety Scanner right now, and it's actually finding a few things (that neither MBAM nor AVG caught), so as soon as that's complete I'll reboot and post a report.

    Monday, September 17, 2012 3:58 PM
  • Sorry about the extra line there! - I tend to go into autopilot typing that kind of instruction, and forgot that you're x86 rather than x64.

    Safety Scanner is definitely a good idea - especially if you download it on another machine known to be clean. Running offline scanners is almost always necessary if a rootkit is suspected, as they tend to be able to at least partially hide from installed scanners.


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 4:30 PM
    Moderator
  • Found and removed 29 infected objects.

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
    Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
    Windows Product ID: 00359-030-1202835-85167
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.120330-1504
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXC061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
    Installation ID: 020555999504445036330772525183246516309593344574792801
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MQVK8
    License Status: Initial grace period
    Time remaining: 39240 minute(s) (27 day(s))
    Remaining Windows rearm count: 5
    Trusted time: 9/17/2012 11:55:06 AM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 7:19:2012 18:34
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC DELL   B8K    
      FACP DELL   B8K    
      HPET DELL   B8K    
      BOOT DELL   B8K    
      MCFG DELL   B8K    
      SSDT DELL st_ex
      DUMY DELL   B8K    
      SLIC DELL   B8K    

    Monday, September 17, 2012 4:56 PM
  • Incidentally, I'm getting error 80070005 from Windows Update, which seems to be all about bad permissions.
    Monday, September 17, 2012 5:04 PM
  • It's certainly related - the literal translation of the code is 'Access Denied'

    Please run the following commands.

    ICACLS C:\Windows\SoftwareDistribution

    ICACLS C:\Windows\System32\Catroot2

    ATTRIB C:\Windows\System32\Catroot2\*.*


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 5:20 PM
    Moderator
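    Noel's reading of 80070005 as 'Access Denied' comes from the layout of an HRESULT: the high bit marks failure, bits 16-26 name the facility, and for the Win32 facility (7) the low 16 bits are the plain Win32 error number. The same decoding applies to the 0x800700B7 in the thread title, the 0x80070002 entries and the 0x800b0100 on every File Mismatch line in the report above. As an added example (not code from the thread or from MGADiag), the Python below decodes those values and groups the File Scan Data section of a report by decoded error; the sample report is constructed from the lines posted above, and the name tables cover only the codes seen in this thread.

```python
r"""Decode the HRESULT values seen in this thread and triage the 'File
Mismatch' lines of an MGADiag report by decoded error. Added example, not
from the thread; the sample report is copied from the posted File Scan Data."""
import re

FACILITY_WIN32 = 7    # HRESULT wrapping a Win32 error code
FACILITY_CERT = 11    # 0x000B: Authenticode / certificate trust errors

# winerror.h names for the codes that occur in the thread's reports.
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 183: "ERROR_ALREADY_EXISTS"}
CERT_NAMES = {0x0100: "TRUST_E_NOSIGNATURE"}


def decode_hresult(value):
    """Split an HRESULT into severity bit, facility and code (bits 31, 26-16
    and 15-0) and name the code where it is one this script knows."""
    failed = bool(value & 0x80000000)
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    if facility == FACILITY_WIN32:
        name = WIN32_NAMES.get(code)
    elif facility == FACILITY_CERT:
        name = CERT_NAMES.get(code)
    else:
        # e.g. 0x8004FE21: facility 4 is FACILITY_ITF, interface-defined,
        # so there is no generic name to look up.
        name = None
    return {"failed": failed, "facility": facility, "code": code, "name": name}


# MGADiag line shape: "File Mismatch: <path>[<version>], Hr = 0x<hex>"
MISMATCH_RE = re.compile(
    r"^File Mismatch: (?P<path>.+?)\[(?P<version>[^\]]+)\], Hr = (?P<hr>0x[0-9A-Fa-f]+)$"
)


def triage_file_scan(report):
    """Group the files flagged in an MGADiag 'File Scan Data' section by the
    decoded HRESULT name (hex string when the code is unknown)."""
    groups = {}
    for raw in report.splitlines():
        m = MISMATCH_RE.match(raw.strip())
        if not m:
            continue
        hr = int(m.group("hr"), 16)
        key = decode_hresult(hr)["name"] or f"0x{hr:08X}"
        groups.setdefault(key, []).append((m.group("path"), m.group("version")))
    return groups


# Constructed sample input: the File Scan Data section posted in the thread.
SAMPLE_REPORT = r"""
File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
"""

if __name__ == "__main__":
    for hr in (0x80070005, 0x800700B7, 0x80070002, 0x800B0100, 0x8004FE21):
        print(f"0x{hr:08X}", decode_hresult(hr))
    for name, files in triage_file_scan(SAMPLE_REPORT).items():
        print(name, len(files), "file(s)")
```

    Every mismatch in the posted report decodes to TRUST_E_NOSIGNATURE rather than to an access error, which is why the permission repairs that follow could succeed without changing the validation result.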
  • C:\Windows\system32>icacls ..\SoftwareDistribution
    C:\Windows\SoftwareDistribution NT AUTHORITY\SYSTEM:(F)
                                    BUILTIN\Administrators:(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>icacls catroot2
    catroot2 NT SERVICE\CryptSvc:(OI)(CI)(F)
             NT SERVICE\TrustedInstaller:(I)(F)
             NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
             BUILTIN\Administrators:(I)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
             BUILTIN\Users:(I)(RX)
             BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>attrib catroot2\*.*
    A       I    C:\Windows\system32\catroot2\dberr.txt
    A       I    C:\Windows\system32\catroot2\edb.chk
    A       I    C:\Windows\system32\catroot2\edb.log
    A       I    C:\Windows\system32\catroot2\edb00023.log
    A       I    C:\Windows\system32\catroot2\edbres00001.jrs
    A       I    C:\Windows\system32\catroot2\edbres00002.jrs
    Monday, September 17, 2012 5:24 PM
  • The permissions on the SoftwareDistribution folder are way off.

    ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(I)(F)
    ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(CI)(IO)(F)
    ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(I)(F)
    ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(OI)(CI)(IO)(F)
    ICACLS C:\Windows\SoftwareDistribution /grant Administrators:(OI)(CI)(IO)(F)
    ICACLS C:\Windows\SoftwareDistribution /grant Users:(I)(RX)
    ICACLS C:\Windows\SoftwareDistribution /grant Users:(OI)(CI)(IO)(GR,GE)
    ICACLS C:\Windows\SoftwareDistribution /grant "CREATOR OWNER":(OI)(CI)(IO)(F)


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Monday, September 17, 2012 5:40 PM
    Moderator
  • C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(I)(F)
    Invalid parameter "NT SERVICE\TrustedInstaller:(I)(F)"

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(CI)(IO)(F)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(I)(F)
    Invalid parameter "SYSTEM:(I)(F)"

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(OI)(CI)(IO)(F)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Administrators:(OI)(CI)(IO)(F)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Users:(I)(RX)
    Invalid parameter "Users:(I)(RX)"

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Users:(OI)(CI)(IO)(GR,GE)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "CREATOR OWNER":(OI)(CI)(IO)(F)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files
    Monday, September 17, 2012 5:49 PM
  • I could have sworn I'd changed the (I) parameters!

    ICACLS C:\Windows\SoftwareDistribution /grant Users:(RX)

    ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(F)

    ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(F)

    ICACLS C:\Windows\SoftwareDistribution

    (Please post the results - we need to see whether they are right, now)


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 6:02 PM
    Moderator
  • C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Users:(RX)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(F)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(F)
    processed file: C:\Windows\SoftwareDistribution
    Successfully processed 1 files; Failed processing 0 files

    C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution
    C:\Windows\SoftwareDistribution NT SERVICE\TrustedInstaller:(F)
                                    BUILTIN\Users:(RX)
                                    NT AUTHORITY\SYSTEM:(F)
                                    BUILTIN\Administrators:(F)
                                    NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                    CREATOR OWNER:(OI)(CI)(IO)(F)
                                    BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                                    BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                    NT SERVICE\TrustedInstaller:(I)(F)
                                    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                    NT AUTHORITY\SYSTEM:(I)(F)
                                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Administrators:(I)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Users:(I)(RX)
                                    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                    CREATOR OWNER:(I)(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files
    Monday, September 17, 2012 7:24 PM
  • I think it's right now (somewhere in there - if you use Windows Explorer, you can tidy up the duplicates yourself whenever you feel like it)

    Please attempt validation at www.microsoft.com/genuine/validate and see what happens, then run another MGADiag report


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Monday, September 17, 2012 7:51 PM
    Moderator
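    The 'way off' SoftwareDistribution listing at 5:24 PM was missing most of the ACEs that a folder under C:\Windows normally inherits, and the listing after the /grant commands carries each of them twice (the explicit grant plus the inherited copy), which is what Noel means by the duplicates. As an added example (not code from the thread), the Python below parses ICACLS output and audits it against the inherited ACL that ICACLS showed for C:\Windows\ServiceProfiles earlier in the thread, reporting missing, unexpected and duplicated ACEs; the two listings it runs on are copied from the posts as constructed sample input, and it assumes the folder path contains no spaces.

```python
r"""Audit an ICACLS listing of a folder under C:\Windows against the ACL that
ICACLS showed for C:\Windows\ServiceProfiles earlier in this thread.
Added example, not from the thread; the two listings below are copied from
the posts as constructed sample input."""
import re
from collections import Counter

# Expected ACEs for a folder that inherits the default C:\Windows ACL, taken
# from the ServiceProfiles listing. The (I) marker is dropped so that an
# explicit grant with the same rights is treated as equivalent.
BASELINE = {
    (r"NT SERVICE\TrustedInstaller", "(F)"),
    (r"NT SERVICE\TrustedInstaller", "(CI)(IO)(F)"),
    (r"NT AUTHORITY\SYSTEM", "(F)"),
    (r"NT AUTHORITY\SYSTEM", "(OI)(CI)(IO)(F)"),
    (r"BUILTIN\Administrators", "(F)"),
    (r"BUILTIN\Administrators", "(OI)(CI)(IO)(F)"),
    (r"BUILTIN\Users", "(RX)"),
    (r"BUILTIN\Users", "(OI)(CI)(IO)(GR,GE)"),
    ("CREATOR OWNER", "(OI)(CI)(IO)(F)"),
}

# Constructed sample input: the 'way off' SoftwareDistribution listing.
WAY_OFF = r"""
C:\Windows\SoftwareDistribution NT AUTHORITY\SYSTEM:(F)
                                BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample input: the same folder after the /grant commands.
REPAIRED = r"""
C:\Windows\SoftwareDistribution NT SERVICE\TrustedInstaller:(F)
                                BUILTIN\Users:(RX)
                                NT AUTHORITY\SYSTEM:(F)
                                BUILTIN\Administrators:(F)
                                NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                CREATOR OWNER:(OI)(CI)(IO)(F)
                                BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                                BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                NT SERVICE\TrustedInstaller:(I)(F)
                                NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Users:(I)(RX)
                                BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE per line: "<principal>:<one or more (FLAG) groups>", anchored at
# the end so that the path on the first line ends up inside the principal.
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")


def parse_icacls(listing):
    """Return the (principal, flags) pairs from ICACLS output. ICACLS prints
    the path before the first ACE, separated by a space; this assumes the
    path itself contains no spaces (true for the folders in the thread)."""
    aces, header_seen = [], False
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ICACLS line: {line!r}")
        who, flags = m.group("who"), m.group("flags")
        if not header_seen:
            who = who.split(" ", 1)[1]  # drop the leading path token
            header_seen = True
        aces.append((who, flags))
    return aces


def audit(listing, baseline=BASELINE):
    """Report which baseline ACEs are missing, which present ACEs are not in
    the baseline, and which appear more than once (explicit plus inherited)."""
    counts = Counter((who, flags.replace("(I)", "")) for who, flags in parse_icacls(listing))
    present = set(counts)
    return {
        "missing": sorted(baseline - present),
        "unexpected": sorted(present - baseline),
        "duplicated": sorted(ace for ace, n in counts.items() if n > 1),
    }


if __name__ == "__main__":
    for label, listing in (("way off", WAY_OFF), ("repaired", REPAIRED)):
        print(label, audit(listing))
```

    The baseline is the generic C:\Windows inheritance; a folder such as catroot2 legitimately carries an extra explicit grant (NT SERVICE\CryptSvc in the listing above), which this audit would report under "unexpected" for a human to judge rather than silently accept.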
  • The site still wants me to buy a new license, and Windows Update still has the same error. Should I just do a repair install of Windows?

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
    Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
    Windows Product ID: 00359-030-1202835-85167
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.120330-1504
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc.                </Manufacturer><Model>Dell DXC061                  </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.                </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>B8K    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
    Installation ID: 020555999504445036330772525183246516309593344574792801
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: MQVK8
    License Status: Initial grace period
    Time remaining: 39000 minute(s) (27 day(s))
    Remaining Windows rearm count: 5
    Trusted time: 9/17/2012 3:18:18 PM

    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 9:17:2012 15:14
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys


    HWID Data-->
    HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x0
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name OEMID Value OEMTableID Value
      APIC DELL   B8K    
      FACP DELL   B8K    
      HPET DELL   B8K    
      BOOT DELL   B8K    
      MCFG DELL   B8K    
      SSDT DELL st_ex
      DUMY DELL   B8K    
      SLIC DELL   B8K    

    Monday, September 17, 2012 8:20 PM
  • Just ran "sfc /scannow" and got the logs from it (10 MB), if that helps any. It did say it found "corrupted" files that it was unable to fix.
    Monday, September 17, 2012 8:48 PM
  • There's no sign of any such SFC problems in the log?

    However there are indications that the Catroot2 folder is corrupt - not surprising if the content was locked by permissions problems elsewhere.

    http://support.microsoft.com/kb/822798 probably applies.

    I have to admit to considering a repair install myself - there do seem to be a large number of permissions problems, and I doubt that we've found all of them.

    Do you have an SP1 disk? - if not, download the SP1 Refresh for your language and edition from the links on these pages...

    Heidoc - Microsoft DR Download links

    The links are for downloads from the Digital River servers run for MS, so are about as safe as you can get :)

    Once you have it downloaded, you then need to burn the DVD from it - use either the Windows Disk Image Burner, or (better still) your favourite burning application at the slowest speed possible.

    Note that you do NOT 'drag and drop' the file to the disk, you must use the 'burn an image' option from your app - or you'll end up with a useless coaster :)

    Once you have the disk burnt, check that it boots the (or any other) system OK - but do NOT start the repair from there - you must start the repair from within a normal Windows boot.

    Follow the instructions in this tutorial - http://www.sevenforums.com/tutorials/3413-repair-install.html?ltr=R

    - and they should help you get through it (it's not as difficult as it looks!)

    Always ask questions first if you're unsure - either here, or in sevenforums.
    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    • Marked as answer by GarrettW87 Tuesday, September 18, 2012 2:59 PM
    Monday, September 17, 2012 9:19 PM
    Moderator
  • Well again, thanks a ton for all the help. I've done the repair install and it's working on updates right now.
    Tuesday, September 18, 2012 2:59 PM
  • Just for completeness, please post an MGADiag report :)

    Thanks for bearing with me as long as you did - it gave me a chance to refine some ideas, and learn a little myself.

    Well done with the repair!

    Good luck!


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

    Tuesday, September 18, 2012 3:21 PM
    Moderator