Remove From My Forums

Windows not genuine after system restore -- error 0x800700B7

Question
0

Sign in to vote
This is on a desktop that had been upgraded from Vista to 7 -- after cleaning off a malware infection, it would not fully boot to the login screen, so a System Restore was attempted to fix it. The Restore said it did not complete successfully, but when I rebooted, the problem had been fixed and it said the system had been restored.

But then a new problem arose: Windows now thinks it is counterfeit.

I've already run sfc, chkdsk, updated storage drivers, tried the permissions fix, tried clean startup... nothing helped. So the next thing I was going to try was a repair install from the Win7 upgrade disc.

So here's my MGAdiag.

---
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: N/A, hr = 0x800700b7
Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
Windows Product ID: 00359-030-1202835-85167
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dell DXC061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>B8K </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x800700B7' to display the error text.
Error: 0x800700B7

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys

HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbvIEsM6yM8KDkewqhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL B8K
FACP DELL B8K
HPET DELL B8K
BOOT DELL B8K
MCFG DELL B8K
SSDT DELL st_ex
DUMY DELL B8K
SLIC DELL B8K
- Edited by GarrettW87 Thursday, September 13, 2012 10:01 PM corrected error code in thread title
Thursday, September 13, 2012 9:53 PM

Answers

2

Sign in to vote
There's no sign of any such SFC problems in the log?

However there are indications that the Catroot2 folder is corrupt - not surprising if the content was locked by permissions problems elsewhere.

http://support.microsoft.com/kb/822798 probably applies.

I have to admit to considering a repair install myself - there do seem to be a large number of permissions problems, and I doubt that we've found all of them.

Do you have an SP1 disk? - iif not, Download the SP1
Refresh for your language and edition from the links on these pages...

Heidoc - Microsoft DR Download links

The links are for downloads from the Digital River servers run for MS, so are about as safe as
you can get :)

Once you have it downloaded, you then need to burn the DVD from it - use either the Windows Disk
Image Burner, or (better still) your favourite burning application at the slowest speed possible.

Note that you do NOT 'drag and drop' the file to the disk, you must use the 'burn an image' option
from your app - or you'll end up with a useless coaster :)

Once you have the disk burnt, check that it boots the (or any other) system OK - but do NOT start
the repair from there - you must start the repair from within a normal Windows boot.

Follow the instructions in this tutorial - http://www.sevenforums.com/tutorials/3413-repair-install.html?ltr=R

- and they should help you get through it (it's not as difficult as it looks!)

Always ask questions first if you're unsure - either here, or in sevenforums.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Marked as answer by GarrettW87 Tuesday, September 18, 2012 2:59 PM
Monday, September 17, 2012 9:19 PM

Moderator

All replies

0

Sign in to vote

Please run the
following commands in an Elevated Command Prompt

NET STOP CRYPTSVC

REN C:\WINDOWS\SYSTEM32\CATROOT2 CATROOT2OLD

NET START CRYPTSVC

once complete, reboot, and run another MGADiag report.

Note that this will delete your Update History - but all updates will remain
installed, and can be viewed in the Installed Updates listing.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Friday, September 14, 2012 8:25 AM

Moderator
0

Sign in to vote

Hey, thanks for helping out.

The new MGADiag report is exactly the same as the one I posted above. :/

Friday, September 14, 2012 6:12 PM
1

Sign in to vote
The error is complaining about duplicate filenames - but doesn't explain which ones it's talking about.

A number are created when MGDiag is run - please run the following commands in an Elevated Command Prompt

DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform /S ATTRIB C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\*.* /S ATTRIB C:\Windows\7b*.* /S ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData ICACLS C:\Windows\ServiceProfiles\Networkservice ICACLS C:\Windows\ServiceProfiles ICACLS C:\Windows ICACLS C:\Windows\System32

Here are some instructions to make life easier :)

1) To open an Elevated Command Prompt Window (the CP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.

2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.

3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Edited by Noel D PatonModerator Friday, September 14, 2012 6:27 PM add instructions
Friday, September 14, 2012 6:26 PM

Moderator
0

Sign in to vote

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>DIR %windir%\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform /S
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform

09/12/2012 11:05 PM <DIR> .
09/12/2012 11:05 PM <DIR> ..
07/13/2009 11:34 PM <DIR> Cache
09/05/2012 05:27 PM 7,178,489 tokens.bar
1 File(s) 7,178,489 bytes

Directory of C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache

07/13/2009 11:34 PM <DIR> .
07/13/2009 11:34 PM <DIR> ..
09/05/2012 06:26 PM 92,072 cache.dat
1 File(s) 92,072 bytes

Total Files Listed:
2 File(s) 7,270,561 bytes
5 Dir(s) 255,677,657,088 bytes free

C:\Windows\system32>ATTRIB C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\*.* /S
A I C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
A I C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.bar

C:\Windows\system32>ATTRIB C:\Windows\7b*.* /S
A R C:\Windows\Installer\7b0b8.msp
A S I C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
A S I C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
A S I C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
A S I C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_4E8F6C8278BCBC42EAD05
60F6112023C
A S I C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9
A S I C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_4E8F6C8278BCBC42EAD0
560F6112023C
A H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
A H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
A H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
A H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
A C:\Windows\winsxs\Catalogs\7babd2d1fb37e8c2ace373b22dac383b0469fe8fe9b7ec6659da1a0b2409e477.cat
A C:\Windows\winsxs\Catalogs\7bbd5694f52a6da7f347a0775dea29798731ffa15462194a615442c370e2dfd8.cat
A C:\Windows\winsxs\Temp\PendingRenames\7b3384da6891cd017e150000d0063416.$$_diagnostics_system_performance_d48bf95b5c828123.cdf-ms
A C:\Windows\winsxs\Temp\PendingRenames\7b44e7f86891cd01d3170000d0063416.program_files_microsoft_games_purble_place_44b505b0372ceb5f.cdf-ms
A C:\Windows\winsxs\Temp\PendingRenames\7bae78946891cd01b20f0000d0063416.$$_inf_w3svc_0ef6c7aee1e4154f.cdf-ms
A C:\Windows\winsxs\Temp\PendingRenames\7bb62c9d6891cd01f8100000d0063416.$$_system32_migwiz_dlmanifests_microsoft-windows-textservicesframework-migration-dl_549205906affe6bf.cdf-ms

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
C:\Windows\ServiceProfiles\NetworkService\AppData NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice
C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles
C:\Windows\ServiceProfiles NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows
C:\Windows NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32
C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)

NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Friday, September 14, 2012 9:21 PM
1

Sign in to vote

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
C:\Windows\ServiceProfiles\NetworkService\AppData NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice
C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

Seem to be the cause of the problem - the services don't have any permissions, and the existing permissions are wrong.

Please run the following commands in an Elevated Command Prompt

ICACLS C:\Windows\ServiceProfiles\Networkservice /grant:r Administrators:(OI)(CI)(F)

ICACLS C:\Windows\ServiceProfiles\Networkservice /grant:r "NETWORK SERVICE":(OI)(CI)(F)

ICACLS C:\Windows\ServiceProfiles\Networkservice /grant:r SYSTEM:(OI)(CI)(F)

ICACLS C:\Windows\ServiceProfiles\Networkservice\AppData /grant:r Administrators:(OI)(CI)(F)

ICACLS C:\Windows\ServiceProfiles\Networkservice\AppData /grant:r "NETWORK SERVICE":(OI)(CI)(F)

ICACLS C:\Windows\ServiceProfiles\Networkservice\AppData /grant:r SYSTEM:(OI)(CI)(F)

Once complete, reboot and run another MGADiag report - post the results.
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Friday, September 14, 2012 10:02 PM

Moderator
0

Sign in to vote
I think that did it!
MGADiag still throws up an error when I hit Copy -- as of now, it's 0x800706b5 -- but of course it copies ok, so here it is.

[EDIT] Not so fast... I just now got a popup with the window title "Windows Activation Technologies" saying it's still not genuine, with the error code 0x8004FE21.

Diagnostic Report (1.9.0027.0):

-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
Windows Product ID: 00359-030-1202835-85167
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dell DXC061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>B8K </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
Installation ID: 020555999504445036330772525183246516309593344574792801
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MQVK8
License Status: Initial grace period
Time remaining: 43200 minute(s) (30 day(s))
Remaining Windows rearm count: 5
Trusted time: 9/14/2012 5:12:22 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys

HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL B8K
FACP DELL B8K
HPET DELL B8K
BOOT DELL B8K
MCFG DELL B8K
SSDT DELL st_ex
DUMY DELL B8K
SLIC DELL B8K
- Edited by GarrettW87 Saturday, September 15, 2012 4:44 AM still not fixed :(
Friday, September 14, 2012 11:44 PM
0

Sign in to vote

That one relatively common - I hope......

This may simply be caused by a bad set of Intel Rapid Storage Technology drivers -

Installing the Intel Rapid Storage Drivers

try downloading and installing them from here - http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=2101&DwnldID=21730

Once complete, please reboot twice, then post another MGADiag report.
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Saturday, September 15, 2012 8:19 AM

Moderator
0

Sign in to vote

That one won't install on my system (it says my computer "doesn't meet the minimum requirements for installation") and I believe that's not the exact one I need.
I've already looked into this fix and determined that what mine needs is the Matrix Storage Manager, but there's one problem: when I try to install that, the installer crashes about halfway through, so not all of the files get installed.

Saturday, September 15, 2012 12:39 PM
0

Sign in to vote

Have you checked to see if a version of it is already installed? (It may appear in the Programs & Features list) - I assume that it was the IATA89ENU.exe file that you downloaded?

What response did you get from the NET STOP CRYPTSVC command above? - if it said 'not running' then that may be the problem.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Saturday, September 15, 2012 12:46 PM

Moderator
0

Sign in to vote

Yes there was an older version installed -- yes that's the file I downloaded -- and I believe "net stop cryptsvc" did stop the service successfully.

Saturday, September 15, 2012 3:54 PM
0

Sign in to vote

What is the EXACT error message you get when you try to install the Matrix driver?

I have a link for a slightly older version, which has worked for some...

http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=2101&DwnldID=17412&ProductFamily=Software+Products&ProductLine=Chipset+Software&ProductProduct=Intel%c2%ae+Rapid+Storage+Technology+(Intel%c2%ae+RST)&lang=eng

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Saturday, September 15, 2012 4:06 PM

Moderator
0

Sign in to vote
I just tried uninstalling the old one and then installing the new one again, and it gave me the same problem.

I'll try the older version now.

[EDIT] Aaaand it has the same issue.
- Edited by GarrettW87 Saturday, September 15, 2012 4:35 PM
Saturday, September 15, 2012 4:28 PM
0

Sign in to vote

Interesting - there are reports that this error/crash can be caused by Comodo firewall.

http://www.overclock.net/t/942913/solved-intel-r-install-frame-has-stopped-working

http://forums.comodo.com/defense-sandbox-help-cis/problem-updating-intel-raid-controller-t72008.0.html

Please check in your Event Viewer, and see if you can find what's crashing here.
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Saturday, September 15, 2012 4:35 PM

Moderator
0

Sign in to vote
Interesting. I think that was installed on this computer at one time but it hasn't been for a while.

Anyway, when I tried to open up Event Viewer I discovered that the Event Log service was not started -- and when I tried to start it, it said "Error 5: Access is denied." So I googled that and was able to solve it fairly easily.

Fixing the Event Log service allowed the Intel installer (8.9.x version) to complete successfully.
So here's the latest MGADiag.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
Windows Product ID: 00359-030-1202835-85167
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dell DXC061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>B8K </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
Installation ID: 020555999504445036330772525183246516309593344574792801
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MQVK8
License Status: Initial grace period
Time remaining: 42120 minute(s) (29 day(s))
Remaining Windows rearm count: 5
Trusted time: 9/15/2012 12:07:37 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 7:19:2012 18:34
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys

HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL B8K
FACP DELL B8K
HPET DELL B8K
BOOT DELL B8K
MCFG DELL B8K
SSDT DELL st_ex
DUMY DELL B8K
SLIC DELL B8K
- Edited by GarrettW87 Saturday, September 15, 2012 5:09 PM added version installed
Saturday, September 15, 2012 5:08 PM
0

Sign in to vote
Interesting - please reboot, then run the following commands and post the results

NET START EVENTLOG

SC QC EVENTLOG

SC QUERYEX EVENTLOG

SC SDSHOW EVENTLOG

SC QSIDTYPE EVENTLOG

SC QPRIVS EVENTLOG

also export and upload the System and Application Event logs.

Here are some instructions to make life easier :)

1) To open an Elevated Command Prompt Window (the CP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.

2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.

3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Edited by Noel D PatonModerator Saturday, September 15, 2012 5:51 PM
Saturday, September 15, 2012 5:46 PM

Moderator
0

Sign in to vote

Download:

Application Event Log
System Event Log

-----

Command output:

C:\Windows\system32>net start eventlog
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

C:\Windows\system32>sc qc eventlog
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: eventlog
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalServiceNetw
orkRestricted
LOAD_ORDER_GROUP : Event Log
TAG : 0
DISPLAY_NAME : Windows Event Log
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\LocalService

C:\Windows\system32>sc queryex eventlog

SERVICE_NAME: eventlog
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1012
FLAGS :

C:\Windows\system32>sc sdshow eventlog

D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCR
RC;;;SY)S:(AU;SA;DCRPWPDTCRSDWDWO;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\system32>sc qsidtype eventlog
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: eventlog
SERVICE_SID_TYPE: UNRESTRICTED

C:\Windows\system32>sc qprivs eventlog
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: eventlog
PRIVILEGES : SeChangeNotifyPrivilege
: SeImpersonatePrivilege

Sunday, September 16, 2012 3:07 AM
0

Sign in to vote

The SC output looks normal

Please run the following commands in an Elevated Command Prompt

net stop cryptsvc

esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

post the results.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 9:14 AM

Moderator
0

Sign in to vote

SOme of the errors in the event logs appear to be associated with malware -

Please download and install Malwarebytes Anti-malware (free version) from www.malwarebytes.org - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.

Delete everything it finds
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 9:29 AM

Moderator
0

Sign in to vote

C:\Windows\system32>net stop cryptsvc
The Cryptographic Services service is stopping..
The Cryptographic Services service was stopped successfully.

C:\Windows\system32>esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11
D1-85E5-00C04FC295EE}\catdb

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.1
Copyright (C) Microsoft Corporation. All Rights Reserved.

Error: Access to source database 'C:\Windows\System32\catroot2\{F750E6C3-38EE-11
D1-85E5-00C04FC295EE}\catdb' failed with Jet error -1811.

Operation terminated with error -1811 (JET_errFileNotFound, File not found) afte
r 0.15 seconds.

Sunday, September 16, 2012 4:33 PM
1

Sign in to vote

Very Interesting!

- but not terribly informative, since all it means as far as I can tell is that the database wasn't rebuilt properly when we renamed it earlier. This implies that there is a problem in that area

let's just check that the folder isn't tagged as read-only, amongst other things....

Please run the following in an Elevated Command Prompt, and post the results.

DIR C:\Windows\System32 /AR /S

ICACLS C:\Windows\System32\Catroot2

REG QUERY HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck

REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\

DIR C:\Windows\wintrust.dll.* /s

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 5:05 PM

Moderator
0

Sign in to vote
C:\Windows\system32>DIR C:\Windows\System32 /AR /S
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\Windows\System32

06/23/2006 09:09 AM 19,968 cpuinf32.dll
11/28/2007 05:34 AM 41,296 hlp95en.dll
07/05/2006 02:42 PM 81,920 mplaa6.dll
07/05/2006 02:42 PM 69,632 mplam6.dll
07/05/2006 02:42 PM 69,632 mplapx.dll
07/05/2006 02:42 PM 81,920 mplaw7.dll
07/05/2006 02:42 PM 1,679,360 mplva6.dll
07/05/2006 02:42 PM 1,585,152 mplvm6.dll
07/05/2006 02:42 PM 1,159,168 mplvpx.dll
07/05/2006 02:42 PM 1,654,784 mplvw7.dll
08/17/2004 09:14 PM 442,368 vp6vfw.dll
11 File(s) 6,885,200 bytes

Directory of C:\Windows\System32\config\systemprofile

06/14/2012 07:58 PM <DIR> Desktop
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\systemprofile\Desktop

06/14/2012 07:58 PM <DIR> .
06/14/2012 07:58 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\inetsrv\config\schema

11/04/2010 08:52 PM 38,809 ASPNET_schema.xml
06/10/2009 04:18 PM 31,863 Ftp_schema.xml
11/04/2010 08:53 PM 27,105 FX_schema.xml
11/04/2010 08:53 PM 82,037 IIS_schema.xml
06/10/2009 04:20 PM 4,757 WebDAV_schema.xml
5 File(s) 184,571 bytes

Directory of C:\Windows\System32\Macromed\Flash

09/05/2012 03:35 PM 9,639,624 Flash32_11_4_402_265.ocx
1 File(s) 9,639,624 bytes

Directory of C:\Windows\System32\oobe

07/14/2009 04:26 AM 84,480 drvmgrtn.dll
07/14/2009 04:26 AM 10,883 envmig.xml
07/14/2009 04:26 AM 146,432 hwcompat.dll
07/14/2009 04:26 AM 101,888 migisol.dll
07/14/2009 04:26 AM 36,864 migtestplugin.dll
07/14/2009 04:26 AM 587,704 oscomps.xml
07/14/2009 04:26 AM 21,026 osfilter.inf
07/14/2009 04:26 AM 1,824 sfcn.dat
07/14/2009 04:26 AM 1,644 sflcid.dat
07/14/2009 04:26 AM 3,225,610 sflistlh.dat
07/14/2009 04:26 AM 2,119,152 sflistw7.dat
07/14/2009 04:26 AM 1,445,052 sflistxp.dat
07/14/2009 04:26 AM 10,457 sfpat.inf
07/14/2009 04:26 AM 9,665 sfpatlh.inf
07/14/2009 04:26 AM 462 sfpatpg.inf
07/14/2009 04:26 AM 3,371 sfpatw7.inf
07/14/2009 04:26 AM 4,386 sfpatxp.inf
07/14/2009 04:26 AM 164,352 upgcmi2migxml.dll
07/14/2009 04:26 AM 5,815,808 upgcore.dll
07/14/2009 04:26 AM 329,216 upgcsiagent.dll
07/14/2009 04:26 AM 689,664 upgdriver.dll
07/14/2009 04:26 AM 258,560 upghost.exe
07/14/2009 04:26 AM 111,616 upgmxeagent.dll
07/14/2009 04:26 AM 2,820,096 upgradeagent.dll
07/14/2009 04:26 AM 59,673 upgradeagent.xml
07/14/2009 04:26 AM 167,756 upgrade_bulk.xml
07/14/2009 04:26 AM 36,864 upgres.dll
07/14/2009 04:26 AM 189,952 wdscore.dll
28 File(s) 18,454,457 bytes

Directory of C:\Windows\System32\oobe\en-US

07/14/2009 04:26 AM 6,656 upgdriver.dll.mui
07/14/2009 04:26 AM 9,216 upgres.dll.mui
2 File(s) 15,872 bytes

Directory of C:\Windows\System32\restore

10/24/2009 12:08 AM 76 MachineGuid.txt
1 File(s) 76 bytes

Total Files Listed:
48 File(s) 35,179,800 bytes
3 Dir(s) 254,171,545,600 bytes free

C:\Windows\system32>ICACLS C:\Windows\System32\Catroot2
C:\Windows\System32\Catroot2 NT SERVICE\CryptSvc:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trus
t\CertCheck

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00
AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{09
6CE0A5-8160-4557-866E-3A80540F34A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{18
9A3842-3041-11D1-85E1-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{31
D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{57
3E31F8-AABA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{57
3E31F8-DDBA-11D0-8CCB-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{64
B9D180-8DA2-11CF-8736-00AA00A485EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{78
01EBD0-CF4B-11D0-851F-0060979387EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7
F4C378-21BE-494e-BA0F-BB12C5D208C5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6
B2E8D0-E005-11CF-A134-00C04FD7BF43}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{D4
1E4F1D-A407-11D1-8BC9-00C04FA30A41}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{D4
1E4F1F-A407-11D1-8BC9-00C04FA30A41}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{F7
50E6C3-38EE-11D1-85E5-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC
451C16-AC75-11D1-B4B8-00C04FB66EA0}

C:\Windows\system32>REG QUERY HKLM\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Pr
oviders\Trust\CertCheck\
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32>DIR C:\Windows\wintrust.dll.* /s
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\Windows\System32

03/01/2012 12:37 AM 172,544 wintrust.dll
1 File(s) 172,544 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7600.16385_none_ef848fe8fb647a74

07/13/2009 08:16 PM 172,544 wintrust.dll
1 File(s) 172,544 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7600.16493_none_ef77c14efb6e60de

12/29/2009 01:55 AM 172,032 wintrust.dll
1 File(s) 172,032 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7600.16970_none_ef8a69c6fb60ceba

03/01/2012 12:49 AM 172,544 wintrust.dll
1 File(s) 172,544 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7600.20605_none_f064afe014413504

12/29/2009 02:11 AM 172,032 wintrust.dll
1 File(s) 172,032 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7600.21160_none_f01eaea0147685d5

03/01/2012 12:29 AM 172,544 wintrust.dll
1 File(s) 172,544 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7601.17514_none_f1b5a3b0f852fe0e

11/20/2010 07:21 AM 172,032 wintrust.dll
1 File(s) 172,032 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7601.17787_none_f16cf8e6f88907f8

03/01/2012 12:37 AM 172,544 wintrust.dll
1 File(s) 172,544 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-wintrust-dll_31bf3856ad364
e35_6.1.7601.21933_none_f228a60c1181b3d8

03/01/2012 12:23 AM 172,544 wintrust.dll
1 File(s) 172,544 bytes

Total Files Listed:
9 File(s) 1,551,360 bytes
0 Dir(s) 254,170,984,448 bytes free
- Edited by GarrettW87 Sunday, September 16, 2012 7:48 PM removed a duplicate command
Sunday, September 16, 2012 6:25 PM
1

Sign in to vote

You have some very odd folders tagged as read-only! - namely :-

C:\ Windows\System32\oobe

C:\Windows\System32\oobe\en-US

C:\Windows\Config\Systemprofile

We need to correct those before we can see the wood for the trees!

Open Windows
Explorer (Computer)

Navigate to the C:\Windows folder

Find the System32 sub-folder and right-click on it

select Properties

Clear the 'blob'
from the 'Read-only (Only applies to files in folder)' box by clicking on it
until it's plain white.

Click on Apply.

Make sure that the
radio button for 'Apply changes to this folder, subfolders and files' is set,
and click OK.

Accept the
Administrator prompt. After a couple of seconds, you'll be told there is an
error - click on the 'Ignore all' button.

Wait for it to finish - it could take a couple
of minutes.

OK out, and exit
Windows Explorer.

Reboot twice

Then run the following command again

DIR C:\Windows\System32\*.* /AR /S

and post the results.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 8:15 PM

Moderator
0

Sign in to vote

C:\Windows\system32>DIR C:\Windows\System32\*.* /AR /S
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\Windows\System32\config\systemprofile

06/14/2012 07:58 PM <DIR> Desktop
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\systemprofile\Desktop

06/14/2012 07:58 PM <DIR> .
06/14/2012 07:58 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\inetsrv\config\schema

11/04/2010 08:52 PM 38,809 ASPNET_schema.xml
06/10/2009 04:18 PM 31,863 Ftp_schema.xml
11/04/2010 08:53 PM 27,105 FX_schema.xml
11/04/2010 08:53 PM 82,037 IIS_schema.xml
06/10/2009 04:20 PM 4,757 WebDAV_schema.xml
5 File(s) 184,571 bytes

Directory of C:\Windows\System32\Macromed\Flash

09/05/2012 03:35 PM 9,639,624 Flash32_11_4_402_265.ocx
1 File(s) 9,639,624 bytes

Directory of C:\Windows\System32\restore

10/24/2009 12:08 AM 76 MachineGuid.txt
1 File(s) 76 bytes

Total Files Listed:
7 File(s) 9,824,271 bytes
3 Dir(s) 256,281,489,408 bytes free

Sunday, September 16, 2012 9:18 PM
1

Sign in to vote

That's a little better :)

Please run the following commands in an Elevated Command prompt, and post the results.

ICACLS C:\Windows\System32\config\Systemprofile

ICACLS C:\Windows\System32\config\Systemprofile\Desktop

DIR C:\Windows\System32 /AL /S
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 9:58 PM

Moderator
0

Sign in to vote

C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile
C:\Windows\System32\config\Systemprofile NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile\Desktop
C:\Windows\System32\config\Systemprofile\Desktop NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>DIR C:\Windows\System32 /AL /S
Volume in drive C is OS
Volume Serial Number is 266C-E9DC
File Not Found

Sunday, September 16, 2012 10:06 PM
1

Sign in to vote

VERY strange!

I was expecting a Junction for the desktop item there. please run the following n=in an elevated Command prompt, and post the results.

ICACLS C:\Windows\System32\config\Systemprofile /grant SYSTEM:(OI)(CI)(F)

ICACLS C:\Windows\System32\config\Systemprofile /grant Administrators:(OI)(CI)(F)

DIR C:\Windows\System32\config\Systemprofile\Desktop

Run another MGADiag report and post that as well
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 10:17 PM

Moderator
0

Sign in to vote

C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile /grant SYSTEM:(OI)(CI)(F)
processed file: C:\Windows\System32\config\Systemprofile
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile /grant Administrators:(OI)(CI)(F)
processed file: C:\Windows\System32\config\Systemprofile
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>DIR C:\Windows\System32\config\Systemprofile\Desktop
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\Windows\System32\config\Systemprofile\Desktop

06/14/2012 07:58 PM <DIR> .
06/14/2012 07:58 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 256,276,484,096 bytes free

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
Windows Product ID: 00359-030-1202835-85167
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dell DXC061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>B8K </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
Installation ID: 020555999504445036330772525183246516309593344574792801
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MQVK8
License Status: Initial grace period
Time remaining: 40320 minute(s) (28 day(s))
Remaining Windows rearm count: 5
Trusted time: 9/16/2012 5:39:32 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 7:19:2012 18:34
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys

HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL B8K
FACP DELL B8K
HPET DELL B8K
BOOT DELL B8K
MCFG DELL B8K
SSDT DELL st_ex
DUMY DELL B8K
SLIC DELL B8K

Sunday, September 16, 2012 10:39 PM
0

Sign in to vote

I'm pretty sure that we're getting close to the solution :)

please run the following and post the result

DIR C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft /s

ICACLS C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 11:01 PM

Moderator
0

Sign in to vote

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>DIR C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft /s
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft

11/15/2010 06:48 PM <DIR> .
11/15/2010 06:48 PM <DIR> ..
11/15/2010 06:48 PM <DIR> IdentityCRL
10/23/2009 11:16 PM <DIR> Media Player
05/02/2010 01:24 PM <DIR> Portable Devices
03/07/2010 05:28 PM <DIR> Vault
10/23/2009 11:28 PM <DIR> Windows
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\IdentityCRL

11/15/2010 06:48 PM <DIR> .
11/15/2010 06:48 PM <DIR> ..
11/15/2010 06:48 PM <DIR> production
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\IdentityCRL\production

11/15/2010 06:48 PM <DIR> .
11/15/2010 06:48 PM <DIR> ..
11/15/2010 06:48 PM <DIR> temp
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\IdentityCRL\production\temp

11/15/2010 06:48 PM <DIR> .
11/15/2010 06:48 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Media Player

10/23/2009 11:16 PM <DIR> .
10/23/2009 11:16 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Portable Devices

05/02/2010 01:24 PM <DIR> .
05/02/2010 01:24 PM <DIR> ..
05/24/2010 05:35 AM 284 wpdlog00.sqm
09/05/2012 01:45 PM 284 wpdlog01.sqm
05/02/2010 01:24 PM 284 wpdlog02.sqm
3 File(s) 852 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Vault

03/07/2010 05:28 PM <DIR> .
03/07/2010 05:28 PM <DIR> ..
03/07/2010 05:28 PM <DIR> 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28

03/07/2010 05:28 PM <DIR> .
03/07/2010 05:28 PM <DIR> ..
03/07/2010 05:28 PM 186 FEC87291-14F6-40B6-BD98-7FF245986B26.vsch
03/07/2010 05:28 PM 1,478 Policy.vpol
2 File(s) 1,664 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows

10/23/2009 11:28 PM <DIR> .
10/23/2009 11:28 PM <DIR> ..
07/13/2009 11:37 PM <DIR> Caches
10/23/2009 11:28 PM <DIR> WER
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Caches

07/13/2009 11:37 PM <DIR> .
07/13/2009 11:37 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK0O5ILC

11/06/2010 10:17 PM 17,163 IDR_XML_DEFAULT_TRANSFORM[1]
1 File(s) 17,163 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N7YCJ1JB

03/01/2010 09:46 PM 2,648 wpad[1].dat
1 File(s) 2,648 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLH1CA1W

09/04/2012 11:38 AM 17,163 IDR_XML_DEFAULT_TRANSFORM[1]
1 File(s) 17,163 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\WER

10/23/2009 11:28 PM <DIR> .
10/23/2009 11:28 PM <DIR> ..
10/23/2009 11:28 PM <DIR> ReportQueue
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\WER\ReportQueue

10/23/2009 11:28 PM <DIR> .
10/23/2009 11:28 PM <DIR> ..
10/23/2009 11:28 PM <DIR> NonCritical_win7_rtm_ed4518af73fd7bd39feb5e4284f015249b50f3_cab_033dd789
0 File(s) 0 bytes

Directory of C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_win7_rtm_ed4518af73fd7bd39feb5e4284f015249b50f3_cab_033dd789

10/23/2009 11:28 PM <DIR> .
10/23/2009 11:28 PM <DIR> ..
10/24/2009 01:49 AM 38,162 cbs.log
10/23/2009 11:16 PM 32,483 diagerr.xml
10/23/2009 11:28 PM 4,092 Report.wer
10/23/2009 11:28 PM 29,002,150 setupact.log
10/23/2009 11:27 PM 213,735 setupapi.app.log
10/23/2009 10:59 PM 2,291,025 setupapi.dev.log
10/24/2009 01:49 AM 806,804 setupapi.offline.log
7 File(s) 32,388,451 bytes

Total Files Listed:
15 File(s) 32,427,941 bytes
38 Dir(s) 256,274,628,608 bytes free

C:\Windows\system32>ICACLS C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft
C:\Windows\System32\config\Systemprofile\AppData\Local\Microsoft NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Sunday, September 16, 2012 11:08 PM
0

Sign in to vote

that looks normal enough

Please run the following commands and post the results

ICACLS C:\Windows\System32\config\*.

ICACLS C:\Windows\System32

ICACLS C:\Windows
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 11:31 PM

Moderator
0

Sign in to vote

C:\Windows\system32>ICACLS C:\Windows\System32\config\*.
C:\Windows\System32\config\BCD-Template NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\components NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)

C:\Windows\System32\config\default NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\Journal NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\RegBack NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\sam NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\security NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\software NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\system NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\systemprofile NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)

C:\Windows\System32\config\TxR NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

C:\Windows\System32\config\userdiff NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

Successfully processed 12 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32
C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows
C:\Windows NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Sunday, September 16, 2012 11:35 PM
0

Sign in to vote

Interesting - but it needs me to be fresh to work out the implications.

It's 00:45 here now - so I'll get to bad. Back tomorrow.
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Sunday, September 16, 2012 11:41 PM

Moderator
0

Sign in to vote

The permissions are somewhat screwed, to say the least!

let's see what we can do about it....

Please run the following in an Elevated Command Prompt

ICACLS C:\Windows\System32\config /grant TrustedInstaller:(CI)(F)

ICACLS C:\Windows\System32\config /grant SYSTEM:(OI)(CI)(F)

ICACLS C:\Windows\System32\config /grant Administrators:(OI)(CI)(F)

ICACLS C:\Windows\System32\config /grant "CREATOR OWNER":(OI)(CI)(F)

ICACLS C:\Windows\System32\config\*.

post the results.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 8:20 AM

Moderator
0

Sign in to vote

C:\Windows\system32>ICACLS C:\Windows\System32\config /grant TrustedInstaller:(CI)(F)
TrustedInstaller: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32>ICACLS C:\Windows\System32\config /grant SYSTEM:(OI)(CI)(F)
processed file: C:\Windows\System32\config
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32\config /grant Administrators:(OI)(CI)(F)
processed file: C:\Windows\System32\config
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32\config /grant "CREATOR OWNER":(OI)(CI)(F)
processed file: C:\Windows\System32\config
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32\config\*.
C:\Windows\System32\config\BCD-Template NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

C:\Windows\System32\config\components BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

C:\Windows\System32\config\default NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

C:\Windows\System32\config\Journal NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

C:\Windows\System32\config\RegBack NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

C:\Windows\System32\config\sam NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

C:\Windows\System32\config\security NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

C:\Windows\System32\config\software NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

C:\Windows\System32\config\system NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

C:\Windows\System32\config\systemprofile NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

C:\Windows\System32\config\TxR NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

C:\Windows\System32\config\userdiff NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 12 files; Failed processing 0 files

Monday, September 17, 2012 1:39 PM
0

Sign in to vote

Looks like I may have goofed on the first command...

please run this one

ICACLS C:\Windows\System32\config /grant "NT SERVICE\TrustedInstaller":(CI)(F)

then reboot and run an MGADiag report and post that

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 1:49 PM

Moderator
0

Sign in to vote

That one worked.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
Windows Product ID: 00359-030-1202835-85167
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dell DXC061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>B8K </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
Installation ID: 020555999504445036330772525183246516309593344574792801
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MQVK8
License Status: Initial grace period
Time remaining: 39360 minute(s) (27 day(s))
Remaining Windows rearm count: 5
Trusted time: 9/17/2012 9:33:38 AM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 7:19:2012 18:34
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys

HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL B8K
FACP DELL B8K
HPET DELL B8K
BOOT DELL B8K
MCFG DELL B8K
SSDT DELL st_ex
DUMY DELL B8K
SLIC DELL B8K

Monday, September 17, 2012 2:35 PM
0

Sign in to vote

OK -

run the following commands and post the results

Attrib C:\windows\system32\config\ntuser.* /s

dir C:\windows\system32\config\ntuser.* /s

dir C:\windows\system32\config\ntuser.* /ah /s

ICACLS C:\windows\system32\config\SystemProfile\ntuser.dat

REG QUERY HKU

REG QUERY HKU\S-1-5-18\Software

ICACLS C:\Windows\ServiceProfiles

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 3:05 PM

Moderator
0

Sign in to vote

C:\Windows\system32>Attrib C:\windows\system32\config\ntuser.* /s
A C:\windows\system32\config\systemprofile\ntuser.dat
A H C:\windows\system32\config\systemprofile\ntuser.dat.LOG
A SH C:\windows\system32\config\systemprofile\ntuser.dat.LOG1
A SH C:\windows\system32\config\systemprofile\ntuser.dat.LOG2
A SH C:\windows\system32\config\systemprofile\ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TM.blf
A SH C:\windows\system32\config\systemprofile\ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
A SH C:\windows\system32\config\systemprofile\ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms

C:\Windows\system32>dir C:\windows\system32\config\ntuser.* /s
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\windows\system32\config\systemprofile

09/11/2012 09:43 PM 262,144 ntuser.dat
1 File(s) 262,144 bytes

Total Files Listed:
1 File(s) 262,144 bytes
0 Dir(s) 255,166,869,504 bytes free

C:\Windows\system32>dir C:\windows\system32\config\ntuser.* /ah /s
Volume in drive C is OS
Volume Serial Number is 266C-E9DC

Directory of C:\windows\system32\config\systemprofile

07/14/2009 02:18 AM 1,024 ntuser.dat.LOG
06/14/2012 08:13 PM 9,216 ntuser.dat.LOG1
07/13/2009 11:57 PM 0 ntuser.dat.LOG2
10/23/2009 10:50 PM 65,536 ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TM.blf
10/23/2009 10:50 PM 524,288 ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
10/23/2009 10:50 PM 524,288 ntuser.dat{5e4c29fa-c050-11de-8faf-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
6 File(s) 1,124,352 bytes

Total Files Listed:
6 File(s) 1,124,352 bytes
0 Dir(s) 255,166,345,216 bytes free

C:\Windows\system32>ICACLS C:\windows\system32\config\SystemProfile\ntuser.dat
C:\windows\system32\config\SystemProfile\ntuser.dat BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>REG QUERY HKU

HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-20
HKEY_USERS\S-1-5-21-1968992023-205071136-760349905-1005
HKEY_USERS\S-1-5-21-1968992023-205071136-760349905-1005_Classes
HKEY_USERS\S-1-5-18

C:\Windows\system32>REG QUERY HKU\S-1-5-18\Software

HKEY_USERS\S-1-5-18\Software\Apple Computer, Inc.
HKEY_USERS\S-1-5-18\Software\Apple Inc.
HKEY_USERS\S-1-5-18\Software\Auslogics
HKEY_USERS\S-1-5-18\Software\BAE
HKEY_USERS\S-1-5-18\Software\Classes
HKEY_USERS\S-1-5-18\Software\Google
HKEY_USERS\S-1-5-18\Software\JavaSoft
HKEY_USERS\S-1-5-18\Software\Microsoft
HKEY_USERS\S-1-5-18\Software\Policies
HKEY_USERS\S-1-5-18\Software\SupportSoft
HKEY_USERS\S-1-5-18\Software\TeamViewer

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles
C:\Windows\ServiceProfiles NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Monday, September 17, 2012 3:09 PM
0

Sign in to vote

That all looks OK

Please run the following commands, then reboot and post a new MGADiag report

REGSVR32 WINTRUST.DLL

C:\Windows\SysWOW64\regsvr32 C:\Windows\SysWOW64\wintrust.dll
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 3:45 PM

Moderator
0

Sign in to vote

It's only a 32-bit system, so the second command won't work.

I'm scanning with Microsoft Safety Scanner right now, and it's actually finding a few things (that neither MBAM or AVG caught), so as soon as that's complete I'll reboot and post a report.

Monday, September 17, 2012 3:58 PM
0

Sign in to vote

Sorry about the extra line there! - I tend to go into autopilot typing that kind of instruction, and forgot that you're x86 rather than x64.

Safety Scanner is definitely a good idea - especially if you download it on another machine nown to be clean. running Offline scanners is almost always necessary if a rootkit is suspected, as they tend to be able to at least partially hide from installed scanners.
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 4:30 PM

Moderator
0

Sign in to vote

Found and removed 29 infected objects.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
Windows Product ID: 00359-030-1202835-85167
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dell DXC061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>B8K </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
Installation ID: 020555999504445036330772525183246516309593344574792801
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MQVK8
License Status: Initial grace period
Time remaining: 39240 minute(s) (27 day(s))
Remaining Windows rearm count: 5
Trusted time: 9/17/2012 11:55:06 AM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 7:19:2012 18:34
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys

HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL B8K
FACP DELL B8K
HPET DELL B8K
BOOT DELL B8K
MCFG DELL B8K
SSDT DELL st_ex
DUMY DELL B8K
SLIC DELL B8K

Monday, September 17, 2012 4:56 PM
0

Sign in to vote

Incidentally, I'm getting error 80070005 from Windows Update, which seems to be all about bad permissions.

Monday, September 17, 2012 5:04 PM
0

Sign in to vote

It's certainly related - the literal translation of the code is 'Access Denied'

Please run the following commands.

ICACLS C:\Windows\SoftwareDistribution

ICACLS C:\Windows\System32\Catroot2

ATTRIB C:\Windows\System32\Catroot2\*.*

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 5:20 PM

Moderator
0

Sign in to vote

C:\Windows\system32>icacls ..\SoftwareDistribution
C:\Windows\SoftwareDistribution NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>icacls catroot2
catroot2 NT SERVICE\CryptSvc:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>attrib catroot2\*.*
A I C:\Windows\system32\catroot2\dberr.txt
A I C:\Windows\system32\catroot2\edb.chk
A I C:\Windows\system32\catroot2\edb.log
A I C:\Windows\system32\catroot2\edb00023.log
A I C:\Windows\system32\catroot2\edbres00001.jrs
A I C:\Windows\system32\catroot2\edbres00002.jrs

Monday, September 17, 2012 5:24 PM

The permissions on the SoftwareDistribution folder are way off.

ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(I)(F)
ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(CI)(IO)(F)
ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(I)(F)
ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(OI)(CI)(IO)(F)
ICACLS C:\Windows\SoftwareDistribution /grant Administrators:(OI)(CI)(IO)(F)
ICACLS C:\Windows\SoftwareDistribution /grant Users:(I)(RX)
ICACLS C:\Windows\SoftwareDistribution /grant Users:(OI)(CI)(IO)(GR,GE)
ICACLS C:\Windows\SoftwareDistribution /grant "CREATOR OWNER":(OI)(CI)(IO)(F)

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Edited by Noel D PatonModerator Monday, September 17, 2012 5:44 PM

Monday, September 17, 2012 5:40 PM

Moderator

0

Sign in to vote

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(I)(F)
Invalid parameter "NT SERVICE\TrustedInstaller:(I)(F)"

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(CI)(IO)(F)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(I)(F)
Invalid parameter "SYSTEM:(I)(F)"

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(OI)(CI)(IO)(F)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Administrators:(OI)(CI)(IO)(F)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Users:(I)(RX)
Invalid parameter "Users:(I)(RX)"

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Users:(OI)(CI)(IO)(GR,GE)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "CREATOR OWNER":(OI)(CI)(IO)(F)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

Monday, September 17, 2012 5:49 PM
0

Sign in to vote

I could sworn I'd changed the (I) parameters!

ICACLS C:\Windows\SoftwareDistribution /grant Users:(RX)

ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(F)

ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\TrustedInstaller":(F)

ICACLS C:\Windows\SoftwareDistribution

(Please post the results - we need to see whether they are right, now)
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 6:02 PM

Moderator
0

Sign in to vote

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant Users:(RX)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant SYSTEM:(F)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution /grant "NT SERVICE\Tr
ustedInstaller":(F)
processed file: C:\Windows\SoftwareDistribution
Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\SoftwareDistribution
C:\Windows\SoftwareDistribution NT SERVICE\TrustedInstaller:(F)
BUILTIN\Users:(RX)
NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Monday, September 17, 2012 7:24 PM
0

Sign in to vote

I think it's right now (somewhere in there - if you use Windows Explorer, you can tidy up the duplicates yourself whenever you feel like it)

Please attempt validation at www.microsoft.com/genuine/validate and see what happens, then run another MGADiag report
Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Monday, September 17, 2012 7:51 PM

Moderator
0

Sign in to vote

The site still wants me to buy a new license, and Windows Update still has the same error. Should I just do a repair install of Windows?
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-BFK42-C2FFR-MQVK8
Windows Product Key Hash: FFmViCyrREe9oJqY5bDq91/FCoc=
Windows Product ID: 00359-030-1202835-85167
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6782A0EB-3A1F-400E-8E7F-A4F4449CE101}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6782A0EB-3A1F-400E-8E7F-A4F4449CE101}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-MQVK8</PKey><PID>00359-030-1202835-85167</PID><PIDType>5</PIDType><SID>S-1-5-21-1968992023-205071136-760349905</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Dell DXC061 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>2.4.0 </Version><SMBIOSVersion major="2" minor="3"/><Date>20070524000000.000000+000</Date></BIOS><HWID>69253C07018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>B8K </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: 2e7d060d-4714-40f2-9896-1e4f15b612ad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00170-030-120283-01-1033-7601.0000-2582012
Installation ID: 020555999504445036330772525183246516309593344574792801
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: MQVK8
License Status: Initial grace period
Time remaining: 39000 minute(s) (27 day(s))
Remaining Windows rearm count: 5
Trusted time: 9/17/2012 3:18:18 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 9:17:2012 15:14
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys

HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAIAAAABAAAAAgABAAEAJJQS9/h9QktCbrDO8gSyM8KDkewqhQ==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x0
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL B8K
FACP DELL B8K
HPET DELL B8K
BOOT DELL B8K
MCFG DELL B8K
SSDT DELL st_ex
DUMY DELL B8K
SLIC DELL B8K

Monday, September 17, 2012 8:20 PM
0

Sign in to vote

Just ran "sfc /scannow" and got the logs from it (10 MB), if that helps any. It did say it found "corrupted" files that it was unable to fix.

Monday, September 17, 2012 8:48 PM
2

Sign in to vote
There's no sign of any such SFC problems in the log?

However there are indications that the Catroot2 folder is corrupt - not surprising if the content was locked by permissions problems elsewhere.

http://support.microsoft.com/kb/822798 probably applies.

I have to admit to considering a repair install myself - there do seem to be a large number of permissions problems, and I doubt that we've found all of them.

Do you have an SP1 disk? - iif not, Download the SP1
Refresh for your language and edition from the links on these pages...

Heidoc - Microsoft DR Download links

The links are for downloads from the Digital River servers run for MS, so are about as safe as
you can get :)

Once you have it downloaded, you then need to burn the DVD from it - use either the Windows Disk
Image Burner, or (better still) your favourite burning application at the slowest speed possible.

Note that you do NOT 'drag and drop' the file to the disk, you must use the 'burn an image' option
from your app - or you'll end up with a useless coaster :)

Once you have the disk burnt, check that it boots the (or any other) system OK - but do NOT start
the repair from there - you must start the repair from within a normal Windows boot.

Follow the instructions in this tutorial - http://www.sevenforums.com/tutorials/3413-repair-install.html?ltr=R

- and they should help you get through it (it's not as difficult as it looks!)

Always ask questions first if you're unsure - either here, or in sevenforums.

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
- Marked as answer by GarrettW87 Tuesday, September 18, 2012 2:59 PM
Monday, September 17, 2012 9:19 PM

Moderator
0

Sign in to vote

Well again, thanks a ton for all the help. I've done the repair install and it's working on updates right now.

Tuesday, September 18, 2012 2:59 PM
0

Sign in to vote

Just for completeness, please post an MGADiag report :)

Thanks for bearing with me as long as you did - it gave me a chance to refine some ideas, and learn a little myself.

Well done with the repair!

Good luck!

Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth

Tuesday, September 18, 2012 3:21 PM

Moderator

Answered by:

Windows not genuine after system restore -- error 0x800700B7

Question

Answers

All replies