unauthorized changes in windows vista after SP1 update

  • Question

  • Hi everybody

    I have had a 32-bit Home Premium Vista since January of this year. A few weeks ago, I got a notification as soon as I logged in, something similar to "An unauthorized change was made to Windows Vista", and then it gave me two options: looking up ways of solving it on the net, or closing it, which logs me off again.
    It doesn't happen every time I turn my computer on, I'd say about 20% of the time, and it has never occurred in safe mode. It's been a while since I've installed anything new, so I guess the problem is being caused by an old program and the issue was triggered by the SP1 installation. I looked for answers in some posts here, and I ran >sfc /scannow, which said that there were some corrupted files but it couldn't fix them. I also checked Vista's reliability report for recent (un)installations, but all of them were updates, mostly security updates for Windows Defender and general Windows updates. I guess there's also no problem with the slsvc.exe process, because when I ran >net start slsvc it said the process was already running.
    Here's the WGA report:

    Diagnostic Report (1.9.0011.0):
    -----------------------------------------
    WGA Data-->
    Validation Status: Invalid License
    Validation Code: 50

    Cached Validation Code: N/A, hr = 0xc004d401
    Windows Product Key: *****-*****-F4GJK-KG77H-B9HD2
    Windows Product Key Hash: iJAth4TbScMi8HdcPurlASXdEkw=
    Windows Product ID: 89578-OEM-7332157-00204
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {334E8EB2-1904-44B6-B1A5-52D83FCCE6CC}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.090302-1506
    TTS Error: K:20090803223727356-M:20090812164134678-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Small Business 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{334E8EB2-1904-44B6-B1A5-52D83FCCE6CC}</UGUID><Version>1.9.0011.0</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-B9HD2</PKey><PID>89578-OEM-7332157-00204</PID><PIDType>2</PIDType><SID>S-1-5-21-3662842368-2857913425-4230340598</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Studio 540      </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>1.0.6</Version><SMBIOSVersion major="2" minor="5"/><Date>20081103000000.000000+000</Date></BIOS><HWID>46300500018400FA</HWID><UserLCID>0416</UserLCID><SystemLCID>0416</SystemLCID><TimeZone>Hora oficial do Brasil(GMT-03:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>AS09   </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-00CA-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Small Business 2007</Name><Ver>12</Ver><Val>675E44823A60DC0</Val><Hash>z/AAy4ShnkpX21UtSuC+RS724R0=</Hash><Pid>81606-OEM-6473611-44804</Pid><PidType>4</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    C:\Windows\system32\slmgr.vbs(1634, 5) (null): 0xC004D401

    HWID Data-->
    HWID Hash Current: NgAAAAAABAABAAEAAQACAAAAAwABAAEAeqhGunSU0AuENEa8ut/WlvL0Guwm2NrarFYHtswx

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            110308        APIC1749
      FACP            110308        FACP1749
      HPET            110308        OEMHPET
      MCFG            110308        OEMMCFG
      SLIC            DELL          AS09  
      OEMB            110308        OEMB1749
      GSCI            110308        GMCHSCI
      SSDT            DpgPmm        CpuPm




    I also figured it would be useful to send all the running processes. Here's a log from Security Task Manager:

    Nome     Nível de Risco     PID     CPU     Memória     Activo     Ficheiro     Tipo     Início     Título, Descrição     Fabricante : produto

    DockLogin.exe    52%    1532        3,4 MB            Serviço    12:48:59 durante o arranque do sistema         Stardock Corporation : Dock Login Service
    AVG Resident Shield Starter    48%                    C:\Windows\system32\avgrsstx.dll    DLL             AVG Technologies : AVG Internet Security
    Java(TM) Platform SE binary    48%                    C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll    Internet    No Arranque do Internet Explorer     SSVHelper Class (Extensões do Internet Explorer)    Sun Microsystems, Inc. : Java(TM) Platform SE 6 U7
    AVG Security Toolbar    48%                    C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll    Internet    No Arranque do Internet Explorer     AVG Security Toolbar BHO (Extensões do Internet Explorer)    AVG Technologies : AVG Security Toolbar
    CTSVCCDA.EXE    46%    1712        2,4 MB            Serviço    12:49:15 durante o arranque do sistema         Creative Technology Ltd : Creative Service for CDROM Access
    Assistente de Conexão do Windows Live ID    46%                    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll    Internet    No Arranque do Internet Explorer     Microsoft® Windows Live ID Login Helper - Auxiliar de Conexão do Windows Live ID (Extensões do Internet Explorer)    Microsoft Corporation : Microsoft® Windows Live ID
    CreativeLicensing.exe    42%    1756        2,4 MB            Serviço    12:49:15 durante o arranque do sistema         Creative Labs : Creative Labs Licensing Service
    Browser Address Error Redirector    39%                    C:\Program Files\Dell\BAE\BAE.dll    Internet    No Arranque do Internet Explorer     BAE.dll - Browser Address Error Redirector · BAE.BrowserHelperObject.1 (Extensões do Internet Explorer)    Dell Inc. : Browser Address Error Redirector
    BcmSqlStartupSvc.exe    36%    1972        3,1 MB            Serviço    12:49:14 durante o arranque do sistema         Microsoft Corporation : Microsoft Office Outlook 2007 with Business Contact Manager
    Safe Search for Internet Explorer    35%                    C:\Program Files\AVG\AVG8\avgssie.dll    Internet    No Arranque do Internet Explorer     WormRadar.com IESiteBlocker.NavFilter · LinkScannerIE.NavFilter.1 (Extensões do Internet Explorer)    AVG Technologies : AVG Internet Security
    Adobe Reader 8.1.6 - Português    32%                    C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll    Internet    No Arranque do Internet Explorer     Adobe PDF Helper for Internet Explorer - AcroIEHelper.AcroIEHlprObj.1 (Extensões do Internet Explorer)    Adobe Systems, Incorporated : AcroIEHelper Library
    CyberLink PowerDVD Resident Program    30%    2980        7,5 MB        C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe    Programa    12:49:40 No Arranque do Windows, Registry: Machine\Run     PDVDDX service    CyberLink : Cyberlink PowerDVD
    IS360srv.exe    28%    2428        5,7 MB            Serviço    12:49:18 durante o arranque do sistema         IObit Information Technology : IObit Security 360
    ccc-core-static    27%    3332        4,8 MB        C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe    Programa    12:49:42     Catalyst Control Center: Monitoring program - MOM Exe Startup Application for CCC - .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0    Advanced Micro Devices Inc. : Catalyst Control Centre
    GOEC62~1.DLL,avgrsstx.dll    26%                    C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL,avgrsstx.dll    Programa      No Arranque do Windows, Registry: Machine\AppInit_DLLs      (Inactivo)    -
    AVG Resident Shield Service    23%    2180        16,7 MB    4:40    C:\Program Files\AVG\AVG8\avgrsx.exe    Programa    12:49:18  from AVG Free8 WatchDog        AVG Technologies : AVG Internet Security
    AVG Network scanner Service    23%    2212        0,4 MB    0:02    C:\Program Files\AVG\AVG8\avgnsx.exe    Programa    12:49:18  from AVG Free8 WatchDog        AVG Technologies : AVG Internet Security
    Advanced SystemCare 3    23%    2740        29,4 MB    0:02    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe    Programa    12:49:19     Advanced SystemCare V3    IObit Information Technology : Advanced SystemCare 3
    AAWService.exe    22%    1764        18,6 MB    0:28        Serviço    12:49:00 durante o arranque do sistema  after RpcSS        Lavasoft AB : Ad-Aware Service Application
    avgwdsvc.exe    22%    268        0,5 MB    0:02        Serviço    12:49:14 durante o arranque do sistema         AVG Technologies : AVG Internet Security
    Creative UpdReg    21%                    C:\Windows\UpdReg.EXE    Programa      No Arranque do Windows, Registry: Machine\Run     Creative Registry Update (Inactivo)    Creative Technology Ltd. : Creative Updreg
    Assistente de Conexão do Windows Live ID    21%    3824        2,8 MB        C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE    Programa    12:49:32  from Windows Live ID Sign-in Assistant    Microsoft® Windows Live ID Service Monitor    Microsoft Corporation : Microsoft® Windows Live ID
    Windows Live Communications Platform    21%    5688        28,7 MB    0:03    C:\Program Files\Windows Live\Contacts\wlcomm.exe    Programa    12:53:13         Microsoft Corporation : Windows Live Communications Platform
    sqlbrowser.exe    20%    3212        3,6 MB            Serviço    12:49:23 durante o arranque do sistema         Microsoft Corporation : Microsoft SQL Server
    sqlwriter.exe    20%    3256        6,8 MB            Serviço    12:49:23 durante o arranque do sistema         Microsoft Corporation : Microsoft SQL Server
    WLIDSVC.EXE    20%    3376        11,0 MB    0:03        Serviço    12:49:25 durante o arranque do sistema         Microsoft Corporation : Microsoft® Windows Live ID
    Dell Support Center (Software de Suporte)    20%    3164        0,6 MB    0:01    C:\Program Files\Dell Support Center\bin\sprtcmd.exe    Programa    12:49:41 No Arranque do Windows, Registry: Machine\Run     Dell Support Center    Dell Inc. : SupportSoft sprtcmd
    ATI External Event Utility EXE Module    17%    1776        6,1 MB        C:\Windows\System32\Ati2evxx.exe    Programa    12:49:00  from Ati External Event Utility    ATI video bios poller client    ATI Technologies Inc. : ATI External Event Utility for Windows
    Ati2evxx.exe    16%    1176        4,2 MB            Serviço    12:48:57 durante o arranque do sistema         ATI Technologies Inc. : ATI External Event Utility for Windows
    AERTSrv.exe    16%    1772        1,6 MB            Serviço    12:49:14 durante o arranque do sistema         Andrea Electronics Corporation : APO Access Service (32-bit)
    iTunes    15%    3504        10,6 MB        C:\Program Files\iTunes\iTunesHelper.exe    Programa    12:49:45 No Arranque do Windows, Registry: Machine\Run     iTunesHelper Module - HelperMsgListenerWnd    Apple Inc. : iTunes
    Air Mouse Server    11%    4084        22,9 MB        C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe    Programa    12:49:50 No Arranque do Windows, Registry: Machine\Common Startup     AirMouse - .NET-BroadcastEventWindow.2.0.0.0.378734a.0, Air Mouse Settings     : AirMouse
    TRENDnet TEW-424UB Wireless USB 2.0 Adapter Vista Driver and Utility    11%    1024        11,0 MB        C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe    Taskicon    12:49:51 No Arranque do Windows, Registry: Machine\Common Startup     WlanCU MFC Application - Select Card, Signal Strength : Good     : WlanCU Application
    AppleMobileDeviceService.exe    8%    1872        4,3 MB            Serviço    12:49:14 durante o arranque do sistema  after Tcpip        Apple Inc. : Apple Mobile Device Service
    mDNSResponder.exe    8%    512        4,8 MB            Serviço    12:49:15 durante o arranque do sistema  after Tcpip        Apple Inc. : Bonjour
    iPodService.exe    8%    4432        5,5 MB            Serviço    12:50:58 manual  after RpcSs        Apple Inc. : iTunes
    sprtsvc.exe    8%    5812        1,8 MB            Serviço    12:51:37 durante o arranque do sistema         Dell Inc. : SupportSoft sprtsvc
    ccc-core-static    6%                    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe    Programa      No Arranque do Windows, Registry: Machine\Run     Catalyst® Control Center Launcher - StartCCC (Inactivo)    Advanced Micro Devices, Inc. : Catalyst® Control Center
    QuickTime    6%                    C:\Program Files\QuickTime\QTTask.exe    Programa      No Arranque do Windows, Registry: Machine\Run     QuickTime Task (Inactivo)    Apple Inc. : QuickTime
    ccc-core-static    1%    4704        12,1 MB    0:03    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe    Taskicon    12:51:02  from ccc-core-static    Catalyst Control Centre: Host application - CCC application for all ACE Components - GDI+ Window, Cor:32 Bpp, 1680 x 1050, 0°    ATI Technologies Inc. : Catalyst Control Centre
    avgldx86.sys     0%                        Controlador     durante o início do sistema         -
    avgmfx86.sys     0%                        Controlador     durante o início do sistema         -
    avgtdix.sys     0%                        Controlador     durante o início do sistema         -
    libusb0.sys     0%                        Controlador     manual         -
    PxHelp20.sys     0%                        Controlador     durante o boot         -
    RTL8187B.sys     0%                        Controlador     manual         -
    Adobe SVG Viewer 3.0    0%    5280        154,2 MB    1:05    C:\Program Files\Mozilla Firefox\firefox.exe    Programa    12:51:22  from Windows Explorer    Firefox - Start a New Question or Discussion - Mozilla Firefox    Mozilla Corporation : Firefox
    Google Desktop    0%    3016        6,7 MB    0:10    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe    Taskicon    12:49:40 No Arranque do Windows, Registry: Machine\Run     _GD_Crawl, Google Desktop    Google Inc : Google Desktop
    AVG Tray Monitor    0%    2916        4,1 MB        C:\Program Files\AVG\AVG8\avgtray.exe    Taskicon    12:49:43 No Arranque do Windows, Registry: Machine\Run     Avg8TrayMainWnd, AVG Anti-Virus Free    AVG Technologies : AVG Internet Security
    Ad-Aware Tray Application    0%    3492        1,3 MB        C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe    Taskicon    12:49:44 No Arranque do Windows, Registry: Machine\Run     Ad-Aware Tray Application, Ad-Aware    Lavasoft AB : Ad-Aware Tray Application
    Windows Live Messenger    0%    5408        29,6 MB    2:01    C:\Program Files\Windows Live\Messenger\msnmsgr.exe    Taskicon    12:52:56  from Windows Explorer    DDE Server Window, Windows Live Messenger (Disponível)    Microsoft Corporation : Windows Live Messenger
    Adobe Reader 8.1.6 - Português    0%                    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe    Programa      No Arranque do Windows, Registry: Machine\Run     Adobe Acrobat SpeedLauncher - Adobe Reader Speed Launcher (Inactivo)    Adobe Systems, Incorporated : Adobe Acrobat
    Security Task Manager    0%    2568            0:03    C:\Program Files\Security Task Manager\TaskMan.exe    Programa    13:29:10  from Windows Explorer    Security Task Manager    A. & M. Neuber Software : Security Task Manager
    Windows Explorer    0%    2732        55,0 MB    0:22    C:\Windows\explorer.exe    Programa    12:49:19     Segurança e ferramentas, Remover hardware com segurança    Microsoft Corporation : Sistema operacional Microsoft® Windows®
    Barra Lateral do Windows    0%    1328            0:03    C:\Program Files\Windows Sidebar\sidebar.exe    Programa    13:13:53  from Windows Explorer    SidebarBroadcastWatcher, Barra Lateral do Windows    Microsoft Corporation : Sistema operacional Microsoft® Windows®
    HD Audio Control Panel    0%    3756        15,9 MB        C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe    Taskicon    12:49:47 No Arranque do Windows, Registry: Machine\Run     GDI+ Window, Gerenciador de áudio HD Realtek    Realtek Semiconductor Corp : HD Audio Control Panel


    I'm sorry for the English mistakes, but I'm not done yet with my English classes.
    Any help would be appreciated, thanks in advance.
    Wednesday, August 12, 2009 7:51 PM

Answers

  • Hi nietzscheo,

      I saw no mistakes, your English is great.

      It looks like you have researched this issue and have tried a few things to fix it already. Unfortunately, the issue you are experiencing is not usually easy to fix and I can't do much to help but provide you with information. Below is a detailed description of what the problem is and how best to figure out the root cause and remove it. You have already tried some of the suggestions I give below; you may want to try them again, just to be sure.

    Vista is in what we call a 'Mod-Auth' Tamper state. There are 2 types of Mod-Auth tampers.

    1)    A critical system file was modified On Disk - What this means is that the file, located on the hard drive, was modified in some way. This can be caused by a malicious program (spyware, malware, virus) or by manual file modification (by a user of the system). There is also a very small chance that an Update may fail in mid-update and cause this type of issue. As a safety mechanism, Updates are made so that if they fail, they roll back any updating that was done before the failure, but there is an off-chance that the roll back did not occur.

     

    2)    A critical system file was modified In Memory - What this means is the file itself (on the hard drive) is un-modified, but the code, from that file, running in the system, was modified in some way and is caused by a running program that is incompatible with Vista.

      Because there are no mismatched files listed under the "File Scan Data-->" line of your Diagnostic Report, we know that your issue is an In Memory Mod-Auth and therefore caused by an incompatible program or Malware. This means there is a program installed and running that is trying to access parts of the OS that Vista does not allow, either by accident (like an incompatible Program) or on purpose (like Malware).

    NOTE: We have seen an increase in this type of issue and we believe it is unlikely that software writers are still making programs that are incompatible with Vista. Instead, we believe that a majority of the issues are being caused by Malware.

     
    In addition to why a Mod-Auth occurs, it's also important to understand how Vista detects a Mod-Auth event. There is a Service that runs in Vista that detects a Tamper to a Critical System file. But this Service runs randomly, so if you were to install an incompatible program and run it, Vista (most likely) would not immediately enter a Mod-Auth State and it could take some time for the Mod-Auth to be detected. The important point to note is that the moment Vista detects the Mod-Auth, you know that the program that is causing the Mod-Auth is currently running.

     

      Below I have provided a number of steps to help you identify the program that is causing the tamper:

      First, go to
    http://support.microsoft.com/kb/931699/ and confirm that you do not have any of the programs known to cause this type of issue.

      Second, in your Diagnostic report above, you can see the line that starts with 'TTS Error:' followed by a bunch of numbers: M:xxxxxxxxxxxxxxxxx- This is the Tamper Time Stamp and it breaks down like this:

        (year)  (month)  (day)  (time in 24h format)  (millisecond)
    M:
        2009    08       12     1641                  34678-

    Note: I also see a "K" type Tamper Time Stamp. The "K" stands for Kernel Mode tamper. Once you remove the program that is causing the In Memory Mod-Auth tamper, the Kernel Mode tamper may be resolved as well. But a Kernel Mode Tamper can sometimes indicate a Malware infection. To be on the safe side, we strongly suggest scanning your system with the Anti-Virus program of your choice as well as with the OneCare Safety Scanner for Vista (http://onecare.live.com/site/en-us/center/whatsnew.htm)


    Now that you know the time of the tamper, you can now try to connect that time with a program.

    1)    Login to Vista and select the option that launches an Internet Browser

    2)    Type into the browser address bar: %windir%\system32\perfmon.msc and hit Enter

    3)    When asked if you want to Open or Save this file, select Open

    4)     In the left hand panel, click Reliability Monitor

    5)    Click on the “System Stability Chart” above the date 08/12 

    6)    Below the chart, in the “System Stability Report” section look at the report titled "Software (Un)Installs for 08/12/2009 "

    7)    Look for any program that shows "Application Install" in the 'Activity' column.

    8)    Since the process that detects Tampers runs randomly, it can take up to 3 days for the process to detect the tamper and set Vista to a Tamper State. Because of this, please repeat steps 5) thru 7) for the dates 08/11/2009, 08/10/2009 and 08/09/2009  (or around the date the issue first occurred)

      This could tell you what programs were installed on or around the Tamper date and should help you narrow down the possible programs that could be causing the issue. Unfortunately, if you installed the program at some time in the past, but didn't run it till now, this process may not be helpful. The removal of any application you may have installed recently could go a long way to troubleshooting this issue.

     

    Note: Since everyone has different programs installed on their computer, it is extremely hard for support to figure out what program is causing the problem, but if you still need assistance in identifying the Incompatible Program, please create a no cost support request at http://go.microsoft.com/fwlink/?linkid=52029

    Also Note: it has been found that Malware, such as Viruses and Trojans, can also be incompatible with Vista and can cause an In Memory Mod-Auth. A number of users (that were experiencing your same issue) have confirmed that a Malware infection was the cause. If you follow the above steps and cannot find a program that is causing the Mod-Auth, you may want to investigate if a Virus, Worm or Trojan may be to blame. You can contact PC Safety, which is a Microsoft group, which provides free assistance with Malware infections. I encourage you to use the ‘Windows Live Safety Scan for Windows Vista’ (http://onecare.live.com/site/en-us/center/whatsnew.htm) before contacting PC Safety.

    PC Safety:

    http://www.microsoft.com/protect/support/default.mspx

    http://onecare.live.com/site/en-us/center/whatsnew.htm

    Thank you,
    Darin MS
    • Marked as answer by Darin Smith MS Wednesday, August 12, 2009 8:53 PM
    Wednesday, August 12, 2009 8:52 PM
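A worked example of the reasoning in this answer, added here and not part of the answer or of any Microsoft tool: a small Python script that pulls the K:/M: Tamper Time Stamps out of a Diagnostic Report, classifies the tamper as On Disk or In Memory from whether anything is listed under "File Scan Data-->", and lists the Reliability Monitor dates from steps 5) to 8). It assumes the 17-digit stamp is laid out YYYYMMDDHHMMSSfff; the report excerpt and the install events are constructed samples.

```python
import re
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed excerpt of a WGA Diagnostic Report.  The TTS Error value and the
# empty "File Scan Data-->" section are copied from the report in the question;
# the rest of the report is left out.
SAMPLE_REPORT = """\
Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid License
Validation Code: 50
TTS Error: K:20090803223727356-M:20090812164134678-
Validation Diagnostic:
Resolution Status: N/A

File Scan Data-->

Other data-->
Office Details: (omitted)
"""

# Meaning of the stamp prefixes as given in the answer above.
STAMP_KIND = {"K": "Kernel Mode tamper", "M": "Mod-Auth tamper"}

# Assumption: a 17-digit stamp is YYYYMMDDHHMMSSfff (date, 24h time, milliseconds).
_STAMP_RE = re.compile(r"([KM]):(\d{17})-")


def parse_stamp(digits: str) -> datetime:
    """Turn '20090812164134678' into 2009-08-12 16:41:34.678."""
    if len(digits) != 17 or not digits.isdigit():
        raise ValueError(f"unexpected tamper stamp: {digits!r}")
    return datetime.strptime(digits[:14], "%Y%m%d%H%M%S").replace(
        microsecond=int(digits[14:]) * 1000)


def parse_tts_error(report: str) -> Dict[str, datetime]:
    """Return {prefix: timestamp} for every stamp on the 'TTS Error:' line."""
    for line in report.splitlines():
        if line.startswith("TTS Error:"):
            return {k: parse_stamp(d) for k, d in _STAMP_RE.findall(line)}
    return {}


def section(report: str, header: str) -> List[str]:
    """Non-empty lines under a '<header>-->' heading, up to the next heading."""
    lines, inside = [], False
    for line in report.splitlines():
        if line.rstrip().endswith("-->"):
            inside = line.strip() == header
            continue
        if inside and line.strip():
            lines.append(line.strip())
    return lines


def tamper_type(report: str) -> str:
    """An On Disk tamper lists mismatched files under 'File Scan Data-->';
    an empty section means the modification exists only In Memory."""
    return "On Disk" if section(report, "File Scan Data-->") else "In Memory"


def reliability_dates(stamp: datetime, days_back: int = 3) -> List[date]:
    """Dates to check in Reliability Monitor: the tamper date plus the
    preceding days, since detection can lag the install by up to 3 days."""
    return [(stamp - timedelta(days=n)).date() for n in range(days_back + 1)]


# Constructed "Software (Un)Installs" entries in the shape Reliability Monitor
# shows them: (date, activity, product).  Not taken from the question's machine.
SAMPLE_INSTALL_EVENTS = [
    (date(2009, 8, 5), "Application Install", "Example Toolbar 1.0"),
    (date(2009, 8, 10), "Windows Update", "Security Update KB-PLACEHOLDER"),
    (date(2009, 8, 11), "Application Install", "Example Tweaker 2.3"),
    (date(2009, 8, 12), "Application Uninstall", "Example Toolbar 1.0"),
]


def suspects(report: str, events: Iterable[Tuple[date, str, str]]) -> List[str]:
    """Products with an 'Application Install' inside the Reliability Monitor
    window around the M: (Mod-Auth) stamp, i.e. what steps 5) to 8) find."""
    stamps = parse_tts_error(report)
    if "M" not in stamps:
        return []
    window = set(reliability_dates(stamps["M"]))
    return [p for d, act, p in events
            if d in window and act == "Application Install"]


if __name__ == "__main__":
    stamps = parse_tts_error(SAMPLE_REPORT)
    for kind, when in stamps.items():
        print(f"{STAMP_KIND[kind]:>18}: {when:%Y-%m-%d %H:%M:%S}.{when.microsecond // 1000:03d}")
    print("Tamper type:", tamper_type(SAMPLE_REPORT))
    print("Check Reliability Monitor for:",
          ", ".join(d.strftime("%m/%d/%Y") for d in reliability_dates(stamps["M"])))
    print("Application installs in that window:", suspects(SAMPLE_REPORT, SAMPLE_INSTALL_EVENTS))
```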

All replies

  • "First, go to http://support.microsoft.com/kb/931699/ and confirm that you do not have any of the programs known to cause this type of issue."

    Well, I don't have any of the programs listed there, but when I saw the English version of that page, I realized that my Wifi antenna's brand is TrendNet. Does it have anything to do with Trend Micro PC-cillin Internet Security or Trend Micro OfficeScan? I'm not sure the antenna will work without its software, so if I uninstall it, bye bye internet.
    Thursday, August 13, 2009 12:21 AM
  • The OneCare scan detected a trojan on my PC, but against my hopes it wasn't what it was all about; wgadiag and the Windows validation site still lead to the "unauthorized change" notice.

    One more thing: I turned my PC off because it said there were some updates to be installed. When I turned it on again it installed them. Or at least it tried, because the installation was unsuccessful, and it had to undo everything it had done and try to install them again. This is the second time this has happened to me, and those are the same updates.

    I've been able to install them with the machine on, just restarting the PC later. And now I've installed SP2, at the request of Microsoft Update. All of it went well, but sfc /scannow still reports corrupted files.

    I'll keep scanning with OneCare and all the others.

    Any other suggestions?
    Thursday, August 13, 2009 12:48 AM
  • Hi nietzscheo,

      I recommend that you ensure that the TrendNet software is up to date and Vista Compatible. I use TrendNet gear to Network my Printer and they seem to be good about updating their software.

      Between the Non-Genuine issue, being unable to Update and especially having the 'sfc /scannow' show corrupt files that it can't repair, I suspect that your Vista has suffered damage in some way. Possibly by that trojan or maybe by something else. I can't tell. But there are too many things going wrong for it to be just a Non-Genuine issue. If you are unable to resolve the issue yourself, I can only recommend either contacting Vista Support at http://support.microsoft.com or reinstalling Vista. I don't like recommending reinstall, but if /Scannow can't repair the damage, I'm not sure what can besides a reinstall.

    Sorry I couldn't be more help,
    Darin MS

    Friday, August 14, 2009 5:42 PM