After the MGAdiag has been posted, open an elevated command prompt and issue the following commands:
net start sppsvc
sc qc sppsvc
sc queryex sppsvc
sc qprivs sppsvc
sc qsidtype sppsvc
sc sdshow sppsvc
Post the output - thanks
Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-9CBQQ-CBRDX-4VBW4
Windows Product Key Hash: 4o79yMzf+5/lHKmwIiotxng2nPc=
Windows Product ID: 00371-OEM-9045181-41077
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {88569B0E-21CB-4760-A2CC-9595DA52037D}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.140303-2144
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 77F760FE-153-80070002_7E90FEE8-175-80070002_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-b01a_E2AD56EA-766-0_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{88569B0E-21CB-4760-A2CC-9595DA52037D}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-4VBW4</PKey><PID>00371-OEM-9045181-41077</PID><PIDType>3</PIDType><SID>S-1-5-21-764048772-141219837-185285450</SID><SYSTEM><Manufacturer>INTEL_</Manufacturer><Model>DX58SO__</Model></SYSTEM><BIOS><Manufacturer>Intel Corp.</Manufacturer><Version>SOX5810J.86A.5600.2013.0729.2250</Version><SMBIOSVersion major="2" minor="5"/><Date>20130729000000.000000+000</Date></BIOS><HWID>92ED3407018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0014-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional 2007</Name><Ver>12</Ver><Val>1B16FCA35E8C714</Val><Hash>Ox0izo7MjcnLKUdV4ul5G/4OhBY=</Hash><Pid>81605-906-5273533-65430</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Professional edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: e120e868-3df2-464a-95a0-b52fa5ada4bf
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00371-00180-451-841077-02-1033-7601.0000-2132014
Installation ID: 021892549173720063162803583281194772514004932426885526
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 4VBW4
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 01-Aug-14 18:34:34

Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000000800
Event Time Stamp: 8:1:2014 11:47
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration

HWID Data-->
HWID Hash Current: MAAAAAMAAAABAAEAAQACAAAAAQABAAEACrYw0tpjQ0ZsQ7K6xFcOLJyfvSCmnuqC

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
  ACPI Table Name   OEMID Value   OEMTableID Value
  APIC              INTEL         DX58SO
  FACP              INTEL         DX58SO
  HPET              INTEL         DX58SO
  MCFG              INTEL         DX58SO
  WDDT              INTEL         DX58SO
  ASF!              INTEL         DX58SO
  SSDT              INTEL         SSDT  PM
  DMAR              INTEL         DX58SO
  WDTT              INTEL         DX58SO
  ASPT              INTEL         PerfTune
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>net start sppsvc
The Software Protection service is starting.
The Software Protection service was started successfully.


C:\Windows\system32>sc qc sppsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sppsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\sppsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Software Protection
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

C:\Windows\system32>sc queryex sppsvc

SERVICE_NAME: sppsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 9856
        FLAGS              :

C:\Windows\system32>sc qprivs sppsvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: sppsvc
        PRIVILEGES       : SeAuditPrivilege
                         : SeChangeNotifyPrivilege
                         : SeCreateGlobalPrivilege
                         : SeImpersonatePrivilege

C:\Windows\system32>sc qsidtype sppsvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: sppsvc
SERVICE_SID_TYPE:  UNRESTRICTED

C:\Windows\system32>sc sdshow sppsvc

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO
CRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;WD)

C:\Windows\system32>
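The `sc sdshow` line in the output above is the service's security descriptor in SDDL, and the reason the helper asked for it is to see who is allowed to reconfigure or stop the Software Protection service. The script below is an added example (not posted by anyone in this thread): it decodes that descriptor into per-trustee service rights and lists the trustees that hold change-config, delete or re-ACL rights, which is the comparison a defender makes against a known-good default. The two-letter right and SID codes are the standard SDDL ones; the input is the sppsvc descriptor from the post, kept with the console line wraps.

```python
"""Decode the DACL printed by `sc sdshow <service>` into per-SID service rights."""
import re

# SDDL access-right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known two-letter SID aliases that appear in the posted descriptor.
SID_ALIASES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
               "SU": "Service", "AU": "Authenticated Users", "WD": "Everyone"}
# Rights that let a trustee reconfigure, delete or re-ACL the service.
MODIFY_RIGHTS = {"DC", "SD", "WD", "WO"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl_dacl(sddl):
    """Return [(ace_type, trustee, {rights})] for each ACE in the D: section."""
    sddl = re.sub(r"\s+", "", sddl)  # `sc` wraps the descriptor at 80 columns
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the SACL (S:) part
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;sid
        ace_type, rights_str, sid = fields[0], fields[2], fields[5]
        rights = {rights_str[i:i + 2] for i in range(0, len(rights_str), 2)}
        aces.append((ace_type, SID_ALIASES.get(sid, sid), rights))
    return aces


def trustees_with_modify_rights(sddl):
    """Trustees granted any of MODIFY_RIGHTS by an Allow (A) ACE."""
    return sorted(trustee for ace_type, trustee, rights in parse_sddl_dacl(sddl)
                  if ace_type == "A" and rights & MODIFY_RIGHTS)


# Constructed input: the sppsvc descriptor posted in the thread, including the
# two places where the console wrapped it, so the whitespace handling is exercised.
SPPSVC_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWRPLO CRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW DWO;;;WD)")

if __name__ == "__main__":
    for ace_type, trustee, rights in parse_sddl_dacl(SPPSVC_SDDL):
        print(ace_type, trustee, sorted(SERVICE_RIGHTS.get(r, r) for r in rights))
    print("can modify sppsvc:", trustees_with_modify_rights(SPPSVC_SDDL))
```

For this descriptor only Administrators hold modify rights; any extra trustee showing up there, or LocalSystem gaining WRITE_DAC, is what would indicate the service ACL had been altered.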
Thanks,
I didn't see the output from Adwcleaner, perhaps my request got buried (I bury a lot of posts including my own)
Please run AdwCleaner, which will detect and clean if anything is found. It's fairly quick and very efficient for certain types of malware.
Download,
Scan,
Clean
Follow the above steps on: How to use AdwCleaner version 3.x
Post the logs here on SevenForums - not on the General Changelog Team (GCT) site.
Then download and install the Win7 x64 version of: Description of the update for Windows Activation Technologies. You might end up back on the MS support site, so I want to make sure there's no hint of malware.
Code:
# AdwCleaner v3.302 - Report created 01/08/2014 at 19:31:30
# Updated 30/07/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : TJG - DESKTOPVA
# Running from : C:\Users\TJG\Desktop\adwcleaner_3.302.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\TJG\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\TJG\AppData\Roaming\YourFileDownloader

***** [ Scheduled Tasks ] *****

[x] Not Deleted : SUPERAntiSpyware Scheduled Task 548d58d4-cf1c-4a16-96ff-c83f07f24f7c

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\Solvusoft

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


*************************

AdwCleaner[R0].txt - [1902 octets] - [01/08/2014 19:29:13]
AdwCleaner[S0].txt - [1699 octets] - [01/08/2014 19:31:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1759 octets] ##########

Update for Windows 7 for x64-based Systems (KB971033)

Code:
# AdwCleaner v3.302 - Report created 01/08/2014 at 20:22:32
# Updated 30/07/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : TJG - DESKTOPVA
# Running from : C:\Users\TJG\Desktop\adwcleaner_3.302.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****

Task Deleted : SUPERAntiSpyware Scheduled Task 548d58d4-cf1c-4a16-96ff-c83f07f24f7c

***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17207


*************************

AdwCleaner[R0].txt - [1902 octets] - [01/08/2014 19:29:13]
AdwCleaner[R1].txt - [879 octets] - [01/08/2014 20:21:54]
AdwCleaner[S0].txt - [1839 octets] - [01/08/2014 19:31:30]
AdwCleaner[S1].txt - [803 octets] - [01/08/2014 20:22:32]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [862 octets] ##########
KB971033 installed without any issues.
Last edited by tjg79; 01 Aug 2014 at 19:28.
Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

C:\Windows\system32>
Ok, I'm a bit stuck on the slui issue.
I'm going to bow out on that and defer to NoelDP when he gets a chance. He has the experience and tools to guide you best. It might take Noel a while since he's working through an issue on his own machine. Please be patient.
While you're waiting for Noel, you can clean up any additional remnants or dormant malware.
Restart your machine and then run two additional malware scanners
- Junkware Removal Tool (JRT)
Junkware Removal Tool Download
JRT is fairly quick
- Download and run as administrator.
Restart your machine then run one more scanner.
- ESET Online Scanner
This takes the longest to scan and clean. It could take a few hours, but it does a thorough job.
You'll need to run this scanner in IE
Read the help, then press the Run ESET Online Scanner button
The scanner runs in a pop-up window - if you close the window, you close the scanner.
Select the options shown below and press the start button
When the scan finishes, review any detected malware to determine if they are known to you or are unknown. If they are unknown, they are most likely malware and can be deleted.
If you're not sure, do not close the scanner window. Attach the ESET log and a member will assist you.
ESET Online Scanner FAQs
Please upload the entire CBS folder so I can see the logs -
Have you been using a Registry Cleaner of any kind?
To confirm that the problem is what I think it is, please run the following commands in an Elevated Command Prompt window and post the results.
REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S
Here are some instructions to make life easier :)
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by TJG on 02-Aug-14 at  7:59:05.09
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{84224BAC-B89F-44A5-9A9B-E2AC268DD10B}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A9C215B4-A028-4BAC-91C0-C2B61BB4C838}



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 02-Aug-14 at  8:03:30.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My C:\Windows\Logs\CBS folder has nine items which are attached below in compressed format.
Attachment 327814
Attachment 327815
Attachment 327817
Attachment 327818
Attachment 327819
Attachment 327820
CheckSUR.persist.zip
CheckSUR.zip
DeepClean.zip
I regularly use CCleaner's registry cleaner.

Code:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\TJG>REG QUERY HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\FLAGS
    (Default)    REG_SZ    0


C:\Users\TJG>REG QUERY HKLM\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\FLAGS
    (Default)    REG_SZ    0


C:\Users\TJG>REG QUERY HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA} /S

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0
    (Default)    REG_SZ    SPPUI 1.0 Type Library

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\0\win32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\slui.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{EE574957-4077-4AD6-8658-327C2C86C5AA}\1.0\FLAGS
    (Default)    REG_SZ    0


C:\Users\TJG>
C:\Users\TJG>
Thanks for the assistance.
Regards