Solved No Win Update, cannot download KB981028

[paramaibo]

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ICACLS C:\Windows\System32\catroot2
C:\Windows\System32\catroot2 NT SERVICE\CryptSvc:(OI)(CI)(F)
                             NT SERVICE\TrustedInstaller:(I)(F)
                             NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                             BUILTIN\Administrators:(I)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Administrators:(I)(OI)(IO)(F)
                             BUILTIN\Administrators:(I)(CI)(IO)(F)
                             NT AUTHORITY\SYSTEM:(I)(OI)(IO)(F)
                             NT AUTHORITY\SYSTEM:(I)(CI)(F)
                             Everyone:(I)(OI)(IO)(F)
                             Everyone:(I)(CI)(F)
                             BUILTIN\Users:(I)(OI)(IO)(F)
                             BUILTIN\Users:(I)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32
C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                    CREATOR OWNER:(OI)(CI)(IO)(F)
                    BUILTIN\Administrators:(OI)(IO)(F)
                    BUILTIN\Administrators:(CI)(F)
                    NT AUTHORITY\SYSTEM:(OI)(IO)(F)
                    NT AUTHORITY\SYSTEM:(CI)(F)
                    Everyone:(OI)(IO)(F)
                    Everyone:(CI)(F)
                    BUILTIN\Users:(OI)(IO)(F)
                    BUILTIN\Users:(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ATTRIB C:\Windows\System32\catroot2\*.*
A       I    C:\Windows\System32\catroot2\dberr.txt

C:\Windows\system32>SC QC Cryptsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   : TruPrevent
        TAG                : 0
        DISPLAY_NAME       : Cryptographic Services
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : NT Authority\NetworkService

C:\Windows\system32>SC QUERYEX Cryptsvc

SERVICE_NAME: Cryptsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1196
        FLAGS              :

C:\Windows\system32>

 

[NoelDP]

Have you been using some kind of system repair tool, such as the Tweaking.com WIndows Repair tool?
You have some very strange permissions there which will significantly lower your machine's security.

Please run the following commands and post the results...

SC QC APPID
SC QUERYEX APPID

There is an unusual entry in the LAOD_ORDER_GROUP entry above, which is from Panda, and appears to have been superceded in 2010 by another technology.

What exact version of Panda in actually installed?

 

[paramaibo]

I used Tweaking.com when this issue first arose.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>SC QC APPID
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: APPID
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : \SystemRoot\system32\drivers\appid.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AppID Driver
        DEPENDENCIES       : FltMgr
                           : DisCache
        SERVICE_START_NAME :

C:\Windows\system32>SC QUERYEX APPID

SERVICE_NAME: APPID
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\Windows\system32>

Currently I have Panda Antivirus Pro 2014 13.01.00. I have no idea why the load order has changed, and certainly not why Panda initiated it. However, I have had rare cases of malware infestation a couple of years ago that required other Panda tools (assuming they would leave the same signature).

As regards permissions etc., I had connected a hdd to the wlan this time last year, and have been plagued by pemissions and sodding errors telling me that I'm not entitled to fiddle as I wish. In the end, I have managed to get the hdd working to my liking. Would these changes have any bearing on what you are referring to?

 

[NoelDP]

It may be normal for a Panda install - we don't see many here, and I suspect that it may depend also on which version is installed.
It's quite common for AV's to slip themselves into the startup axis, so that they get loaded early in the boot process and get the chance to prevent startup malware.
It can however make troubleshooting more difficult, as it introduces an extra layer into the complexities of booting.

Perhaps I should explain what I'm looking for...
Your system is showing problems with the cryptography associated with all the monitored files for the Software Protection Service.
These problems are usually (about80% of the time) corrected by re/installing the IRST drivers, and where that doesn't work, most systems will respond to the CATROOT2 rename - sometimes it fails, as in your case.

The problem then is one of working out where the disconnect is - it's probably in the registry, but that is a rather large database that changes on a daily basis, so it's like looking for size 12 needle in a bin of size 13s that being continually stirred and refilled.

All we can see is the effects, as a rule, unless we know where to start. Up until now, we don't really have much of a clue, except that it's definitely something to do with the CATROOT2 folder.
This is controlled (at least partly) by the Windows Management Instrumentation Service - but so far, no machine we've checked has shown any problems with the service itself.

Let's check that, and a few other things as well, anyhow..

Run the following commands, and post the results.

SC QC WINMGMT
SC QUERYEX WINMGMT


also, please follow the http://www.sevenforums.com/bsod-help-support/96879-blue-screen-death-bsod-posting-instructions.html and post the results - it'll give us a lot of information that may prod me into spotting something relevant.

 

[paramaibo]

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>SC QC WINMGMT
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WINMGMT
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Management Instrumentation
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : localSystem

C:\Windows\system32>SC QUERYEX WINMGMT

SERVICE_NAME: WINMGMT
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1964
        FLAGS              :

C:\Windows\system32>

What would behaviour/actions would typically tamper/corrupt the cryptographic services. I ask in order to prompt my memory of any relevant events that may hasten your search. I confess that up until now I had been unaware of the existence of cryptographic services and Windows manifests, but you have probably guessed that.

 

[paramaibo]

I've just thought of something.

Would it be any help to you if I reinsert my old OS hdd which may still yield underlying corruptions, though these have not been further stirred up by more recent interferences/incompatibilities?

 

[paramaibo]

I also have a couple of practical observations that have occurred recently.

The last command that you asked me to run has improved the boot time, however, the file transfer speed over WLAN has just about halved over the last few days. Incidentally, I experienced a significant improvement in transfer speed after tweaking.com repairs to repair WU.

Funny ol' world.

This morning I've also been receiving a spate of "This copy of Windows is not genuine" - which has also added to my my good cheer.

 

[NoelDP]

the 'not genuine' messages are interesting - next time one appears, please post the results of an MGADiag scan before attempting any fixes.

To properly analyse and solve problems with Activation and Validation, we need to see a full copy of the report produced by the MGADiag tool
(download and save to desktop - http://go.microsoft.com/fwlink/?linkid=52012 )
Once saved, run the tool.

Click on the Continue button, which will produce the report.
To copy the report to your response, click on the Copy button in the tool (ignore any error messages at this point), and then paste (using either r-click/Paste, or Ctrl+V ) into your response.

 

[paramaibo]

I don't understand, I already have the MGADiag tool and have posted loads of these scans.

I was rather hoping that you may have found anything interesting as a result of #24/25 from last night.

Here are the MGAD scan results:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-24FM6-626F6-2X46Y
Windows Product Key Hash: aVSvaN08Cpfya6UCZ7EqSoPkgu0=
Windows Product ID: 00426-OEM-9179745-04135
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8E5EB5B9-4D07-4C2F-9401-3615F8138954}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Ultimate
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Maxthon3\Bin\Maxthon.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8E5EB5B9-4D07-4C2F-9401-3615F8138954}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2X46Y</PKey><PID>00426-OEM-9179745-04135</PID><PIDType>3</PIDType><SID>S-1-5-21-575296468-2180832810-2140896998</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Qosmio G50</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 2.30</Version><SMBIOSVersion major="2" minor="5"/><Date>20090828000000.000000+000</Date></BIOS><HWID>39BB3C07018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GTB Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0060   </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65598</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00182-797-404135-02-2057-7601.0000-2402013
Installation ID: 017280694241765211214676292446964325955474601770711190
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 2X46Y
License Status: Licensed
Remaining Windows rearm count: 5
Trusted time: 17/03/2014 19:39:36

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 3:16:2014 16:59
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys


HWID Data-->
HWID Hash Current: OAAAAAEABAABAAEAAAACAAAABAABAAEAeqjmUe715I1c+viHEB6GGQa2nmJcPz64hm0Uz4ztRso=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			TOSHIB		A0060   
  FACP			TOSHIB		A0060   
  DBGP			TOSHIB		A0060   
  HPET			TOSHIB		A0060   
  MCFG			TOSHIB		A0060   
  SSDT			TOSHIB		A0060   
  TCPA			TOSHIB		A0060   
  SLIC			TOSHIB		A0060   
  SSDT			TOSHIB		A0060

 

[NoelDP]

Sorry - I was in a hurry (posting at work behind the boss's back) so only looked at the thread title and the last post

I'll review the thread at leisure today, and post back later.

 

[paramaibo]

I just received another notice & ran MGADiag straight afterwards:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-24FM6-626F6-2X46Y
Windows Product Key Hash: aVSvaN08Cpfya6UCZ7EqSoPkgu0=
Windows Product ID: 00426-OEM-9179745-04135
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8E5EB5B9-4D07-4C2F-9401-3615F8138954}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Ultimate
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Maxthon3\Bin\Maxthon.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8E5EB5B9-4D07-4C2F-9401-3615F8138954}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2X46Y</PKey><PID>00426-OEM-9179745-04135</PID><PIDType>3</PIDType><SID>S-1-5-21-575296468-2180832810-2140896998</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Qosmio G50</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 2.30</Version><SMBIOSVersion major="2" minor="5"/><Date>20090828000000.000000+000</Date></BIOS><HWID>39BB3C07018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GTB Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0060   </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65598</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00182-797-404135-02-2057-7601.0000-2402013
Installation ID: 017280694241765211214676292446964325955474601770711190
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 2X46Y
License Status: Licensed
Remaining Windows rearm count: 5
Trusted time: 18/03/2014 12:14:10

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 3:18:2014 06:06
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys


HWID Data-->
HWID Hash Current: OAAAAAEABAABAAEAAAACAAAABAABAAEAeqjmUe715I1c+viHEB6GGQa2nmJcPz64hm0Uz4ztRso=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			TOSHIB		A0060   
  FACP			TOSHIB		A0060   
  DBGP			TOSHIB		A0060   
  HPET			TOSHIB		A0060   
  MCFG			TOSHIB		A0060   
  SSDT			TOSHIB		A0060   
  TCPA			TOSHIB		A0060   
  SLIC			TOSHIB		A0060   
  SSDT			TOSHIB		A0060

 

[paramaibo]

I have had several annoying WAT messages



leading to this



when I try to resolve it. The order is obviously reversed.

 

[paramaibo]

No Win Update, MDAG, CBS log, DM log

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-24FM6-626F6-2X46Y
Windows Product Key Hash: aVSvaN08Cpfya6UCZ7EqSoPkgu0=
Windows Product ID: 00426-OEM-9179745-04135
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8E5EB5B9-4D07-4C2F-9401-3615F8138954}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Ultimate
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Maxthon3\Bin\Maxthon.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8E5EB5B9-4D07-4C2F-9401-3615F8138954}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2X46Y</PKey><PID>00426-OEM-9179745-04135</PID><PIDType>3</PIDType><SID>S-1-5-21-575296468-2180832810-2140896998</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Qosmio G50</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 2.30</Version><SMBIOSVersion major="2" minor="5"/><Date>20090828000000.000000+000</Date></BIOS><HWID>394F3507018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GTB Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0060   </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65598</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00182-797-404135-02-2057-7601.0000-2402013
Installation ID: 017280694241765211214676292446964325955474601770711190
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 2X46Y
License Status: Licensed
Remaining Windows rearm count: 5
Trusted time: 21/03/2014 20:25:37

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 3:18:2014 06:06
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys


HWID Data-->
HWID Hash Current: OAAAAAEABAABAAEAAAACAAAABAABAAEAeqjmUe715I1c+viHEB6GGQa2nmJcPz64hm0Uz4ztRso=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			TOSHIB		A0060   
  FACP			TOSHIB		A0060   
  DBGP			TOSHIB		A0060   
  HPET			TOSHIB		A0060   
  MCFG			TOSHIB		A0060   
  SSDT			TOSHIB		A0060   
  TCPA			TOSHIB		A0060   
  SLIC			TOSHIB		A0060   
  SSDT			TOSHIB		A0060

 

[NoelDP]

Hello again
(I'm going to ask for this thread to be merged with your other one - sorry I didn't get back to you earlier, but please stick with the same thread!)

Your eventlog file shows some interesting problems...

Line 659227: The attempt by user ROGUESTATE-PC\Roguestate to restart/shutdown computer ROGUESTATE-PC failed
 Line 660842: The TuneUp Theme Extension service failed to start due to the following error: 
 Line 661972: The SQL Server Browser service failed to start due to the following error: 
 Line 662263: The Diagnostic System Host service failed to start due to the following error: 
 Line 662580: The HomeGroup Listener service failed to start due to the following error: 
 Line 662656: The following boot-start or system-start driver(s) failed to load:

...especially as you said you have Panda AV installed, and the full error from the last one above reads...

  Description: 
The following boot-start or system-start driver(s) failed to load: 
avgtp

Download the AVG Remover from here
http://www.avg.com/us-en/utilities
Follow the instructions for running it, and then reboot the machine (whether it asks for it or not, and whether the program rebooted already or not).

then run another MGADiag report, and post that.

 

[paramaibo]

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-24FM6-626F6-2X46Y
Windows Product Key Hash: aVSvaN08Cpfya6UCZ7EqSoPkgu0=
Windows Product ID: 00426-OEM-9179745-04135
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8E5EB5B9-4D07-4C2F-9401-3615F8138954}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Ultimate
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Maxthon3\Bin\Maxthon.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8E5EB5B9-4D07-4C2F-9401-3615F8138954}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2X46Y</PKey><PID>00426-OEM-9179745-04135</PID><PIDType>3</PIDType><SID>S-1-5-21-575296468-2180832810-2140896998</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Qosmio G50</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 2.30</Version><SMBIOSVersion major="2" minor="5"/><Date>20090828000000.000000+000</Date></BIOS><HWID>39BB3107018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GTB Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0060   </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65598</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00182-797-404135-02-2057-7601.0000-2402013
Installation ID: 017280694241765211214676292446964325955474601770711190
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 2X46Y
License Status: Licensed
Remaining Windows rearm count: 5
Trusted time: 22/03/2014 00:50:22

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 3:18:2014 06:06
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys


HWID Data-->
HWID Hash Current: OgAAAAEABAABAAEAAAADAAAABAABAAEAeqjmUe715I1c+viHEB6GGQa2nmJcP0vuPriGbRTPjO1Gyg==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			TOSHIB		A0060   
  FACP			TOSHIB		A0060   
  DBGP			TOSHIB		A0060   
  HPET			TOSHIB		A0060   
  MCFG			TOSHIB		A0060   
  SSDT			TOSHIB		A0060   
  TCPA			TOSHIB		A0060   
  SLIC			TOSHIB		A0060   
  SSDT			TOSHIB		A0060

The remover froze twice while it was running, and then I ran it in Safe Mode & it completed.

Then there's this (avgtpx86.sys) in the driver folder, how does it get removed/uninstalled?

 

[NoelDP]

All references to it in the registry should have been removed, (do a search in regedit to check) - if not, run the tool again and see if it completes in normal mode this time.

What other Anti-Virus programs have ever been installed on this machine?

 

[paramaibo]

Done, but the uninstaller always freezes at the same point: "Cloudcare not installed on this computer". It then has to shut down by task manager. It's tricky using regedit, because AVG also brings up "average" entries, eg. in perflib.

Machine came with 30 days Norton but I got rid of that straight away, otherwise it has only been Panda, Malwarebytes and Panda Cloud Cleaner.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-24FM6-626F6-2X46Y
Windows Product Key Hash: aVSvaN08Cpfya6UCZ7EqSoPkgu0=
Windows Product ID: 00426-OEM-9179745-04135
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8E5EB5B9-4D07-4C2F-9401-3615F8138954}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Ultimate
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Maxthon3\Bin\Maxthon.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8E5EB5B9-4D07-4C2F-9401-3615F8138954}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2X46Y</PKey><PID>00426-OEM-9179745-04135</PID><PIDType>3</PIDType><SID>S-1-5-21-575296468-2180832810-2140896998</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Qosmio G50</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 2.30</Version><SMBIOSVersion major="2" minor="5"/><Date>20090828000000.000000+000</Date></BIOS><HWID>39BF3D07018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GTB Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0060   </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65598</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00182-797-404135-02-2057-7601.0000-2402013
Installation ID: 017280694241765211214676292446964325955474601770711190
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 2X46Y
License Status: Licensed
Remaining Windows rearm count: 5
Trusted time: 22/03/2014 17:24:17

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 3:18:2014 06:06
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: OAAAAAEABAABAAEAAAACAAAABAABAAEAeqjmUe715I1c+viHEB6GGQa2nmJcPz64hm0Uz4ztRso=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			TOSHIB		A0060   
  FACP			TOSHIB		A0060   
  DBGP			TOSHIB		A0060   
  HPET			TOSHIB		A0060   
  MCFG			TOSHIB		A0060   
  SSDT			TOSHIB		A0060   
  TCPA			TOSHIB		A0060   
  SLIC			TOSHIB		A0060   
  SSDT			TOSHIB		A0060

 

[NoelDP]

Odd - I just ran both x64 uninstallers on my machine and never a mention of Cloudcare anywhere....

Which uninstaller did you download?

It should have been one of these...

avg_remover_stf_x86_2014_4116.exe
avg_remover_stf_x64_2014_4116.exe
avg_remover_stf_x86_2013_3341.exe
avg_remover_stf_x64_2013_3341.exe
avg_remover_stf_x64_2012_2125.exe
avg_remover_stf_x86_2012_2125.exe


When you uninstalled Norton, did you also run their removal tool?

Download the Norton Removal Tool from here https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?lg=english&ct=united+states&docid=20080710133834EN&product=home&version=1&pvid=f-home

Close all other programs, then run the tool. When it's complete, reboot the machine whether it asks for it or not.

After the reboot, open an Elevated Command Prompt, and run the following command

NETSH WINSOCK RESET

You'll be advised to reboot - do so.
then post another MGADiag report.

 

[paramaibo]

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-24FM6-626F6-2X46Y
Windows Product Key Hash: aVSvaN08Cpfya6UCZ7EqSoPkgu0=
Windows Product ID: 00426-OEM-9179745-04135
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {8E5EB5B9-4D07-4C2F-9401-3615F8138954}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: Windows 7 Ultimate
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.130828-1532
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Plus 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Maxthon3\Bin\Maxthon.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{8E5EB5B9-4D07-4C2F-9401-3615F8138954}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2X46Y</PKey><PID>00426-OEM-9179745-04135</PID><PIDType>3</PIDType><SID>S-1-5-21-575296468-2180832810-2140896998</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Qosmio G50</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 2.30</Version><SMBIOSVersion major="2" minor="5"/><Date>20090828000000.000000+000</Date></BIOS><HWID>395B3507018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GTB Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0060   </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65598</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00182-797-404135-02-2057-7601.0000-2402013
Installation ID: 017280694241765211214676292446964325955474601770711190
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: 2X46Y
License Status: Licensed
Remaining Windows rearm count: 5
Trusted time: 22/03/2014 18:42:45

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x000000000001EFF0
Event Time Stamp: 3:18:2014 06:06
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
Tampered File: %systemroot%\system32\sppwinob.dll
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys


HWID Data-->
HWID Hash Current: OAAAAAEABAABAAEAAAACAAAABAABAAEAeqjmUe715I1c+viHEB6GGQa2nmJcPz64hm0Uz4ztRso=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			TOSHIB		A0060   
  FACP			TOSHIB		A0060   
  DBGP			TOSHIB		A0060   
  HPET			TOSHIB		A0060   
  MCFG			TOSHIB		A0060   
  SSDT			TOSHIB		A0060   
  TCPA			TOSHIB		A0060   
  SLIC			TOSHIB		A0060   
  SSDT			TOSHIB		A0060

I ran avg_remover_stf_x86_2014_4116.exe.

Norton - check

Winsock - check

 

[NoelDP]

Still the same - I thought we had almost got there after the AVG cleanup. (note the first line of the report output)

OK now we'll have to remove Panda - its install may have been partially corrupted by the dregs of the other AVs

Depending on the version of Panda you're using, you'll need to run one of these after using the normal Windows one...


Panda http://www.pandasecurity.com/resources/sop/UNINSTALLER.exe
Panda Cloud Internet Protection http://www.pandasecurity.com/resources/sop/Cloud_AV_Uninstaller.exe

Temporarily, then install MSE and run a full system scan. Microsoft Security Essentials | Protect against viruses, spyware, and other malware

reboot, and post another MGADiag report.