#11
The disc was moved by a family member. And he doesn't remember where. I did a search from top to bottom and never found it. I did make a recovery disk, but on the night the error message started popping up.
When I did CHKDSK at the very end of the scan, it said "Failed to transfer logged messages to the event log with status 50". The other command result was: "Windows Resource Protection could not perform the required operation".
My latest MGADiag result:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE21
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-VGV87-C7XPK-CGKHQ
Windows Product Key Hash: sdEjrEJjW0FuXAhegYxl8GAkBYg=
Windows Product ID: 00359-OEM-8992687-00016
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {4531FCA7-C73E-476F-B837-DB6517CD0D70}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120503-2030
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\slc.dll[Hr = 0x800b0100]

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{4531FCA7-C73E-476F-B837-DB6517CD0D70}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-CGKHQ</PKey><PID>00359-OEM-8992687-00016</PID><PIDType>2</PIDType><SID>S-1-5-21-2453490050-1198088503-2290646754</SID><SYSTEM><Manufacturer>Sony Corporation</Manufacturer><Model>VPCEH34FX</Model></SYSTEM><BIOS><Manufacturer>INSYDE</Manufacturer><Version>R0200Z9</Version><SMBIOSVersion major="2" minor="7"/><Date>20120419000000.000000+000</Date></BIOS><HWID>8A253007018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>Sony</OEMID><OEMTableID>VAIO</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00178-926-800016-02-1033-7601.0000-3392011
Installation ID: 013272784732450471477180571903150511941416247532170771
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: CGKHQ
License Status: Licensed
Remaining Windows rearm count: 2
Trusted time: 9/27/2012 10:38:35 PM

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0000000000000100
Event Time Stamp: 9:26:2012 17:17
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui

HWID Data-->
HWID Hash Current: PAAAAAIAAQABAAEAAQABAAAACAABAAEA6GFm+XBfFT8GCv4MoiJ39sJrHzl0D/w3QhYeOWh1lKlpdS5z

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC Sony VAIO
FACP Sony VAIO
HPET Sony VAIO
BOOT Sony VAIO
MCFG Sony VAIO
WDAT Sony VAIO
ASF! Sony VAIO
SLIC Sony VAIO
SSDT Sony VAIO
ASPT Sony VAIO
SSDT Sony VAIO
SSDT Sony VAIO
The first error is normal with an offline SFC - the second one isn't!
I'm not sure what's going on here - but it's the second such case I've seen this week, and I've never seen a case before that I remember.
I suspect malware -
Please boot to Safe Mode with Networking, and only then download and install Malwarebytes Anti-Malware (free version) from www.malwarebytes.org, update it, and run a full System scan in your main account, and quick scans in any other accounts (still in Safe Mode).
Delete everything it finds!
Reboot to normal mode, and attempt another SFC /SCANNOW and upload the CBS.log again, and we'll take another look.
Found eight infections, but sfc still gives the same "Windows Resource Protection could not perform the required operation" type of message. Just got the "not genuine" message as I type this.
https://skydrive.live.com/redir?resi...NSTCdUAZgCj02o
The problem seems to lie in these four lines.....
I've never seen a 'cannot be checked' response in SFC before, so we need to look at the files concerned, while I do some research......

2012-09-27 11:56:17, Info CSI 00000038 [SR] Cannot repair member file [l:30{15}]"winload.exe.mui" of Microsoft-Windows-BootEnvironment-OS-Loader.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2012-09-27 11:56:17, Info CSI 00000039 [SR] Cannot repair member file [l:34{17}]"winresume.exe.mui" of Microsoft-Windows-BootEnvironment-OS-Loader.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2012-09-27 11:56:18, Info CSI 0000003a [SR] Cannot repair member file [l:22{11}]"winload.exe" of Microsoft-Windows-BootEnvironment-OS-Loader, Version = 6.1.7601.17556, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2012-09-27 11:56:18, Info CSI 0000003b [SR] Cannot repair member file [l:26{13}]"winresume.exe" of Microsoft-Windows-BootEnvironment-OS-Loader, Version = 6.1.7601.17556, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
Let's concentrate on one, for the moment....
DIR C:\Windows\winload.exe /S
ICACLS C:\Windows\System32\winload.exe
ICACLS C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17556_none_b923808583650cfb
ICACLS C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17556_none_b923808583650cfb\*.*
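The four CBS.log records quoted above all end in the same reason, "file cannot be checked", and it is that trailing phrase, not the "Cannot repair" prefix, that distinguishes a file SFC could not read from one whose hash did not match. The following Python script is an added example and not code from the thread: it pulls every "[SR] Cannot repair member file" record out of a CBS.log, groups them by reason, and lists the files whose permissions should be inspected first. The first four sample records are the ones quoted in the thread; the "slc.dll" record (with a made-up component name) and the "Verify complete" line are constructed to show a second reason and a non-matching line.

```python
import re
from collections import Counter

# Matches the "[SR] Cannot repair member file" records SFC writes to CBS.log.
# In a real log "Info" and "CSI" are padded with several spaces, hence \s+.
# The phrase after "in the store," is the reason: "file cannot be checked"
# means SFC could not even read/hash the file (in this thread, a stripped ACL),
# while "hash mismatch" or "file is missing" points at real corruption or loss.
SR_CANNOT_REPAIR = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), Info\s+CSI\s+(?P<seq>[0-9a-f]+)\s+'
    r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" '
    r'of (?P<component>[^,]+), Version = (?P<version>[\d.]+).*?'
    r'in the store, (?P<reason>.+?)\s*$'
)

# Records 1-4 are the lines quoted in the thread. The slc.dll record is constructed
# (its component name "Example-Component-Name" is a placeholder, not a real component)
# and the final line is a constructed non-matching record.
SAMPLE_CBS_LOG = """\
2012-09-27 11:56:17, Info CSI 00000038 [SR] Cannot repair member file [l:30{15}]"winload.exe.mui" of Microsoft-Windows-BootEnvironment-OS-Loader.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2012-09-27 11:56:17, Info CSI 00000039 [SR] Cannot repair member file [l:34{17}]"winresume.exe.mui" of Microsoft-Windows-BootEnvironment-OS-Loader.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2012-09-27 11:56:18, Info CSI 0000003a [SR] Cannot repair member file [l:22{11}]"winload.exe" of Microsoft-Windows-BootEnvironment-OS-Loader, Version = 6.1.7601.17556, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2012-09-27 11:56:18, Info CSI 0000003b [SR] Cannot repair member file [l:26{13}]"winresume.exe" of Microsoft-Windows-BootEnvironment-OS-Loader, Version = 6.1.7601.17556, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked
2012-09-27 11:56:19, Info CSI 0000003c [SR] Cannot repair member file [l:14{7}]"slc.dll" of Example-Component-Name, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-09-27 11:56:20, Info CSI 0000003d [SR] Verify complete
"""


def parse_sr_failures(log_text):
    """Return one dict (ts, seq, file, component, version, reason) per unrepairable file, in log order."""
    failures = []
    for line in log_text.splitlines():
        m = SR_CANNOT_REPAIR.match(line.strip())
        if m:
            failures.append(m.groupdict())
    return failures


def summarize_by_reason(failures):
    """Count records per reason so the overall pattern is visible at a glance."""
    return dict(Counter(f["reason"] for f in failures))


def files_to_acl_check(failures):
    """Files SFC could not read at all: check ownership/ACLs on these before assuming corruption."""
    return sorted({f["file"] for f in failures if f["reason"] == "file cannot be checked"})


if __name__ == "__main__":
    found = parse_sr_failures(SAMPLE_CBS_LOG)
    for f in found:
        print(f"{f['ts']}  {f['file']:<20} {f['version']:<16} {f['reason']}")
    print("by reason:", summarize_by_reason(found))
    print("check ACLs on:", files_to_acl_check(found))
```

Point it at a real log with `parse_sr_failures(open(r"C:\Windows\Logs\CBS\CBS.log", encoding="utf-8", errors="replace").read())`; the regex deliberately ignores every other CBS.log line, so the output stays short even on a large log.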
Okay. So what's the next step?
Thank you so much for your help so far, by the way.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>DIR C:\Windows\winload.exe /S
Volume in drive C has no label.
Volume Serial Number is D0E7-0594
Directory of C:\Windows\System32
07/12/2011 09:20 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Directory of C:\Windows\System32\Boot
07/12/2011 09:20 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Directory of C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a
11/20/2010 11:24 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Directory of C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17556_none_c7355d7da388cacc
07/12/2011 09:20 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Directory of C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.21655_none_c7bdf9febca7513f
07/12/2011 09:20 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Directory of C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89
11/20/2010 11:24 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Directory of C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17556_none_b923808583650cfb
07/12/2011 09:20 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Directory of C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.21655_none_b9ac1d069c83936e
07/12/2011 09:20 PM 605,552 winload.exe
1 File(s) 605,552 bytes
Total Files Listed:
8 File(s) 4,844,416 bytes
0 Dir(s) 524,480,593,920 bytes free
C:\Windows\system32>ICACLS C:\Windows\System32\winload.exe
C:\Windows\System32\winload.exe Panda-VAIO\Panda:(F)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>ICACLS C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17556_none_b923808583650cfb
C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17556_none_b923808583650cfb NT SERVICE\TrustedInstaller:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(RX)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(RX)
    BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>ICACLS C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17556_none_b923808583650cfb\*.*
Interesting!
Your Panda account is the only thing with permissions on the file.
C:\Windows\system32>ICACLS C:\Windows\System32\winload.exe
C:\Windows\System32\winload.exe Panda-VAIO\Panda:(F)
We need to correct this.
Please run the following commands in an Elevated Command Prompt window
post the results, then reboot and run another MGADiag report.

Takeown /F C:\Windows\System32\winload.exe /A
ICACLS C:\Windows\System32\winload.exe /grant Administrators:(F)
ICACLS C:\Windows\System32\winload.exe /grant Users:(RX)
ICACLS C:\Windows\System32\winload.exe /grant "NT SERVICE\TrustedInstaller":(F)
ICACLS C:\Windows\System32\winload.exe /grant SYSTEM:(RX)
Then try running another SFC /SCANNOW, and post the new CBS.log file
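The diagnosis in this thread came from reading one ICACLS line by eye: a System32 binary whose only ACE is a user account with Full control, where TrustedInstaller, Administrators, SYSTEM and Users should be. The Python script below is an added example, not code from the thread: it parses the text ICACLS prints for one file, compares it with a baseline built from the grants in the helper's repair commands above, and emits the Takeown/ICACLS sequence for whatever is missing. The broken sample is the winload.exe output quoted in the thread; the healthy sample is constructed to match the baseline. The `icacls /remove` step for principals the baseline does not list is an addition of this example and was not part of the thread's fix; the script assumes the file path contains no spaces.

```python
import re

# Baseline: the grants the helper applied to winload.exe in this thread.
# Only the permission token (F, RX, ...) is compared; inheritance flags
# such as (I), (OI), (CI) are stripped before comparing.
EXPECTED_SYSTEM32_ACL = {
    "NT SERVICE\\TrustedInstaller": "F",
    "BUILTIN\\Administrators": "F",
    "NT AUTHORITY\\SYSTEM": "RX",
    "BUILTIN\\Users": "RX",
}

# One ACE as icacls prints it: "<principal>:(flag)(flag)...(perm)"
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# Taken from the thread: the only ACE on winload.exe belongs to the user's own account.
BROKEN_ICACLS_OUTPUT = r"""C:\Windows\System32\winload.exe Panda-VAIO\Panda:(F)
Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: what the same command prints once the baseline grants are in place.
HEALTHY_ICACLS_OUTPUT = r"""C:\Windows\System32\winload.exe NT SERVICE\TrustedInstaller:(F)
                                BUILTIN\Administrators:(F)
                                NT AUTHORITY\SYSTEM:(RX)
                                BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output):
    """Parse icacls output for a single file into (path, {principal: perm})."""
    path, aces = None, {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if path is None:
            # First line is "<path> <first ACE>"; assumes the path has no spaces.
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if m:
            flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
            perms = [f for f in flags if f not in INHERITANCE_FLAGS]
            aces[m.group("principal")] = ",".join(perms)
    return path, aces


def audit_acl(aces, expected=EXPECTED_SYSTEM32_ACL):
    """Compare a parsed ACL with the baseline: (missing or wrong grants, unexpected principals)."""
    missing = {p: perm for p, perm in expected.items() if aces.get(p) != perm}
    unexpected = {p: perm for p, perm in aces.items() if p not in expected}
    return missing, unexpected


def repair_commands(path, missing, unexpected):
    """Build the Takeown/ICACLS sequence used in the thread for the missing grants,
    plus an icacls /remove for each principal the baseline does not list."""
    cmds = []
    if missing:
        # Take ownership for the Administrators group first, as the thread did,
        # so that the DACL of a file owned by another account can be edited.
        cmds.append(f"takeown /F {path} /A")
        cmds += [f'icacls {path} /grant "{p}":({perm})' for p, perm in missing.items()]
    cmds += [f'icacls {path} /remove "{p}"' for p in unexpected]
    return cmds


if __name__ == "__main__":
    for sample in (BROKEN_ICACLS_OUTPUT, HEALTHY_ICACLS_OUTPUT):
        path, aces = parse_icacls(sample)
        missing, unexpected = audit_acl(aces)
        print(path, "OK" if not (missing or unexpected) else "DRIFT")
        for cmd in repair_commands(path, missing, unexpected):
            print("   ", cmd)
```

Review the printed commands before running any of them from an elevated prompt; the script only reads ICACLS output and never changes an ACL itself, which keeps the "look first, then fix" order the thread followed.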