That's clear - so we're left with the 'tamper' that MGADiag sees.
Just to make certain, please run another MGADiag report, and post the results.
Here's a new MGADiag.
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0x8004FE22
Cached Online Validation Code: N/A, hr = 0x80070005
Windows Product Key: *****-*****-VQQKT-QGGGP-RQ62D
Windows Product Key Hash: B1oWRG44kq4hE5pxicwjPOx3L+M=
Windows Product ID: 00426-437-6655695-85858
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7600.2.00010100.0.0.001
ID: {80409215-9A94-4664-BBCA-49BFB01EB123}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7600.win7_gdr.120830-0334
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{80409215-9A94-4664-BBCA-49BFB01EB123}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7600.2.00010100.0.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-RQ62D</PKey><PID>00426-437-6655695-85858</PID><PIDType>5</PIDType><SID>S-1-5-21-3463364969-3535792361-3485682137</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>GA-970A-UD3</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>F6</Version><SMBIOSVersion major="2" minor="4"/><Date>20120530000000.000000+000</Date></BIOS><HWID>9BB83607018400FC</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x46' to display the error text.
Error: 0x46

Windows Activation Technologies-->
HrOffline: 0x8004FE22
HrOnline: N/A
HealthStatus: 0x0000000000004000
Event Time Stamp: 11:19:2012 08:01
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui

HWID Data-->
HWID Hash Current: NgAAAAIABAABAAEAAAACAAAAAgABAAEAln0go3cW/IgQM9zf3BVU8gbDDDdiPc6arh2v/yAh

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name    OEMID Value    OEMTableID Value
APIC               GBT            GBTUACPI
FACP               GBT            GBTUACPI
HPET               GBT            GBTUACPI
MCFG               GBT            GBTUACPI
MSDM               GBT            GBTUACPI
EUDS               GBT
MATS               GBT
TAMG               GBT            GBT B0
MATS               GBT
SSDT               AMD            POWERNOW
That's an interesting result....
Please run the following commands from an Elevated Command Prompt window (1)
Copy and paste the set of commands below into the window – once completed, hit the Enter key to ensure that the last command has run (2)
REG QUERY HKU
REG QUERY HKU\S-1-5-20
REG QUERY HKU\S-1-5-20\Environment
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20"
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Copy the whole output to your response (3)
Here are some instructions to make life easier :)
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
Here's the result of Command Prompt. Also, thanks for the guide!
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG QUERY HKU
HKEY_USERS\.DEFAULT
HKEY_USERS\S-1-5-19
HKEY_USERS\S-1-5-21-3463364969-3535792361-3485682137-1000
HKEY_USERS\S-1-5-21-3463364969-3535792361-3485682137-1000_Classes
HKEY_USERS\S-1-5-18
C:\Windows\system32>REG QUERY HKU\S-1-5-20
ERROR: The system was unable to find the specified registry key or value.
C:\Windows\system32>REG QUERY HKU\S-1-5-20\Environment
ERROR: The system was unable to find the specified registry key or value.
C:\Windows\system32>REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ C:\Windows\ServiceProfiles\NetworkService
Flags REG_DWORD 0x0
State REG_DWORD 0x0
C:\Windows\system32>REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Users
Default REG_EXPAND_SZ %SystemDrive%\Users\Default
Public REG_EXPAND_SZ %SystemDrive%\Users\Public
ProgramData REG_EXPAND_SZ %SystemDrive%\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3463364969-3535792361-3485682137-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3463364969-3535792361-3485682137-500
C:\Windows\system32>
Well... That doesn't sound very good...
Anyway, thanks for the work yesterday.
The problem appears to be that your NetworkService registry hive is either corrupt or unavailable - let's have a look at a few things....
Open an Elevated Command Prompt, and run the following commands
ICACLS C:\Windows\ServiceProfiles\NetworkService
DIR C:\Windows\ServiceProfiles\NetworkService
DIR C:\Windows\ServiceProfiles\NetworkService /AH
post the results
Here's the result of Command Prompt.
(Why is it automatically changing the : ( to 'frown' emoticon? How do I change it?)
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService
C:\Windows\ServiceProfiles\NetworkService NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                          BUILTIN\Administrators:(OI)(CI)(F)
                                          NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Windows\system32>DIR C:\Windows\ServiceProfiles\NetworkService
Volume in drive C has no label.
Volume Serial Number is 3AD9-BE71
Directory of C:\Windows\ServiceProfiles\NetworkService
11/18/2012 08:54 AM <DIR> .
11/18/2012 08:54 AM <DIR> ..
07/13/2009 11:45 PM <DIR> Desktop
07/13/2009 11:45 PM <DIR> Documents
07/13/2009 11:45 PM <DIR> Downloads
07/13/2009 11:45 PM <DIR> Favorites
07/13/2009 11:45 PM <DIR> Links
07/13/2009 11:45 PM <DIR> Music
07/13/2009 11:45 PM <DIR> Pictures
07/13/2009 11:45 PM <DIR> Saved Games
07/13/2009 11:45 PM <DIR> Videos
0 File(s) 0 bytes
11 Dir(s) 53,854,347,264 bytes free
C:\Windows\system32>DIR C:\Windows\ServiceProfiles\NetworkService /AH
Volume in drive C has no label.
Volume Serial Number is 3AD9-BE71
Directory of C:\Windows\ServiceProfiles\NetworkService
07/13/2009 11:45 PM <DIR> AppData
11/19/2012 09:51 PM 262,144 NTUSER.DAT
07/14/2009 02:12 AM 1,024 NTUSER.DAT.LOG
11/19/2012 09:51 PM 226,304 NTUSER.DAT.LOG1
07/13/2009 11:45 PM 0 NTUSER.DAT.LOG2
07/14/2009 12:01 AM 65,536 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
07/14/2009 12:01 AM 524,288 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
07/14/2009 12:01 AM 524,288 NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
11/18/2012 05:29 PM 65,536 NTUSER.DAT{48a7e2a9-3187-11e2-b348-806e6f6e6963}.TM.blf
11/18/2012 05:29 PM 524,288 NTUSER.DAT{48a7e2a9-3187-11e2-b348-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
11/18/2012 05:29 PM 524,288 NTUSER.DAT{48a7e2a9-3187-11e2-b348-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
11/18/2012 08:37 AM 65,536 NTUSER.DAT{ed2b25fd-3184-11e2-8d89-806e6f6e6963}.TM.blf
11/18/2012 08:37 AM 524,288 NTUSER.DAT{ed2b25fd-3184-11e2-8d89-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
11/18/2012 08:37 AM 524,288 NTUSER.DAT{ed2b25fd-3184-11e2-8d89-806e6f6e6963}.TMContainer00000000000000000002.regtrans-ms
13 File(s) 3,831,808 bytes
1 Dir(s) 53,854,347,264 bytes free
C:\Windows\system32>
The NTUSER.DAT file appears to be 'stuck' - it should be updated at least at every boot
The question is whether that's a cause, or an effect?
Please run the following commands and post the results.
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\RpcSs
REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\hivelist
REG QUERY HKLM\SYSTEM\CurrentControlSet\services\sppsvc
Here's the result.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
DisplayName REG_SZ @oleres.dll,-5010
Group REG_SZ COM Infrastructure
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k rpcss
Description REG_SZ @oleres.dll,-5011
ObjectName REG_SZ NT AUTHORITY\NetworkService
ErrorControl REG_DWORD 0x1
Start REG_DWORD 0x2
Type REG_DWORD 0x20
DependOnService REG_MULTI_SZ RpcEptMapper\0DcomLaunch
FailureActions REG_BINARY 000000000000000000000000010000000000000002000000060EA0000
RequiredPrivileges REG_MULTI_SZ SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
ServiceSidType REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security
C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Control\hivelist
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist
\REGISTRY\MACHINE\HARDWARE REG_SZ
\REGISTRY\MACHINE\SYSTEM REG_SZ \Device\HarddiskVolume4\Windows\System32\config\SYSTEM
\REGISTRY\USER\.DEFAULT REG_SZ \Device\HarddiskVolume4\Windows\System32\config\DEFAULT
\REGISTRY\MACHINE\SAM REG_SZ \Device\HarddiskVolume4\Windows\System32\config\SAM
\REGISTRY\MACHINE\SECURITY REG_SZ \Device\HarddiskVolume4\Windows\System32\config\SECURITY
\REGISTRY\MACHINE\SOFTWARE REG_SZ \Device\HarddiskVolume4\Windows\System32\config\SOFTWARE
\REGISTRY\MACHINE\BCD00000000 REG_SZ \Device\HarddiskVolume1\Boot\BCD
\REGISTRY\USER\S-1-5-19 REG_SZ \Device\HarddiskVolume4\Windows\ServiceProfiles\LocalService\NTUSER.DAT
\Registry\User\S-1-5-21-3463364969-3535792361-3485682137-1000 REG_SZ \Device\HarddiskVolume4\Users\SKIIPA\NTUSER.DAT
\Registry\User\S-1-5-21-3463364969-3535792361-3485682137-1000_Classes REG_SZ \Device\HarddiskVolume4\Users\SKIIPA\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\services\sppsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sppsvc
DisplayName REG_SZ @%SystemRoot%\system32\sppsvc.exe,-101
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\sppsvc.exe
Description REG_SZ @%SystemRoot%\system32\sppsvc.exe,-100
ObjectName REG_SZ NT AUTHORITY\NetworkService
ErrorControl REG_DWORD 0x1
Start REG_DWORD 0x2
DelayedAutoStart REG_DWORD 0x1
Type REG_DWORD 0x10
DependOnService REG_MULTI_SZ RpcSs
ServiceSidType REG_DWORD 0x1
RequiredPrivileges REG_MULTI_SZ SeAuditPrivilege\0SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
FailureActions REG_BINARY 805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sppsvc\Security
C:\Windows\system32>
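The checks walked through above (REG QUERY HKU, ProfileList, hivelist, and the age of NTUSER.DAT) combined into one script, as an added example that is not code from the thread. It assumes an elevated PowerShell prompt (2.0 or later, so it runs on stock Windows 7) and takes the thread's statement that a loaded profile hive's NTUSER.DAT is rewritten at every boot as the basis for the "stale" check.

```powershell
# Added example, not from the thread: for every SID in ProfileList, report
# whether its hive is loaded under HKEY_USERS, whether the kernel hivelist maps
# it, and whether NTUSER.DAT has been written since the last boot.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$hiveListKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

# Get-WmiObject keeps this runnable on the PowerShell 2.0 shipped with Windows 7.
$os       = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)

# hivelist value names look like \REGISTRY\USER\S-1-5-19; the case varies
# (see the output above), so compare them upper-cased.
$mappedHives = (Get-ItemProperty $hiveListKey).PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object { $_.Name.ToUpperInvariant() }

$report = Get-ChildItem $profileListKey | ForEach-Object {
    $sid     = $_.PSChildName
    $rawPath = (Get-ItemProperty $_.PSPath).ProfileImagePath
    $path    = [Environment]::ExpandEnvironmentVariables($rawPath)
    $dat     = Join-Path $path 'NTUSER.DAT'

    $inHku    = Test-Path "Registry::HKEY_USERS\$sid"
    $inHives  = $mappedHives -contains "\REGISTRY\USER\$sid".ToUpperInvariant()
    $hasDat   = Test-Path $dat
    $datWrite = $null
    if ($hasDat) { $datWrite = (Get-Item $dat -Force).LastWriteTime }   # hidden file
    $stale    = $hasDat -and ($datWrite -lt $lastBoot)

    # Interactive users' hives are only loaded while they are logged on, so a
    # False for an ordinary account is normal. S-1-5-19 and S-1-5-20 are loaded
    # as soon as a service runs under them (RpcSs does, at boot), so a False
    # there is the finding the thread is chasing. S-1-5-18 (SYSTEM) shows up in
    # HKU as a link to .DEFAULT, so its missing hivelist entry is expected.
    New-Object PSObject -Property @{
        SID              = $sid
        ProfileImagePath = $path
        LoadedInHKU      = $inHku
        InHiveList       = $inHives
        NTUSERLastWrite  = $datWrite
        StaleSinceBoot   = $stale
        Suspect          = (-not $inHku) -or $stale
    }
}

$report |
    Select-Object SID, LoadedInHKU, InHiveList, StaleSinceBoot, Suspect, ProfileImagePath |
    Format-Table -AutoSize
```

On the machine in this thread the row for S-1-5-20 would show LoadedInHKU and InHiveList both False with NTUSER.DAT present on disk, which is the combination that points at the hive rather than at the profile folder or its permissions.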