Windows 7 popup not genuine, error 0x8004fe22


  1. Posts : 13
    Windows 7 Home Premium 64bit
    Thread Starter
       #11

    Okay, I've uninstalled Kingsoft and run a full system scan with Avast.

    It did find some threats and moved them into the chest. Not sure how bad these viruses are; below are their names:

    JS:Includer-AWP [Trj]
    JS:ScriptXE-inf[Trj]
    Win32:Dropper-gen [Drp]
    Win32:Agent-AWWS[Trj]
    Win32:Malware-gen
    Win32:Evo-gen[Susp]
    JS:ScriptXE-inf[Trj]
    Win32:GenMaliciousA-HO[Trj]
    JS:ScriptIP-inf[Trj]




  2. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #12

    I cannot claim to be any kind of malware expert!
    What I do see there is a number of low-level threats which some AVs tend to avoid.

    Please download and install Malwarebytes Anti-Malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM Premium' at the end of the installation - and update it, then run a full scan in your main account, and quick scans in any other user accounts.

    Quarantine everything it finds.


  3. Posts : 13
    Windows 7 Home Premium 64bit
    Thread Starter
       #13

    Ah ok, thanks Noel. :)

    I have actually got Malwarebytes installed, and ran a couple of full system scans today. It did find some malware, which has been quarantined now. Not sure if it's fixed the problem, but I haven't seen the pop-up for a few hours now, which means 'progress', right? Although the pop-up does happen very randomly.


  4. Posts : 13
    Windows 7 Home Premium 64bit
    Thread Starter
       #14

    Spoke too soon, the error message has come back today right after I turned on the computer.


  5. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #15

    Hmm - I'll have to review this when I'm sober, and see what I can find.
    Please post a new set of diagnostic files.


  6. Posts : 13
    Windows 7 Home Premium 64bit
    Thread Starter
       #16

    Haha no worries.

    Please find the new MGADiag report below. Enjoy the weekend!


    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0x8004FE22
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-XD3V4-QHXT4-PQ926
    Windows Product Key Hash: vD4yA91c8xY786Blb/rnQX0zq7U=
    Windows Product ID: 00359-OEM-8703827-54272
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {10C5DBFB-4737-4FDD-BA4F-5CAEACBCCB73}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.150525-0603
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{10C5DBFB-4737-4FDD-BA4F-5CAEACBCCB73}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-PQ926</PKey><PID>00359-OEM-8703827-54272</PID><PIDType>3</PIDType><SID>S-1-5-21-306632682-3253932108-1278027814</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>4001</Version><SMBIOSVersion major="2" minor="6"/><Date>20120420000000.000000+000</Date></BIOS><HWID>4B6A3A07018400FE</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    
    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: 586bc076-c93d-429a-afe5-a69fbc644e88
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00174-038-254272-02-2052-7601.0000-1712015
    Installation ID: 019405491393123205102430545475614764092626140035191214
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: PQ926
    License Status: Licensed
    Remaining Windows rearm count: 2
    Trusted time: 27/06/2015 12:35:36
    
    Windows Activation Technologies-->
    HrOffline: 0x8004FE22
    HrOnline: N/A
    HealthStatus: 0x0002000000000000
    Event Time Stamp: 6:21:2015 17:16
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered Service: sppuinotify
    
    
    HWID Data-->
    HWID Hash Current: NAAAAAIABAABAAEAAAACAAAAAQABAAEAln0uBHcW4i1iNErd4NvqAhgZVoWygnPYMKmWYw==
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ALASKA        A M I
      FACP            ALASKA        A M I
      HPET            ALASKA        A M I
      MCFG            ALASKA        A M I
      SSDT            IdeRef        IdeTable
      SSDT            IdeRef        IdeTable
      SSDT            IdeRef        IdeTable
      BGRT            ALASKA        A M I


  7. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #17

    OK - back to first principles - let's have a look at the SPPUINOTIFY registry Key and see if there are any anomalies there...

    Open an Elevated Command Prompt, and run the following command:

    REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\sppuinotify

    Post the results.


  8. Posts : 13
    Windows 7 Home Premium 64bit
    Thread Starter
       #18

    Here are the results,

    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\sppuinotify
    
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppuinotify
        DisplayName    REG_SZ    @%SystemRoot%\system32\sppuinotify.dll,-103
        ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalService
        Description    REG_SZ    @%SystemRoot%\system32\sppuinotify.dll,-102
        ObjectName    REG_SZ    NT AUTHORITY\LocalService
        ErrorControl    REG_DWORD    0x1
        Start    REG_DWORD    0x3
        Type    REG_DWORD    0x20
        DependOnService    REG_MULTI_SZ    EventSystem
        ServiceSidType    REG_DWORD    0x1
        RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeImpersonatePrivilege
        FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000E093040001000000E09304000000000000000000
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppuinotify\Security
    
    C:\Windows\system32>


  9. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #19

    It looks to me as if you may be missing part of the key - the vital Parameters subkey.

    I've uploaded a file - jpcaa.zip - to my OneDrive at Noel's OneDrive
    Please download and save it to your desktop.

    Right-click on the saved file and select Extract all...
    Save it to the default location
    This should create a file jpcaa.reg

    Right-click on the file, and select Merge

    Accept the warnings - you should then get a 'Success' message.

    Close all windows, and reboot.

    Run another MGADiag report, and post the results.
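The check made by eye in post #19, written out as an added example (not code from the thread or from any poster): it parses pasted `REG QUERY` output, rejoins the console's 80-column wraps, and flags a svchost-hosted service key that lists no `Parameters` subkey. It assumes the usual layout for such services, where the service DLL is named under `Parameters`; the function names are hypothetical and the sample is an excerpt of the output posted in #18.

```python
import re

# Constructed sample: excerpt of the REG QUERY output posted in #18,
# with the console's 80-column line wrap left in place.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppuinotify
    DisplayName    REG_SZ    @%SystemRoot%\system32\sppuinotify.dll,-103
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServ
ice
    Start    REG_DWORD    0x3
    Type    REG_DWORD    0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppuinotify\Security
"""

# A value line is: 4 spaces, name, 4 spaces, REG_* type, 4 spaces, data.
VALUE = re.compile(r"^ {4}(\S.*?) {4}(REG_[A-Z_]+) {4}(.*)$")

def parse_reg_query(text):
    """Return (values, subkeys) for the first key in REG QUERY output."""
    root, values, subkeys, last = None, {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VALUE.match(line)
        if line.upper().startswith("HKEY_"):
            if root is None:
                root = line.strip()            # the key that was queried
            elif line.upper().startswith(root.upper() + "\\"):
                subkeys.append(line.strip()[len(root) + 1:])
            last = None
        elif m:
            last = m.group(1)
            values[last] = m.group(3)
        elif last is not None and not line.startswith(" "):
            values[last] += line               # wrapped tail of previous value
    return values, subkeys

def check_svchost_service(text):
    """Flag a svchost-hosted service key that lacks a Parameters subkey."""
    values, subkeys = parse_reg_query(text)
    hosted = "svchost.exe" in values.get("ImagePath", "").lower()
    has_params = any(s.lower() == "parameters" for s in subkeys)
    return {"svchost_hosted": hosted, "subkeys": subkeys,
            "missing_parameters": hosted and not has_params}

if __name__ == "__main__":
    print(check_svchost_service(SAMPLE))
```
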


  10. Posts : 13
    Windows 7 Home Premium 64bit
    Thread Starter
       #20

    Thank you very much, Noel.

    I did everything as instructed above, and below is the MGADiag report. I see the 'Tampered Service' line has gone!!! OMG, does this mean the problem is fixed?

    P.S. I just moved house, so the PC is not connected to the internet yet. Currently, I can only get the PC online through the hotspot from my phone. Hope this won't anyhow affect the MGADiag results.

    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-XD3V4-QHXT4-PQ926
    Windows Product Key Hash: vD4yA91c8xY786Blb/rnQX0zq7U=
    Windows Product ID: 00359-OEM-8703827-54272
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010300.1.0.003
    ID: {10C5DBFB-4737-4FDD-BA4F-5CAEACBCCB73}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Home Premium
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.150525-0603
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{10C5DBFB-4737-4FDD-BA4F-5CAEACBCCB73}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-PQ926</PKey><PID>00359-OEM-8703827-54272</PID><PIDType>3</PIDType><SID>S-1-5-21-306632682-3253932108-1278027814</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>4001</Version><SMBIOSVersion major="2" minor="6"/><Date>20120420000000.000000+000</Date></BIOS><HWID>4B6A3A07018400FE</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    
    Name: Windows(R) 7, HomePremium edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: 586bc076-c93d-429a-afe5-a69fbc644e88
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00359-00174-038-254272-02-2052-7601.0000-1712015
    Installation ID: 019405491393123205102430545475614764092626140035191214
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: PQ926
    License Status: Licensed
    Remaining Windows rearm count: 2
    Trusted time: 01/07/2015 17:24:45
    
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: 0x00000000
    HealthStatus: 0x0000000000000000
    Event Time Stamp: 6:28:2015 18:35
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    
    
    HWID Data-->
    HWID Hash Current: NgAAAAIABAABAAEAAAACAAAAAgABAAEAln0uBHcW4i1iNErd4NvqAhgZVoWygnPYMKnLSpZj
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ALASKA        A M I
      FACP            ALASKA        A M I
      HPET            ALASKA        A M I
      MCFG            ALASKA        A M I
      SSDT            IdeRef        IdeTable
      SSDT            IdeRef        IdeTable
      SSDT            IdeRef        IdeTable
      BGRT            ALASKA        A M I


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd