Malware changed slsvc.exe service file - help!

  • Question

  • I just removed a pesky bug from Vista, and now this happens:

    Diagnostic Report (1.9.0006.1):
    -----------------------------------------
    WGA Data-->
    Validation Status: Genuine
    Validation Code: 0
    Online Validation Code: 0x80070426
    Cached Validation Code: N/A, hr = 0x80070426
    Windows Product Key: *****-*****-F4GJK-KG77H-B9HD2
    Windows Product Key Hash: iJAth4TbScMi8HdcPurlASXdEkw=
    Windows Product ID: 89578-OEM-7332157-00204
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.0.6001.2.00010300.1.0.003
    ID: {1A1236E4-8CFB-4CB7-8138-3E66CC7E0705}(3)
    Is Admin: Yes
    TestCab: 0x0
    WGA Version: Registered, 1.9.9.1
    Signed By: Microsoft
    Product Name: Windows Vista (TM) Home Premium
    Architecture: 0x00000000
    Build lab: 6001.vistasp1_gdr.080917-1612
    TTS Error: K:20090305231158768-M:20090307030320615-
    Validation Diagnostic:
    Resolution Status: N/A

    WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: 6.0.6002.16398

    WGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    WGATray.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Visio Professional 2003 - 100 Genuine
    Microsoft Office Enterprise 2007 - 100 Genuine
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
    Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\Slsvc.exe[6.0.6001.18000]

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{1A1236E4-8CFB-4CB7-8138-3E66CC7E0705}</UGUID><Version>1.9.0006.1</Version><OS>6.0.6001.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-B9HD2</PKey><PID>89578-OEM-7332157-00204</PID><PIDType>2</PIDType><SID>S-1-5-21-286792259-1337539881-1614287161</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Inspiron 1720                   </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A09</Version><SMBIOSVersion major="2" minor="4"/><Date>20080711000000.000000+000</Date></BIOS><HWID>CB303507018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>Dell</name><model>Inspiron 1720</model></SBID><OEM><OEMID>DELL  </OEMID><OEMTableID>M08    </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90510409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Professional 2003</Name><Ver>11</Ver><Val>5EA9C3672EB0500</Val><Hash>GZD+9sfb5ecL3RxyV4F75a86u2M=</Hash><Pid>72085-640-0000106-55535</Pid><PidType>14</PidType></Product><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>E999B94B331586</Val><Hash>yuINa6lOS87gNYjpLkAhJwuTmlw=</Hash><Pid>89388-707-0574577-65911</Pid><PidType>14</PidType></Product></Products><Applications><App Id="51" Version="11" Result="100"/><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" 
Result="100"/></Applications></Office></Software></GenuineResults> 

    Spsys.log Content:

    Licensing Data-->
    Software Licensing service is not running.

    HWID Data-->
    HWID Hash Current: OgAAAAEABgABAAEAAQAAAAAABAABAAEA6GF003wMPIfqxnb/SEWicEaDfEJEF/L0FghaBaxWeL0qhQ==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20000
    OEMID and OEMTableID Consistent: yes
    BIOS Information:
      ACPI Table Name OEMID Value OEMTableID Value
      APIC   DELL    M08   
      FACP   DELL    M08   
      HPET   DELL    M08   
      BOOT   DELL    M08   
      MCFG   DELL    M08   
      SLIC   DELL    M08   
      SSDT   PmRef  CpuPm


    What update can I use to replace it? I have System Restore disabled because bugs were restoring themselves, and I don't know where else to get it from. I can replace it manually from Recovery Console if necessary.

    Sunday, March 8, 2009 11:58 PM

Answers

  • You may want to try to open a command prompt and use the Windows Resource Checker like this:

    sfc /scannow

    Let us know how this works.

    -Tony Mann
    Windows Client IT Pro Audience Manager for Web Forums
    • Marked as answer by Anthony_Mann Tuesday, May 12, 2009 2:19 AM
    Friday, March 20, 2009 2:06 PM
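    One way to see what the suggested sfc run actually does to the file the report flagged (an added example, not Tony's instructions or Microsoft's own tooling): it assumes an elevated PowerShell 2.0 or later on the affected Vista machine; the file path comes from the "File Mismatch" line above, and the service name slsvc and the CBS.log location are the standard Vista ones. Windows Resource Protection replaces a mismatched file from the component store (WinSxS), which is why it works even with System Restore disabled.

```powershell
# Added example: record the state of the flagged file, check the service that
# depends on it, let sfc verify and then repair that one file, and compare.
# Assumes an elevated PowerShell 2.0+ prompt on Windows Vista.
$target = 'C:\Windows\System32\slsvc.exe'   # path from the WGA report

function Get-FileState {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    # Caveat: most Windows binaries are catalog-signed, and PowerShell before
    # 5.1 reports catalog-signed files as NotSigned. Treat a change in status,
    # size or version across the repair as the signal, not NotSigned alone.
    New-Object PSObject -Property @{
        Path        = $Path
        Size        = $item.Length
        LastWrite   = $item.LastWriteTime
        FileVersion = $item.VersionInfo.FileVersion
        SigStatus   = $sig.Status    # Valid / NotSigned / HashMismatch / ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# 1. State of the file before any repair.
$before = Get-FileState $target
$before | Format-List

# 2. The report also says "Software Licensing service is not running"; a
#    service whose binary was tampered with usually cannot start, so check it.
Get-Service -Name slsvc | Format-Table Name, Status, DisplayName -AutoSize

# 3. Read-only check of just this file, then the repair from the component store.
sfc.exe /VERIFYFILE=$target
sfc.exe /SCANFILE=$target

# 4. Compare before/after and pull the matching lines from the CBS log.
$after = Get-FileState $target
Compare-Object $before $after -Property Size, LastWrite, FileVersion, SigStatus

Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern 'slsvc' |
    Select-Object -Last 20

# 5. Try the service again once the file has been restored.
Start-Service -Name slsvc
Get-Service -Name slsvc
```

    If Compare-Object prints nothing after the repair, sfc did not replace the file, and the CBS.log lines will say why (for example a corrupt store entry), which is the point at which the full sfc /scannow from the answer is the next step.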

All replies

  • Tried uninstalling SP1, but it won't uninstall, says there is an error. Tried manually uninstalling with sandbox method, still no success. I can't uninstall, and I can't reinstall SP1, and also cannot install SP2 because it says SP1 is not installed yet.
    Monday, March 9, 2009 3:42 PM
  • Tried to replace slsvc.exe with backup made from SP1, but it still errors out.
    Monday, March 9, 2009 3:44 PM
  • FireBertNinja,

    Did your issue get resolved? If we don't hear back from you, we will mark this as resolved. Thanks.
    Windows Client IT Pro Audience Manager for Web Forums, Windows Client Forum Owner
    Monday, May 11, 2009 3:16 AM