sfc /scannow always find corrupt file and repaired it after 3~


  1. Posts : 14
    windows 7 x64
    Thread Starter
       #11

    I did disable my Internet Explorer through the registry, if I'm not mistaken. A few minutes of googling will let you know how.
    Maybe that's why the three IE files are there?


  2. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #12

    I think the first step is to stop the attempt to replace the files at every boot, which appears to be happening here...

    This is the command to run when booted offline at a recovery command prompt

    Reboot the computer, and tap the F8 key until you get the advanced boot menu up - one option should be 'Repair your computer'. Pick that one.

    Log into your normal account.
    You'll get a set of options - pick the Command Prompt one.
    run the following command:

    dism.exe /image:C:\ /cleanup-image /revertpendingactions

    This is supposed to revert all pended updates. (Note - you may need to change the drive letter to get it to work!)

    Once complete, boot back to normal mode Windows.


  3. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #13

    From the look of the windowsupdate.log file, it seems that
    1) you have Windows Update turned off completely
    2) your system is being restored at every boot.

    It's the second one that worries me - as it probably indicates fairly massive corruption.

    Let's have a look at the event logs...

    Open Event Viewer
    Click on the Windows Logs entry in the left pane to expand it.
    Now click on the Application entry - wait while it loads.
    Click on 'File' in the menu bar and select Save...
    Save the file as Appevt.evtx
    Repeat for the System log,
    then zip both, and upload them.


  4. Posts : 14
    windows 7 x64
    Thread Starter
       #14

    Yeah I do turn off windows update completely.

    I haven't done the recovery command prompt thing yet because I'm not sure what you mean by changing my drive letter.
    Is it changing the letter C in the command?
    Is it changing my drive letter C after executing the command and booting normally? If so, is it permanent, and from that point forward my system drive would not be letter C again?

    Thanks for your help. Here are the evtx files, app and system.


  5. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #15

    Hmm - you never mentioned that you are in fact also getting a non-genuine notification? (or, at least, you should be!)

    Please post an MGADiag report...

    I need to see a full copy of the report produced by the MGADiag tool
    (download and save to desktop - http://go.microsoft.com/fwlink/?linkid=52012 )
    Once saved, run the tool.
    Click on the Continue button, which will produce the report.
    To copy the report to your response, click on the Copy button in the tool (ignore any error messages at this point), and then paste (using either r-click/Paste, or Ctrl+V) into your response.

    Please also state the Version and Edition of Windows quoted on your COA sticker (if you have one) on the case of your machine (or inside the battery compartment), but do NOT quote the Key on the sticker!
    How to tell - Hardware


  6. Posts : 14
    windows 7 x64
    Thread Starter
       #16

    First, I'm sorry. To be honest with you, I have been trying to avoid saying this because I am afraid you or people will refuse to help me. I am really sorry for this.
    I need you to understand that I live in a country where 90% or more of the computers here are using that kind of Windows OS, well, you know. It's basically not because we like something like this, but the economy is hard on most of the people here.
    I don't think I have that sticker, but I'm using Windows 7 Ultimate 64-bit.


    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-GJY49-VJBQ7-HYRR2
    Windows Product Key Hash: W5/6nm6F2UPXrCkY5xUhXb/+21g=
    Windows Product ID: 00426-OEM-8992662-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110408-1631
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HYRR2</PKey><PID>00426-OEM-8992662-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1459575376-3320744764-2411850529</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>Aspire E1-451G</Model></SYSTEM><BIOS><Manufacturer>Insyde Corp.</Manufacturer><Version>V2.14</Version><SMBIOSVersion major="2" minor="7"/><Date>20130422000000.000000+000</Date></BIOS><HWID>DC363407018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>SE Asia Standard Time(GMT+07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    
    Name: Windows(R) 7, Ultimate edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00178-926-600006-02-1033-7600.0000-2172013
    Installation ID: 019384288016670160413061073025573851729156598441037160
    Processor Certificate URL: SpcService Web Service
    Machine Certificate URL: RacService Web Service
    Use License URL: UseLicenseService Web Service
    Product Key Certificate URL: PkcService Web Service
    Partial Product Key: HYRR2
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 9/10/2015 6:47:54 AM
    
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:
    
    
    HWID Data-->
    HWID Hash Current: OgAAAAEAAQABAAIAAQACAAAABgABAAEA6GGGSTUyngeKhrxljteN74qbIu4sdA6gcL7y3xqWBgiw3g==
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ACRSYS        ACRPRDCT
      FACP            ACRSYS        ACRPRDCT
      HPET            ACRSYS        ACRPRDCT
      BOOT            ACRSYS        ACRPRDCT
      MCFG            ACRSYS        ACRPRDCT
      WDAT            ACRSYS        ACRPRDCT
      UEFI            ACRSYS        ACRPRDCT
      ASF!            ACRSYS        ACRPRDCT
      WDRT            ACRSYS        ACRPRDCT
      FPDT            ACRSYS        ACRPRDCT
      SSDT            ACRSYS        ACRPRDCT
      SSDT            ACRSYS        ACRPRDCT


  7. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #17

    The install shows signs of having been hacked using RemoveWAT.

    Best way to fix it now (since we don't know which version of RemoveWAT was used) is to run WATFix....

    Download WATFix - make sure that you UNTICK the box for the 'download manager', and click on the link on the left of the page, not the big shiny button on the right (which is an ad for the download manager!!) - and use that - extract the .exe file, and run it, then reboot.

    Post back with another MGADiag report, and we'll then see what we can do.
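The File Scan Data lines in the report posted in #16 can be decoded mechanically. This is an added example, not part of the thread and not MGADiag's own code: the function name `triage`, the grouping into buckets and the HRESULT name table are this example's assumptions (the codes are standard Windows values), and it does not claim to reproduce how the helper reached the conclusion in #17.

```python
import re

# Standard Windows HRESULT values (general knowledge, not stated in the thread).
HRESULTS = {
    0x80070002: "ERROR_FILE_NOT_FOUND",
    0x80070003: "ERROR_PATH_NOT_FOUND",
    0x800B0100: "TRUST_E_NOSIGNATURE",
}

# The report uses two layouts for a mismatch:
#   File Mismatch: <path>[Hr = 0x...]             file could not be opened
#   File Mismatch: <path>[<version>], Hr = 0x...  file opened, check failed
MISMATCH = re.compile(
    r"File Mismatch:\s*(?P<path>[^\[]+)\["
    r"(?:(?P<ver>[\d.]+)\],\s*)?Hr = (?P<hr>0x[0-9A-Fa-f]{8})"
)


def triage(report):
    """Group File Mismatch entries by what their HRESULT says about the file."""
    findings = {"missing": [], "signature_failed": [], "other": []}
    for line in report.splitlines():
        m = MISMATCH.search(line)
        if m is None:
            continue
        code = int(m["hr"], 16)
        entry = (m["path"].strip(), m["ver"], HRESULTS.get(code, m["hr"]))
        if code in (0x80070002, 0x80070003):
            findings["missing"].append(entry)           # file or folder absent
        elif code == 0x800B0100:
            findings["signature_failed"].append(entry)  # no valid signature found
        else:
            findings["other"].append(entry)             # unknown code, kept as hex
    return findings


# Excerpt copied from the MGADiag report posted in this thread.
SAMPLE = r"""
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
"""

if __name__ == "__main__":
    for group, entries in triage(SAMPLE).items():
        for path, version, meaning in entries:
            print(f"{group:17} {meaning:21} {path} {version or ''}")
```

On this excerpt the four files under `system32\wat` land in the missing bucket and the two system DLLs in the signature bucket, which is the part of the report worth comparing before and after any repair attempt.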


  8. Posts : 14
    windows 7 x64
    Thread Starter
       #18

    From searching on google.com, this is what comes up at the top:
    ww*.windows7activator.org/wat-fix.html

    There is no box for a download manager like you mentioned.
    I tried to download it from the text link in the article, but my Avast AV blocked it. Is it a false positive?

    Okay, so I disabled my AV and downloaded it anyway, but then it's kind of weird: it's a rar inside of a rar, so I had to extract it 2 times to get the exe. I tried executing it with my internet off, but then I got an error that basically tells me I need an internet connection. I don't want to take the risk. So please tell me, is it the real thing, and do I need an internet connection to use it?
    Last edited by SolidLove; 10 Sep 2015 at 02:40.


  9. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #19

    Sorry - the link got lost (so you may not have the proper file)... Download WAT Fix.zip
    If the file being downloaded is named 'WAT Fix.zip' then yes, it's a false-positive.

    The extracted .exe file should have an MD5 hash of C478EDED04A9991CC55A34AE81037518
    Last edited by NoelDP; 10 Sep 2015 at 02:32. Reason: add Hash value


  10. Posts : 14
    windows 7 x64
    Thread Starter
       #20

    Lucky me, the file I downloaded must be another malware; the MD5 hash is not the same.

    OK, so I used the WAT fix you gave me.
    But it seems I forgot to disable my AV while I ran the program. Is that okay?
    Should I run it once more with my AV service disabled?
    Again, thanks for your help.

    The program auto-restarted after it finished, so this report is from after the reboot.
    But from the 2 reports, it looks like only the ID and trusted time are different.

    Here is the MGADiag report:

    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->

    Validation Code: 0
    Cached Online Validation Code: N/A, hr = 0xc004f012
    Windows Product Key: *****-*****-GJY49-VJBQ7-HYRR2
    Windows Product Key Hash: W5/6nm6F2UPXrCkY5xUhXb/+21g=
    Windows Product ID: 00426-OEM-8992662-00006
    Windows Product ID Type: 2
    Windows License Type: OEM SLP
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.110408-1631
    TTS Error:
    Validation Diagnostic:
    Resolution Status: N/A

    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002

    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002

    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002

    OGA Data-->
    Office Status: 109 N/A
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed

    File Scan Data-->
    File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HYRR2</PKey><PID>00426-OEM-8992662-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1459575376-3320744764-2411850529</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>Aspire E1-451G</Model></SYSTEM><BIOS><Manufacturer>Insyde Corp.</Manufacturer><Version>V2.14</Version><SMBIOSVersion major="2" minor="7"/><Date>20130422000000.000000+000</Date></BIOS><HWID>DC363407018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>SE Asia Standard Time(GMT+07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

    Spsys.log Content: 0x80070002

    Licensing Data-->
    Software licensing service version: 6.1.7601.17514

    Name: Windows(R) 7, Ultimate edition
    Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
    Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00178-926-600006-02-1033-7600.0000-2172013
    Installation ID: 019384288016670160413061073025573851729156598441037160
    Processor Certificate URL: SpcService Web Service
    Machine Certificate URL: RacService Web Service
    Use License URL: UseLicenseService Web Service
    Product Key Certificate URL: PkcService Web Service
    Partial Product Key: HYRR2
    License Status: Licensed
    Remaining Windows rearm count: 4
    Trusted time: 9/10/2015 4:10:51 PM

    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Not Registered - 0x80040154
    Admin Service: Not Registered - 0x80040154
    HealthStatus Bitmask Output:


    HWID Data-->
    HWID Hash Current: OgAAAAEAAQABAAIAAQACAAAABgABAAEA6GGGSTUyngeKhrxljteN74qbIu4sdA6gcL7y3xqWBgiw3g==

    OEM Activation 1.0 Data-->
    N/A

    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information:
      ACPI Table Name    OEMID Value    OEMTableID Value
      APIC            ACRSYS        ACRPRDCT
      FACP            ACRSYS        ACRPRDCT
      HPET            ACRSYS        ACRPRDCT
      BOOT            ACRSYS        ACRPRDCT
      MCFG            ACRSYS        ACRPRDCT
      WDAT            ACRSYS        ACRPRDCT
      UEFI            ACRSYS        ACRPRDCT
      ASF!            ACRSYS        ACRPRDCT
      WDRT            ACRSYS        ACRPRDCT
      FPDT            ACRSYS        ACRPRDCT
      SSDT            ACRSYS        ACRPRDCT
      SSDT            ACRSYS        ACRPRDCT


 