I do disable my Internet Explorer through the registry, if I'm not mistaken. A few minutes of googling will let you know how.
Maybe that's why the three IE files are there?
I think the first step is to stop the attempt to replace the files at every boot, which appears to be happening here...
This is the command to run when booted offline at a recovery command prompt
Reboot the computer, and tap the F8 key until you get the advanced boot menu up - one option should be 'Repair your computer'. Pick that one.
Log into your normal account.
You'll get a set of options - pick the Command Prompt one.
run the following command:
dism.exe /image:C:\ /cleanup-image /revertpendingactions
This is supposed to revert all pending updates (note - you may need to change the drive letter to get it to work!)
once complete, boot back to normal mode Windows.
From the look of the windowsupdate.log file, it seems that
1) you have Windows Update turned off completely
2) your system is being restored at every boot.
It's the second one that worries me - as it probably indicates fairly massive corruption.
Let's have a look at the event logs...
Open Event Viewer
click on the Windows logs entry in the left pane to expand it.
Now click on the Application entry - wait while it loads.
Click on 'File' in the menu bar and select Save...
Save the file as Appevt.evtx
Repeat for the System log
then zip both, and upload them.
Yeah, I did turn off Windows Update completely.
I haven't done the recovery command prompt thing yet because I'm not sure what you mean by changing my drive letter.
Is it changing the letter C in the command?
Or is it changing my drive letter C after executing the command and booting normally? If so, does that mean from that point forward my system drive will permanently no longer be letter C?
Thanks for your help; here are the evtx files, app and system.
Hmm - you never mentioned that you are in fact also getting a non-genuine notification? (or, at least, you should be!)
Please post an MGADiag report...
I need to see a full copy of the report produced by the MGADiag tool
(download and save to desktop - http://go.microsoft.com/fwlink/?linkid=52012 )
Once saved, run the tool.
Click on the Continue button, which will produce the report.
To copy the report to your response, click on the Copy button in the tool (ignore any error messages at this point), and then paste (using either r-click/Paste, or Ctrl+V) into your response.
Please also state the Version and Edition of Windows quoted on your COA sticker (if you have one) on the case of your machine (or inside the battery compartment), but do NOT quote the Key on the sticker!
How to tell - Hardware
First, I'm sorry. To be honest with you, I have been trying to avoid saying this because I am afraid you or other people will refuse to help me. I am really sorry for this.
I need you to understand that I live in a country where 90% or more of the computers here use that kind of Windows OS, well, you know. It's basically not because we like something like this, but the economy is hard on most of the people here.
I don't think I have that sticker, but I'm using Windows 7 Ultimate 64-bit.
Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-GJY49-VJBQ7-HYRR2
Windows Product Key Hash: W5/6nm6F2UPXrCkY5xUhXb/+21g=
Windows Product ID: 00426-OEM-8992662-00006
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HYRR2</PKey><PID>00426-OEM-8992662-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1459575376-3320744764-2411850529</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>Aspire E1-451G</Model></SYSTEM><BIOS><Manufacturer>Insyde Corp.</Manufacturer><Version>V2.14</Version><SMBIOSVersion major="2" minor="7"/><Date>20130422000000.000000+000</Date></BIOS><HWID>DC363407018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>SE Asia Standard Time(GMT+07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00178-926-600006-02-1033-7600.0000-2172013
Installation ID: 019384288016670160413061073025573851729156598441037160
Processor Certificate URL: SpcService Web Service
Machine Certificate URL: RacService Web Service
Use License URL: UseLicenseService Web Service
Product Key Certificate URL: PkcService Web Service
Partial Product Key: HYRR2
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 9/10/2015 6:47:54 AM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: OgAAAAEAAQABAAIAAQACAAAABgABAAEA6GGGSTUyngeKhrxljteN74qbIu4sdA6gcL7y3xqWBgiw3g==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC ACRSYS ACRPRDCT
FACP ACRSYS ACRPRDCT
HPET ACRSYS ACRPRDCT
BOOT ACRSYS ACRPRDCT
MCFG ACRSYS ACRPRDCT
WDAT ACRSYS ACRPRDCT
UEFI ACRSYS ACRPRDCT
ASF! ACRSYS ACRPRDCT
WDRT ACRSYS ACRPRDCT
FPDT ACRSYS ACRPRDCT
SSDT ACRSYS ACRPRDCT
SSDT ACRSYS ACRPRDCT
The install shows signs of having been hacked using RemoveWAT.
Best way to fix it now (since we don't know which version of RemoveWAT was used) is to run WATFix....
Download WATFix - make sure that you UNTICK the box for the 'download manager', and click on the link on the left of the page, not the big shiny button on the right (which is an ad for the download manager!!) - and use that - extract the .exe file, run it, then reboot.
Post back with another MGADiag report, and we'll then see what we can do.
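The "signs" NoelDP is reading are all in the File Scan and Windows Activation Technologies sections of the report posted above: the four files under system32\wat fail with 0x80070003 (ERROR_PATH_NOT_FOUND, i.e. the WAT components are gone), user32.dll and systemcpl.dll fail with 0x800b0100 (TRUST_E_NOSIGNATURE, the files no longer carry a valid signature), the WAT ActiveX and Admin Service are not registered (0x80040154), and an OEM SLP licence is reported on a BIOS with no SLIC table. The script below is an added example, not MGADiag's own code nor anything from WATFix or RemoveWAT; it parses a constructed excerpt copied from the thread's report and flags exactly those indicators. The HRESULT meanings are the documented Windows ones; the verdict is "the indicators NoelDP cites are present", not proof of which tool caused them.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample: indicator lines copied from the MGADiag report posted in this thread.
SAMPLE_REPORT = r"""Windows License Type: OEM SLP
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
Windows Activation Technologies-->
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
"""

# Documented Windows HRESULT values that appear in the report.
HRESULT_MEANING = {
    "0x80070003": "ERROR_PATH_NOT_FOUND (file is missing)",
    "0x800b0100": "TRUST_E_NOSIGNATURE (no valid Authenticode signature)",
    "0x80040154": "REGDB_E_CLASSNOTREG (COM class not registered)",
}

# MGADiag prints two layouts: "path[Hr = 0x...]" and "path[version], Hr = 0x..."
MISMATCH_RE = re.compile(
    r"^File Mismatch: (?P<path>.+?)\[(?P<bracket>[^\]]*)\](?:, Hr = (?P<hr>0x[0-9A-Fa-f]{8}))?\s*$",
    re.M,
)
OA20_RE = re.compile(r"^BIOS valid for OA 2\.0: (?P<value>.+)$", re.M)
LICENSE_TYPE_RE = re.compile(r"^Windows License Type: (?P<value>.+)$", re.M)
NOT_REGISTERED_RE = re.compile(r"^(ActiveX|Admin Service): Not Registered", re.M)


def parse_mismatches(report: str) -> List[Dict[str, Optional[str]]]:
    """Extract every 'File Mismatch' line as {path, version, hr} (hr lower-cased)."""
    out = []
    for m in MISMATCH_RE.finditer(report):
        bracket = m.group("bracket")
        if bracket.startswith("Hr = "):
            version, hr = None, bracket[len("Hr = "):]
        else:
            version, hr = bracket, m.group("hr")
        out.append({"path": m.group("path"), "version": version,
                    "hr": hr.lower() if hr else None})
    return out


def assess(report: str) -> Dict[str, object]:
    """Flag the indicators NoelDP reads as WAT tampering in the report text."""
    missing_wat, unsigned = [], []
    for item in parse_mismatches(report):
        name = ntpath.basename(item["path"])          # Windows path, so not os.path
        in_wat_dir = "\\wat\\" in item["path"].lower()
        if item["hr"] == "0x80070003" and in_wat_dir:
            missing_wat.append(name)
        elif item["hr"] == "0x800b0100":
            unsigned.append(name)
    lic = LICENSE_TYPE_RE.search(report)
    oa = OA20_RE.search(report)
    oem_slp = bool(lic and lic.group("value").strip() == "OEM SLP")
    no_slic = bool(oa and "no slic table" in oa.group("value").lower())
    return {
        "missing_wat_files": missing_wat,
        "unsigned_system_files": unsigned,
        # both the WAT ActiveX control and the WAT admin service are unregistered
        "wat_not_registered": len(set(NOT_REGISTERED_RE.findall(report))) == 2,
        # an OEM SLP key is normally activated against a SLIC table in the BIOS
        "oem_slp_without_slic": oem_slp and no_slic,
    }


def summarize(findings: Dict[str, object]) -> List[str]:
    """Turn the findings into the one-line observations a helper would post back."""
    notes = []
    if findings["missing_wat_files"]:
        notes.append("WAT component files absent, %s: %s" % (
            HRESULT_MEANING["0x80070003"], ", ".join(findings["missing_wat_files"])))
    if findings["unsigned_system_files"]:
        notes.append("System files failing signature check, %s: %s" % (
            HRESULT_MEANING["0x800b0100"], ", ".join(findings["unsigned_system_files"])))
    if findings["wat_not_registered"]:
        notes.append("WAT ActiveX and Admin Service not registered, %s" % HRESULT_MEANING["0x80040154"])
    if findings["oem_slp_without_slic"]:
        notes.append("OEM SLP licence reported but the BIOS has no SLIC table")
    return notes


if __name__ == "__main__":
    for line in summarize(assess(SAMPLE_REPORT)):
        print("-", line)
```

Paste a full report into SAMPLE_REPORT (or read it from a file) and the same four checks apply; on a clean machine all four lists and flags come back empty or False. The unsigned user32.dll and systemcpl.dll are the part worth acting on first, since they are the files WATFix is meant to put back and they are also what a replacement attempt at every boot would be touching.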
From searching using google.com, this is what comes up on top:
ww*.windows7activator.org/wat-fix.html
There is no box for a download manager like you mentioned.
I tried to download it from the text link in the article, but my Avast AV blocks it. Is it a false positive?
Okay, so I disabled my AV and downloaded it anyway, but then it's kind of weird: it's a rar inside of a rar; I had to extract it twice to get the exe, and I tried executing it with my internet off, but then I got an error that basically tells me I need an internet connection. I don't want to take the risk. So please tell me, is it the real thing, and do I need an internet connection to use it?
Last edited by SolidLove; 10 Sep 2015 at 02:40.
Sorry - the link got lost (so you may not have the proper file)... Download WAT Fix.zip
If the file being downloaded is named 'WAT Fix.zip' then yes, it's a false-positive.
The extracted .exe file should have an MD5 hash of C478EDED04A9991CC55A34AE81037518
Last edited by NoelDP; 10 Sep 2015 at 02:32. Reason: add Hash value
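NoelDP's hash is the right check to make before running anything fetched from a site that a search engine and an AV vendor both treat with suspicion: compute the digest of the extracted file and compare it with the value the helper posted, and discard the file on a mismatch (which is what SolidLove did). The script below is an added example, not part of the thread or of WATFix; the expected MD5 is the one quoted in the post above, and the demo hashes the constructed bytes b"abc" rather than a real download so it runs offline.

```python
import hashlib
import hmac
import io
import sys
from typing import BinaryIO, Dict, Optional

# MD5 quoted by NoelDP in the post above for the extracted WATFix .exe.
EXPECTED_MD5_FROM_THREAD = "C478EDED04A9991CC55A34AE81037518"


def digest_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a binary stream in chunks; returns lowercase hex MD5 and SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """Same digests for in-memory data (used by the offline demo)."""
    return digest_stream(io.BytesIO(data))


def file_digests(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return digest_stream(fh)


def matches_expected(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison; forum posts often quote uppercase hex."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_download(path: str, expected_md5: str,
                    expected_sha256: Optional[str] = None) -> Dict[str, object]:
    """Decide whether a downloaded file is the one the helper meant.

    MD5 is collision-prone, so when the publisher also gives a SHA-256, require both.
    A match only shows you have the same file the poster had; it says nothing about
    whether that file is safe.
    """
    d = file_digests(path)
    ok = matches_expected(d["md5"], expected_md5)
    if expected_sha256 is not None:
        ok = ok and matches_expected(d["sha256"], expected_sha256)
    return {"ok": ok, **d}


def demo_check() -> bool:
    """Constructed stand-in for a download: b'abc', whose MD5 is 900150983cd24fb0d6963f7d28e17f72."""
    good = digests_of_bytes(b"abc")
    return (matches_expected(good["md5"], "900150983CD24FB0D6963F7D28E17F72")
            and not matches_expected(good["md5"], EXPECTED_MD5_FROM_THREAD))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # usage: python check_hash.py "WAT Fix.exe"
        print(verify_download(sys.argv[1], EXPECTED_MD5_FROM_THREAD))
    else:
        print("demo ok:", demo_check())
```

Run it against the extracted .exe and act only on "ok": True. On Windows 7 without Python, the same MD5 can be had from the built-in certutil (certutil -hashfile "WAT Fix.exe" MD5); the comparison rule is the same either way, and a nested archive, an AV alert and a non-matching hash together are three independent reasons to delete the download rather than run it.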
Lucky me: the file I downloaded must be another malware, since the MD5 hash is not the same.
Ok, so I used the WAT Fix you gave me.
But it seems like I forgot to disable the AV while I ran the program; is that okay?
Should I run it once more with my AV service disabled?
Again, thanks for your help.
The program auto-restarted after it finished, so this report is from after the reboot,
but from the two reports it looks like only the ID and trusted time are different.
Here is the MGADiag report:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-GJY49-VJBQ7-HYRR2
Windows Product Key Hash: W5/6nm6F2UPXrCkY5xUhXb/+21g=
Windows Product ID: 00426-OEM-8992662-00006
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.110408-1631
TTS Error:
Validation Diagnostic:
Resolution Status: N/A
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002
OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{598CDBE5-ADE3-40FB-BBFE-EF100DBBBAF1}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HYRR2</PKey><PID>00426-OEM-8992662-00006</PID><PIDType>2</PIDType><SID>S-1-5-21-1459575376-3320744764-2411850529</SID><SYSTEM><Manufacturer>Acer</Manufacturer><Model>Aspire E1-451G</Model></SYSTEM><BIOS><Manufacturer>Insyde Corp.</Manufacturer><Version>V2.14</Version><SMBIOSVersion major="2" minor="7"/><Date>20130422000000.000000+000</Date></BIOS><HWID>DC363407018400F2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>SE Asia Standard Time(GMT+07:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
Spsys.log Content: 0x80070002
Licensing Data-->
Software licensing service version: 6.1.7601.17514
Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00178-926-600006-02-1033-7600.0000-2172013
Installation ID: 019384288016670160413061073025573851729156598441037160
Processor Certificate URL: SpcService Web Service
Machine Certificate URL: RacService Web Service
Use License URL: UseLicenseService Web Service
Product Key Certificate URL: PkcService Web Service
Partial Product Key: HYRR2
License Status: Licensed
Remaining Windows rearm count: 4
Trusted time: 9/10/2015 4:10:51 PM
Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
HealthStatus Bitmask Output:
HWID Data-->
HWID Hash Current: OgAAAAEAAQABAAIAAQACAAAABgABAAEA6GGGSTUyngeKhrxljteN74qbIu4sdA6gcL7y3xqWBgiw3g==
OEM Activation 1.0 Data-->
N/A
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC ACRSYS ACRPRDCT
FACP ACRSYS ACRPRDCT
HPET ACRSYS ACRPRDCT
BOOT ACRSYS ACRPRDCT
MCFG ACRSYS ACRPRDCT
WDAT ACRSYS ACRPRDCT
UEFI ACRSYS ACRPRDCT
ASF! ACRSYS ACRPRDCT
WDRT ACRSYS ACRPRDCT
FPDT ACRSYS ACRPRDCT
SSDT ACRSYS ACRPRDCT
SSDT ACRSYS ACRPRDCT