Windows 7 Build 7601 Not Genuine - SFC Error

[Triton46]

Hi All,

I have been following directions in several threads here to fix the "Windows 7 Build 7601 This copy of Windows is not genuine" error. Background: This is a licensed copy of Windows on my 1.5 year old Asus EB1503. This just popped up within the last 2 days (noticed it today).

Problems: Normal login: Very slow, hard to type or bring up applications (services.msc, cmd.exe, etc). These can take upward of 5 min. Explorer takes a very long time to come up. Safe Mode: Everything is back to normal performance wise.

CHKDSK c:/ r - Reports disk has no issues. Comes back very fast after reboot.

SFC SCANNOW and SFC /scannow /offbootdir=e:\ /offwindir=e:\windows both fail. The former stops at 32% of verification and reports: "Windows Resource Protection could not start the repair service". The Windows Modules Installer is set to MANUAL.

Attached is my CBS.txt file. View attachment 339819

Is my disk hosed?

 

[Triton46]

I ran it again, this time starting the Windows Module Installer service as well. This time I get a different error:

"Windows Resource Protection could not perform the requested operation"


2014-11-08 20:52:55, Error CSI 0000011c (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #2510043# from Windows::Rtl::SystemImplementation:irectFileSystemProvider::SysReadFile(h = a10 ("\Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-ime-korean-hwresource_31bf3856ad364e35_6.1.7600.16385_none_ac4a6957c5dbd4bb\mshwkorrIME.dll"), evt = 0, apcr = NULL, apcc = NULL, iosb = @0x84cbb0, data = {l:0 b:}, byteoffset = 458752 (0x0000000000070000), key = (null))
[gle=0xd0000185]
2014-11-08 20:52:55, Error CSI 0000011d@2014/11/9:01:52:55.756 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(2155): Error c0000185 [Error,Facility=(system),Code=389 (0x0185)] originated in function Windows::Rtl::SystemImplementation:irectFileSystemProvider::SysReadFile expression: (null)
[gle=0x80004005]
2014-11-08 20:52:58, Error CSI 0000011e (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #2510042# from Windows::Rtl::SystemImplementation::CFile_IRtlFileTearoff::ReadFile(Flags = 3, Buffer = {l:0 ml:65536 b:}, Offset = 458752 (0x0000000000070000), Disposition = 0)[gle=0xd0000185]

 

[NoelDP]

Let's have the MGADiag report please.

Please followthis tutorial and post an MGADiag report - then we can see what the problem is.



http://www.sevenforums.com/windows-updates-activation/234159-windows-genuine-activation-issue-posting-instructions.html



Ignore errors produced when clicking on theCopy button - they simply mean that the tool could not create the backup filesfor some reason. The data is still copied to the clipboard for pasting to yourresponse.



Please also statethe Version and Edition of Windows quoted on your COA sticker (if you have one)on the case of your machine (or inside the battery compartment), but do NOTquote the Key on the sticker!

http://www.microsoft.com/en-us/howtotell/Hardware.aspx

 

[NoelDP]

Your SFC scan crashed with the following error...

2014-11-08 15:25:24, Error                 CSI    00000232 (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #5016923# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile(h = 8b0 ("\Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-ime-korean-hwresource_31bf3856ad364e35_6.1.7600.16385_none_ac4a6957c5dbd4bb\mshwkorrIME.dll"), evt = 0, apcr = NULL, apcc = NULL, iosb = @0xa3cd20, data = {l:0 b:}, byteoffset = 458752 (0x0000000000070000), key = (null))
[gle=0xd0000185]
2014-11-08 15:25:24, Error                 CSI    00000233@2014/11/8:20:25:24.305 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(2155): Error c0000185 [Error,Facility=(system),Code=389 (0x0185)] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile expression: (null)
[gle=0x80004005]
2014-11-08 15:25:24, Error                 CSI    00000234 (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #5016922# from Windows::Rtl::SystemImplementation::CFile_IRtlFileTearoff::ReadFile(Flags = 3, Buffer = {l:0 ml:65536 b:}, Offset = 458752 (0x0000000000070000), Disposition = 0)[gle=0xd0000185]
2014-11-08 15:35:25, Info                  CBS    Reboot mark refs incremented to: 1
2014-11-08 15:35:25, Info                  CBS    Scavenge: Starts

You say that you ran CHKDSK - please post the log files...

Open Event Viewer

click on theWindows logs entry in the left pane to expand it.

Now click on the Application entry - wait while it loads.

Click on 'File' in the menu bar and select Save...

Save the file as Appevt.evtx

Repeat for the System log

then zip both, and upload them.

 

[Triton46]

I replaced that file: mshwkorrIME.dll and the sfc scannow is progressing. I'll gather the other logs and upload.

Non-safemode is still very slow...15 min for explorer to come up. Shutdown took 30 min.

Also, I tried creating a new profile...no luck...still get the same "not genuine" screen and slowness with the new profile.

 

[Triton46]

OK, I got the sfc scan to complete:

c:\Windows\System32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

View attachment 339865 Attached Event logs. Working on diagnosis.

 

[Triton46]

MGADiag

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 50
Cached Online Validation Code: N/A, hr = 0x8007043c
Windows Product Key: *****-*****-BJD6C-K3YVH-DVQJG
Windows Product Key Hash: WFqPPaNJ0hrc3E/8MgITJa2Xf0M=
Windows Product ID: 00359-OEM-8992687-00118
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {A75E65D6-7D3B-4C4C-A69D-AE006962FF9A}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.140303-2144
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A75E65D6-7D3B-4C4C-A69D-AE006962FF9A}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-DVQJG</PKey><PID>00359-OEM-8992687-00118</PID><PIDType>2</PIDType><SID>S-1-5-21-612552391-2311362538-1607580098</SID><SYSTEM><Manufacturer>ASUSTeK Computer INC.</Manufacturer><Model>EB1503</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0502</Version><SMBIOSVersion major="2" minor="7"/><Date>20120523000000.000000+000</Date></BIOS><HWID>F9613807018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>_ASUS_</OEMID><OEMTableID>Notebook</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x8007043C' to display the error text.
Error: 0x8007043C 

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 10:1:2014 21:36
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x8007043c
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: LAAAAAIAAQABAAEAAAAAAAAAAgABAAEA6GHOoBa2TSbIYyDPEN0edhSHBBo=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name    OEMID Value    OEMTableID Value
  APIC            ALASKA        A M I
  FACP            ALASKA        A M I
  HPET            ALASKA        A M I
  MCFG            ALASKA        A M I
  RTCF            A1234        RTCONFIG
  IFEU            ALASKA        A M I
  SLIC            _ASUS_        Notebook

 

[NoelDP]

I fond myself wondering about the machine's history here....
The report you posted is from a Safe Mode boot - and not terribly reliable.

The installed Product Key is for Home Premium - but the machine appears to me to have been shipped only with Home Basic or Starter (but I could be way off base!).

If I'm right (no guarantees!) then that would explain your problems, since the SLIC table would almost certainly not allow the 'upgrade'.

Please check your machine's case - is there a COA sticker on the case?? If so, for which version and edition is it valid?

 

[Triton46]

The machine was purchased on Amazon (from Asus) on 04/2013 as brand new. It's an Eeebox (EB1503). It has ran flawlessly (24/7) as a media pc/server until this issue.

The sticker on the side states:
Windows 7 Home Premium OA

The MGADiag will not run in normal mode. 30 min for Explorer.exe to come up, MGADiag took 1 hour to come up after clicking on it, and then it ran for another 1hour before Explorer was frozen. I kept getting popups for Explorer (Would you like to stop the process?). Ctrl-Alt-Del in normal mode no longer functions, I get a pop up telling me to press the power button.

Safe Mode with networking is about all I have at this point.

I'm currently running Spybot/Teatimer, MalwareBytes, and CheckSur to investigate further.

Also, I removed AVG (clean uninstall and then ran the remover program).

 

[NoelDP]

we need to see afull copy of the report produced by the MGADiag tool

(download andsave to desktop - http://go.microsoft.com/fwlink/?linkid=52012)

Once saved, run the tool.

Click on theContinue button, which will produce the report.

To copy the report to your response, click onthe Copy button in the tool (ignore any error messages at this point), and thenpaste (using either r-click/Paste, or Ctrl+V ) into your response.

- in your own thread, please



Please also statethe Version and Edition of Windows quoted on your COA sticker (if you have one)on the case of your machine (or inside the battery compartment), but do NOTquote the Key on the sticker!

http://www.microsoft.com/en-us/howtotell/Hardware.aspx

 

[Triton46]

Is there a way to run MGADiag via CLI? As I said, it takes 2 hours to get this kicked off and running in normal mode.

The sticker says "Windows 7 Home Prem OA". Under that is the barcode (Asus) and the product key. Is there something else?

Is there anything in the log pointing to a service or file that can be fixed to return performance to normal mode? I don't know that MGADiag will complete in normal mode. It ran for 2 hours last time before normal mode locked.

 

[Triton46]

After 3 hours, MGADiag had not even popped up on the screen. I went back to safemode and disabled all services that were not running then went back to normal mode. I can now run things...it's still a bit herky-jerky...there are delays when clicking on files, folders or executables.

Here is the output:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0x8004FE21
Cached Online Validation Code: N/A, hr = 0x80070422
Windows Product Key: *****-*****-BJD6C-K3YVH-DVQJG
Windows Product Key Hash: WFqPPaNJ0hrc3E/8MgITJa2Xf0M=
Windows Product ID: 00359-OEM-8992687-00118
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {A75E65D6-7D3B-4C4C-A69D-AE006962FF9A}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.140303-2144
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{A75E65D6-7D3B-4C4C-A69D-AE006962FF9A}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-DVQJG</PKey><PID>00359-OEM-8992687-00118</PID><PIDType>2</PIDType><SID>S-1-5-21-612552391-2311362538-1607580098</SID><SYSTEM><Manufacturer>ASUSTeK Computer INC.</Manufacturer><Model>EB1503</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0502</Version><SMBIOSVersion major="2" minor="7"/><Date>20120523000000.000000+000</Date></BIOS><HWID>F9613807018400FA</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>_ASUS_</OEMID><OEMTableID>Notebook</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0x80070422' to display the error text.
Error: 0x80070422 

Windows Activation Technologies-->
HrOffline: 0x8004FE21
HrOnline: N/A
HealthStatus: 0x0001000000000000
Event Time Stamp: 10:1:2014 21:36
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:
Tampered Service: sppsvc


HWID Data-->
HWID Hash Current: LgAAAAEAAQABAAEAAAACAAAAAgABAAEA6GHOoBa2yGMgzxDd/KtGTB52FIcEGg==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			ALASKA		A M I
  FACP			ALASKA		A M I
  HPET			ALASKA		A M I
  MCFG			ALASKA		A M I
  RTCF			A1234		RTCONFIG
  IFEU			ALASKA		A M I
  SLIC			_ASUS_		Notebook

 

[Triton46]

I went back to run these:

net start sppsvc
sc qc sppsvc
sc queryex sppsvc
sc qprivs sppsvc
sc qsidtype sppsvc
sc sdshow sppsvc

C:\Windows\system32>net start sppsvc
The Software Protection service is starting.
The Software Protection service was started successfully.


C:\Windows\system32>sc qc sppsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sppsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\sppsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Software Protection
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : NT AUTHORITY\NetworkService

C:\Windows\system32>sc queryex sppsvc

SERVICE_NAME: sppsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1772
        FLAGS              :

C:\Windows\system32>sc qprivs sppsvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: sppsvc
        PRIVILEGES       : SeAuditPrivilege
                         : SeChangeNotifyPrivilege
                         : SeCreateGlobalPrivilege
                         : SeImpersonatePrivilege

C:\Windows\system32>sc qsidtype sppsvc
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: sppsvc
SERVICE_SID_TYPE:  UNRESTRICTED

C:\Windows\system32>sc sdshow sppsvc

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO
CRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;LCRP;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;WD)

C:\Windows\system32>

As soon as I start sppsvc, everything locks up. I try to stop it, but cannot stop it...have to go back to Safe Mode and disable it.

 

[NoelDP]

Odd.
While in Safe Mode with Networking, run SFC /SCANNOW - copy the CBS.log file to the desktop, and compress the copy before uploading it to your reply.

 

[Triton46]

Last night: I went back and found in the Event Log that the crash was either due to Server service or COM+ service not running. I restarted those and the computer seems stable...still a bit slow but working. I received a notice to download a Windows Authentication program and run it. After it completes, you have to go to a MS website to validate. The website restarts sppsvc and sppuinotify even though both were disabled.

That ran for about 30 min before I left it and went to bed.

This morning: the website is not responding so I don't know if it completed or not. I'll send the CBS log when I get off work.

 

[Triton46]

I restarted the PC in normal mode to see if the update completed. It is back to where I was when I first opened this thread...very slow, cannot click on anything, 30 min to shutdown. I powered it off and went to Safe Mode with Networking and ran sfc /scannow.


The logs show the same error again on the Korean dll file (I replaced it yesterday and got a clean scannow). Something is corrupting it.

2014-11-08 15:21:12, Error                 CSI    0000011c (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #2511023# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile(h = a10 ("\Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-ime-korean-hwresource_31bf3856ad364e35_6.1.7600.16385_none_ac4a6957c5dbd4bb\mshwkorrIME.dll"), evt = 0, apcr = NULL, apcc = NULL, iosb = @0xa3cd20, data = {l:0 b:}, byteoffset = 458752 (0x0000000000070000), key = (null))
[gle=0xd0000185]
2014-11-08 15:21:12, Error                 CSI    0000011d@2014/11/8:20:21:12.162 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(2155): Error c0000185 [Error,Facility=(system),Code=389 (0x0185)] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile expression: (null)
[gle=0x80004005]
2014-11-08 15:21:17, Error                 CSI    0000011e (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #2511022# from Windows::Rtl::SystemImplementation::CFile_IRtlFileTearoff::ReadFile(Flags = 3, Buffer = {l:0 ml:65536 b:}, Offset = 458752 (0x0000000000070000), Disposition = 0)[gle=0xd0000185]
...
2014-11-10 07:48:26, Error                 CSI    0000011c (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #2510259# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile(h = a10 ("\Device\HarddiskVolume3\Windows\winsxs\amd64_microsoft-windows-ime-korean-hwresource_31bf3856ad364e35_6.1.7600.16385_none_ac4a6957c5dbd4bb\mshwkorrIME.dll"), evt = 0, apcr = NULL, apcc = NULL, iosb = @0x95d1c0, data = {l:0 b:}, byteoffset = 1310720 (0x0000000000140000), key = (null))
[gle=0xd0000185]
2014-11-10 07:48:26, Error                 CSI    0000011d@2014/11/10:12:48:26.316 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(2155): Error c0000185 [Error,Facility=(system),Code=389 (0x0185)] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile expression: (null)
[gle=0x80004005]
2014-11-10 07:48:28, Error                 CSI    0000011e (F) c0000185 [Error,Facility=(system),Code=389 (0x0185)] #2510258# from Windows::Rtl::SystemImplementation::CFile_IRtlFileTearoff::ReadFile(Flags = 3, Buffer = {l:0 ml:65536 b:}, Offset = 1310720 (0x0000000000140000), Disposition = 0)[gle=0xd0000185]

View attachment 339977

 

[NoelDP]

This type of thing sounds more like enemy action than anything else..
In Safe Mode with Networking...

Please downloadand install Malwarebytes Anti-malware(free version) from http://www.malwarebytes.org/products/malwarebytes_free/- UNtick 'Enable free trial of MBAM Premium' at the end of the installation- and update it, then run a fullscan in your main account, and Quickscans in any other user accounts.



Quarantineeverything it finds

 

[Triton46]

This type of thing sounds more like enemy action than anything else..
In Safe Mode with Networking...

Please downloadand install Malwarebytes Anti-malware(free version) from http://www.malwarebytes.org/products/malwarebytes_free/- UNtick 'Enable free trial of MBAM Premium' at the end of the installation- and update it, then run a fullscan in your main account, and Quickscans in any other user accounts.



Quarantineeverything it finds

Hi NoelDP,

First off, I appreciate all the help you are giving! Thank you!

I downloaded Malwarebyte AM yesterday and did a full scan (prior to my post #15). It found 15 issues and all were quarantined. I will run it again when I get home.

 

[NoelDP]

Make sure that you enable the check for Rootkits as well - it never hurts!

 

[Triton46]

Houston, we have a problem. I replaced the bad dll and ran sfc /scannow, success.

I started Malwarebytes and it got all the way to the end and froze, on a directory that no longer exists. I tried to stop it but Safe Mode was frozen. Power off, back on and I cleaned the registry and restarted Malwarebytes, this time it got to the windows update token file (tokens.dat).

At this point I am getting worried that the disk is bad. I already backed up all my media files, but I have been getting timeouts on the files in my partition for the OS. I started moving all the Program Files and got two errors:

Semaphore Timeout - Error 0x80070079
IO Device Error - Error 0x80070450

It's frozen again in Safe Mode just moving 2GB of data from Program Files.

How can I conclusively rule which part is the problem?