Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows 10 has wupdate corrupted


  • This topic is locked This topic is locked
19 replies to this topic

#1 dacorsa

dacorsa

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 17 December 2015 - 10:39 AM

hi guys,

 

i have problem on my win10, sfc/scannow says is impossible to repair files, Windows update doesn't works...

 

here is log attached

 

thanks in advance for help me

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:46 PM

Posted 17 December 2015 - 11:41 AM

Hi dacorsa :)

My name is Aura and I'll be assisting you with your issue :) Give me a few hours to review your logs, and I'll post back when I'm ready.

Thank you!

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 17 December 2015 - 12:19 PM

Thanks Aura, i'm very happy that you will help me !!!! :) :) :)

 

 

see you soon!

 

ugo



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:46 PM

Posted 17 December 2015 - 05:29 PM

Hi dacorsa :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • Finally, in the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • Since I'm still a trainee, all my posts have to be reviewed by my instructor prior to be posted to make sure that you receive the best assistance possible. Sorry for the inconvenience;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

warning.gifPresence of Pirated Software

There's indications on your system that you are using counterfeit (pirated) software. In your case, it appears to be Windows, Microsoft Office, Acronis and Dreamstream. BleepingComputer doesn't condone the use of pirated software, therefore I'll have to ask you to uninstall and remove any pirated software and/or activation method you are using if you want to receive assistance from me.

Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

Your logs shows the presence of policies on Internet Explorer (managed settings and rules).
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-839720605-1981831675-3749965822-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
From your logs, I can see that your system is quite tweaked, are these your doing?

Lastly, FRST didn't return anything that let us think that malware is involved in your SFC and Windows Update issues, therefore I would like you to run SFC and provide me the CBS.log so I can see which files cannot be repaired.

EndqYRa.pngSystem File Checker (SFC)
Follow the instructions below to run a SFC scan on your system and to provide the CBS log in your next reply;
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Spcusrh.pngRun as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    sfc /scannow
    Note: There's a space between "sfc" and "/scannow";
  • Once the scan is complete, enter the command below and press on Enter
    copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"
  • A file called cbs.txt will have appeared on your Desktop. Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the SFC scan is completed, it won't have the information from the scan anymore. So archive it and upload it as soon as you can.

Your next reply should contain:
  • Wether or not you uninstalled the pirated software and illegal activation method you were using;
  • Your decision on uTorrent (uninstall it, or not use it during the clean-up);
  • If you are aware of the policies set on Internet Explorer and if they are your doing;
  • Download URL to your CBS.log after running a SFC scan;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 17 December 2015 - 05:37 PM

Good evening Aura,

 

i'm sorry but sfc /scannow like i have already say in my 1 post, doesn't work, so i can not scan anything....

 

at 49% it says impossible to repair...

 

how can i do?

 

ok i will not use utorrent until repair win, and i don't make any policies...so it's a virus, in fact win update doesn't works .... 

 

thanks for all



#6 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 17 December 2015 - 05:51 PM

i give you log of sfc until 49%:

 

https://www.dropbox.com/s/fvanv2lg8rig22r/CBS.log?dl=0

 

thanks

 

ugo



#7 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 19 December 2015 - 04:02 AM

up :)



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:46 PM

Posted 19 December 2015 - 11:22 AM

and i don't make any policies...so it's a virus, in fact win update doesn't works ....


Your Windows Update issue have more chances to be caused by the corrupt files SFC can't repair rather than a malware if you ask me, since there's no real indications that your system is infected at the moment. As for the Internet Explorer policies, we can simply remove them with FRST :)

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    Hosts:
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-839720605-1981831675-3749965822-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;
It looks like your SFC scan is hanging on a manifest file, let's see if DISM can provide more information.

EndqYRa.pngDISM - Fixing Component Store Corruption
Follow the instructions below to run a DISM operation on your system.
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command below and press on Enter;
    DISM /Online /Cleanup-Image /RestoreHealth
  • Let the scan run until the end (100%). Depending on your system, it can take some time;
  • Copy the C:\Windows\Logs\DISM folder and C:\Windows\Logs\CBS\CBS.log file on your Desktop, then right-click on it, go to Send to... and select Compressed .zip archive;
  • Upload the file on Dropbox, Google Drive or OneDrive and post the download URL for it here;
Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the DISM scan is completed, it won't contains the information from the scan anymore. So archive it and upload it as soon as you can.

Your next reply should include:
  • Copy/pasted content of the FRST fix log;
  • Download URL to the CBS.log and DISM.log after a DISM scan;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 19 December 2015 - 12:55 PM

Hi Aura, i'm happy to see you :)

 

here is the fixlog:

 

https://www.dropbox.com/s/h7xrasv7j1x3gtj/Fixlog.txt?dl=0

 

here 2 file log of dism:

 

https://www.dropbox.com/s/sbnj36x8857205h/log.zip?dl=0

 

dism stop it and say:

 

C:\Windows\System32>DISM /Online /Cleanup-Image /RestoreHealth

Strumento Gestione e manutenzione immagini distribuzione
Versione: 10.0.10240.16384

Versione immagine: 10.0.10240.16384

[==========================100.0%==========================]

Errore: 0x800f081f

Impossibile trovare i file di origine.
Utilizzare l'opzione "Source" per specificare il percorso dei file necessari per ripristinare la funzionalità. Per ulteriori informazioni su come specificare il percorso di origine, vedere http://go.microsoft.com/fwlink/?LinkId=243077.

Il file di registro di Gestione e manutenzione immagini
distribuzione è disponibile in C:\Windows\Logs\DISM\dism.log

C:\Windows\System32>

 

impossible found file of source

 

 

how can i solve??

 

see you soon



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:46 PM

Posted 19 December 2015 - 05:20 PM

here is the fixlog:

https://www.dropbox.com/s/h7xrasv7j1x3gtj/Fixlog.txt?dl=0


The FRST fix worked, which is good news :)
 

here 2 file log of dism:

https://www.dropbox.com/s/sbnj36x8857205h/log.zip?dl=0


On the other end, this is what your CBS.log shows after running DISM.
Summary:
Operation: Detect and Repair 
Operation result: 0x800f081f
Last Successful Step: Entire operation completes.
Total Detected Corruption:	166
	CBS Manifest Corruption:	0
	CBS Metadata Corruption:	0
	CSI Manifest Corruption:	1
	CSI Metadata Corruption:	0
	CSI Payload Corruption:	165
Total Repaired Corruption:	3
	CBS Manifest Repaired:	0
	CSI Manifest Repaired:	1
	CSI Payload Repaired:	2
	CSI Store Metadata refreshed:	True

Total Operation Time: 1011 seconds.
This is quite bad. One solution I could see to that issue is to download the Windows 10 Media Creation Tool, and use it to upgrade to Windows 10 TH2. This should replace all the corrupt payloads that are from Windows 10 RTM by the ones of Windows 10 TH2 and solve that issue. We could also run SFC and DISM again after the upgrade to see if there's anything left.

https://www.microsoft.com/en-ca/software-download/windows10

Are you comfortable with doing that?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 19 December 2015 - 05:21 PM

i have try with dvd and usb key with win iso installed in it... but nothing why??

 

i have in cmd version 10.0.10240.16384 but in "C:\Windows\Servicing\Version" i have version 10.0.10240.16565

 

also in the regedit , "HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version" i read version 10.0.10240.16565

 

how solve?



#12 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 19 December 2015 - 05:38 PM

i try to upgrade as u said.... will tell you if works but i think not works....see u later i tell u

 

thanks



#13 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 19 December 2015 - 06:14 PM

no, not works, as i said, media creation tool crashed and go out of the installation....so i can't solve in that way....now what we can do?

 

thanks for all Aura

 

see u soon



#14 dacorsa

dacorsa
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:01:46 AM

Posted 21 December 2015 - 07:22 AM

can u tell me where are these files??:

 

Summary: Operation: Detect and Repair Operation result: 0x800f081f Last Successful Step: Entire operation completes. Total Detected Corruption: 166 CBS Manifest Corruption: 0 CBS Metadata Corruption: 0 CSI Manifest Corruption: 1 CSI Metadata Corruption: 0 CSI Payload Corruption: 165 Total Repaired Corruption: 3 CBS Manifest Repaired: 0 CSI Manifest Repaired: 1 CSI Payload Repaired: 2 CSI Store Metadata refreshed: True Total Operation Time: 1011 seconds.

 

 

i can overwrite with other win installation??

 

i can't format Windows too many big app installed....

 

thanks



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,485 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:46 PM

Posted 21 December 2015 - 11:13 AM

Sadly, unless you are able to put your hand on a Windows 10 RTM x64 .iso to run a Repair Install of your current Windows installation, you won't be able to solve the corrupt payload issues. In your case, a clean installation of Windows 10 is the best and fastest solution you have. I know this is probably not what you want to hear, but your issue isn't related to malware at all here.

Also the way you got activated your copy of Windows (illegally) is most likely the cause of all this. I would keep that in mind for the future :)

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users