[SOLVED] Windows Update Problem

I must admit I'm not at all surprised by those results - MGADiag tests all those files against the built-in database, for compliance, so I'd have been amazed if it hadn't reported any problems.
 
Unless Richard comes back with a better idea, I suggest resetting the CATROOT2 folder.


Please run the following commands in an Elevated Command Prompt

NET STOP CRYPTSVC
REN C:\WINDOWS\SYSTEM32\CATROOT2 CATROOT2OLD
NET START CRYPTSVC


Once complete, leave the system alone for at least an hour to rebuild the database, then reboot, and run another MGADiag report.
Note that this may delete your Update History - but all updates will remain installed, and can be viewed in the Installed Updates listing.

Please zip and upload the CATROOT2OLD folder so we can take a look at it for forensics.
 
Many thanks for the data - now all I have to do is work out what it means!


Has it made any difference to the behaviour?
 
Hmmm - that's interesting - both subfolders of the renamed folder are empty, which means that something prevented the original build.

Can you confirm that the current Catroot2 subfolders have content?
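The reset described in the earlier post and the subfolder check asked for here, as an added PowerShell example that is not code from the thread. It assumes an elevated PowerShell prompt on Windows 7 (2.0 or later), the standard catroot2 paths, and the same catroot2old name the post uses; it keeps the renamed folder untouched so it can still be uploaded.

```powershell
# Added example (not from the thread): catroot2 reset plus a check that the
# rebuilt subfolders actually received content. PSIsContainer is used instead
# of -Directory/-File so it also runs on Windows 7's PowerShell 2.0.
$Catroot2    = Join-Path $env:SystemRoot 'System32\catroot2'
$Catroot2Old = Join-Path $env:SystemRoot 'System32\catroot2old'

function Get-CatrootSummary {
    param([string]$Path)
    # One object per subfolder of $Path with the number of files it holds.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-ChildItem -LiteralPath $Path -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $files = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        New-Object PSObject -Property @{ Subfolder = $_.Name; Files = $files.Count }
    }
}

function Reset-Catroot2 {
    # Same three steps as NET STOP / REN / NET START in the post. The renamed
    # folder is never deleted: the helper asked for it for forensics.
    if (Test-Path -LiteralPath $Catroot2Old) {
        throw "$Catroot2Old already exists; move it aside before running the reset again."
    }
    Stop-Service -Name CryptSvc -Force
    Rename-Item -LiteralPath $Catroot2 -NewName 'catroot2old'
    Start-Service -Name CryptSvc
    Write-Host "catroot2 renamed. Leave the machine alone for at least an hour, then run Test-Catroot2Rebuilt."
}

function Test-Catroot2Rebuilt {
    # Prints both folders and returns $true only when the live catroot2 has at
    # least one subfolder and every subfolder holds files. Empty subfolders in
    # either folder mean the rebuild did not happen, which is what the helper
    # found in the renamed copy above.
    $old = @(Get-CatrootSummary -Path $Catroot2Old)
    $new = @(Get-CatrootSummary -Path $Catroot2)
    Write-Host "Renamed folder ($Catroot2Old):"
    $old | Format-Table Subfolder, Files -AutoSize | Out-String | Write-Host
    Write-Host "Live folder ($Catroot2):"
    $new | Format-Table Subfolder, Files -AutoSize | Out-String | Write-Host
    if ($new.Count -eq 0) { return $false }
    return (@($new | Where-Object { $_.Files -eq 0 }).Count -eq 0)
}

# Reset-Catroot2          # step 1, from an elevated prompt
# Test-Catroot2Rebuilt    # step 2, an hour later and again after the reboot
```

Run the check a second time after the reboot the post asks for; a folder that stays empty across both checks points at Cryptographic Services failing to rebuild, not at a slow rebuild.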
 
Sorry about the delay, I haven't gotten a chance to run the scan or look at the catroot yet, but my son says that his microphone is working now. His internal mic didn't work so we got him a new headset. The mic didn't work, I think because our Windows Update wasn't working and the drivers didn't install. After resetting the catroot folder, the mic works, meaning that our Windows Update works. I'll check tomorrow, but pretty exciting news.
 
Hello. Looks like I spoke too soon, Windows Update still doesn't work. Strangely enough the catroot2 folder is empty, but I saw a catroot2.old folder that had bunches of files in it. I did do the MGA though, so here it is:

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->


Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-MJYD2-Q8BGH-HR9JG
Windows Product Key Hash: ag/5j45JAJrn5ej7stPb1WAv7o4=
Windows Product ID: 00359-OEM-9802027-46747
Windows Product ID Type: 8
Windows License Type: COA SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {D40FA9BC-5446-4916-ABE8-CFBF8E5B3194}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_rtm.101119-1850
TTS Error:
Validation Diagnostic:
Resolution Status: N/A


Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002


Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002


OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002


OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
Microsoft Office Visio Professional 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3


Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed


File Scan Data-->
File Mismatch: C:\Windows\system32\wat\watadminsvc.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\npwatweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watux.exe[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\wat\watweb.dll[Hr = 0x80070003]
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7600.16385], Hr = 0x80092003
File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x80092003
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x80092003
File Mismatch: C:\Windows\system32\drivers\spldr.sys[6.1.7127.0], Hr = 0x80092003
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100


Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{D40FA9BC-5446-4916-ABE8-CFBF8E5B3194}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-HR9JG</PKey><PID>00359-OEM-9802027-46747</PID><PIDType>8</PIDType><SID>S-1-5-21-1906796394-2490610034-646354951</SID><SYSTEM><Manufacturer>Hewlett-Packard</Manufacturer><Model>HP G60 Notebook PC</Model></SYSTEM><BIOS><Manufacturer>Hewlett-Packard</Manufacturer><Version>F.53</Version><SMBIOSVersion major="2" minor="4"/><Date>20090911000000.000000+000</Date></BIOS><HWID>D08F3807018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>HPQOEM</OEMID><OEMTableID>SLIC-MPC</OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>3458ADA76A7B6D6</Val><Hash>SvrS5j9hRvt5tFP/BpkJmW7DugE=</Hash><Pid>81599-875-8777677-65292</Pid><PidType>1</PidType></Product><Product GUID="{91120000-0051-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Visio Professional 2007</Name><Ver>12</Ver><Val>B0C552E90DC6ECE</Val><Hash>AjE0n1yhNPgYca0ihw25dHGzQH0=</Hash><Pid>84890-871-4794155-63801</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="53" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>


Spsys.log Content: 0x80070002


Licensing Data-->
Software licensing service version: 6.1.7601.17514


Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, OEM_COA_SLP channel
Activation ID: 5e017a8a-f3f9-4167-b1bd-ba3e236a4d8f
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00196-020-246747-02-1033-7601.0000-1902012
Installation ID: 004180734576623203789303820020607080385153270436915852
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: HR9JG
License Status: Licensed
Remaining Windows rearm count: 2
Trusted time: 3/29/2013 12:43:31 PM


Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 12:23:2012 12:23
ActiveX: Not Registered - 0x80040154
Admin Service: Not Registered - 0x80040154
HealthStatus Bitmask Output:




HWID Data-->
HWID Hash Current: MgAAAAEAAQABAAIAAAABAAAABAABAAEA6GE2+aaoQq1GAnZpnkZyEpycQknKE+hHRso=


OEM Activation 1.0 Data-->
N/A


OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC INSYDE
FACP HPQOEM SLIC-MPC
HPET INSYDE SLIC-MPC
BOOT INSYDE INSYDE
MCFG INSYDE
ASF! INTEL HCG
SLIC HPQOEM SLIC-MPC
SSDT INTEL SataAhci
SSDT INTEL SataAhci
 
I am sorry to say that that update didn't install properly. It says: "Installer encountered an error: 0x80080005 Server Execution failed". Can this problem have been a result of a malware attack, or rogue software? Can it be that I installed an x86 piece of software when I was supposed to do x64? Also, should I do a reset of the update components from here: How do I reset Windows Update components??
 
I have a Windows 7 64-bit installation disk from another computer as well. If I run it on my laptop but then input my own key, will it work? Something is telling me it won't, but it never hurts to ask.
 
I have absolutely no files in my SoftwareDistribution/Datastore or Download or PostRebootEventCache or ScanFile folder. The only folders with files in them are AuthCabs, SelfUpdate, and WuRedir. It may be the cause of some of the errors.
 
The Server error would tend to indicate that BITS is disabled.

Please download the Farbar Service Scanner from

Farbar Service Scanner Download

Run it, and tick all the options, then click on the Scan button - copy and paste the report to your response.
 
Here you are:

Farbar Service Scanner Version: 03-03-2013
Ran by Homework (ATTENTION: The logged in user is not administrator) on 31-03-2013 at 14:58:15
Running from "C:\Users\Homework\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************


Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.




Windows Firewall:
=============


Firewall Disabled Policy:
==================




System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.


VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.




System Restore Disabled Policy:
========================




Action Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.




Windows Autoupdate Disabled Policy:
============================




Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.




Other Services:
==============




File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2011-03-10 18:44] - [2010-11-20 02:23] - 0499712 ____A (Microsoft Corporation) D31DC7A16DEA4A9BAF179F3D6FBDB38C


C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2011-03-10 18:45] - [2010-11-20 06:33] - 1924480 ____A (Microsoft Corporation) 509383E505C973ED7534A06B3D19688D


C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit




**** End of log ****

Lol doesn't seem like too much.
 
Chuckle - it's not as bad as it might be - but worse than I was hoping.

I think the best way to attack this is probably the ESET service repair tool.

Please download http://kb.eset-la.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe and save it to your desktop.

Double-click ServicesRepair.exe
If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
Once the tool has finished, you will be prompted to restart your computer.
Click Yes to restart.

Then run the FarBar scanner again and post the new results.
Post the results.


 
:( here you go:

Farbar Service Scanner Version: 03-03-2013
Ran by Homework (ATTENTION: The logged in user is not administrator) on 31-03-2013 at 16:22:36
Running from "C:\Users\Homework\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************


Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.




Windows Firewall:
=============


Firewall Disabled Policy:
==================




System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.


VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.




System Restore Disabled Policy:
========================




Action Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.




Windows Autoupdate Disabled Policy:
============================




Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.




Other Services:
==============




File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2011-03-10 18:44] - [2010-11-20 02:23] - 0499712 ____A (Microsoft Corporation) D31DC7A16DEA4A9BAF179F3D6FBDB38C


C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2011-03-10 18:45] - [2010-11-20 06:33] - 1924480 ____A (Microsoft Corporation) 509383E505C973ED7534A06B3D19688D


C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit




**** End of log ****

Quite the problem this is turning into. Can I just use an installation disk from a different PC and input my own Windows key into it?
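A check of the Windows Update service chain along the lines of what the Farbar Service Scanner output above reports (BITS set to Demand, the default being Auto, and wuauserv configured correctly but not running), as an added PowerShell example that is not code from the thread or from Farbar. It uses WMI so it runs on Windows 7's PowerShell 2.0; the expected start modes are Windows 7 defaults as I know them, the thread itself only states the one for BITS.

```powershell
# Added example (not from the thread): compares each service's start mode with
# the Windows 7 default and reports its state, then optionally repairs it.
# Expected values are assumptions from my own knowledge of Windows 7 defaults;
# WMI reports both Automatic and Automatic (Delayed Start) as 'Auto'.
$Expected = @{
    'wuauserv' = 'Auto'    # Windows Update
    'BITS'     = 'Auto'    # Background Intelligent Transfer Service (scan found Manual)
    'CryptSvc' = 'Auto'    # Cryptographic Services, owner of catroot2
    'RpcSs'    = 'Auto'    # RPC, required by all of the above
}

function Get-UpdateServiceStatus {
    # One object per service: state, start mode, expected mode, image path and
    # whether the start mode matches. Works from a non-elevated prompt.
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            New-Object PSObject -Property @{ Name = $name; State = 'MISSING'; StartMode = 'n/a'
                                             Expected = $Expected[$name]; Ok = $false; ImagePath = '' }
            continue
        }
        New-Object PSObject -Property @{
            Name = $svc.Name; State = $svc.State; StartMode = $svc.StartMode
            Expected = $Expected[$name]; Ok = ($svc.StartMode -eq $Expected[$name])
            ImagePath = $svc.PathName
        }
    }
}

function Repair-UpdateServices {
    # Puts a deviating start mode back to the default and starts anything that is
    # stopped. A correct start mode alone is not enough: the scan showed wuauserv
    # configured correctly but not running. Requires an elevated prompt.
    $map = @{ 'Auto' = 'Automatic'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
    foreach ($row in @(Get-UpdateServiceStatus | Where-Object { $_.State -ne 'MISSING' })) {
        if (-not $row.Ok) {
            Set-Service -Name $row.Name -StartupType $map[$row.Expected]
            Write-Host ("{0}: start mode {1} -> {2}" -f $row.Name, $row.StartMode, $row.Expected)
        }
        if ($row.State -ne 'Running') { Start-Service -Name $row.Name }
    }
}

Get-UpdateServiceStatus | Format-Table Name, State, StartMode, Expected, Ok, ImagePath -AutoSize
# Repair-UpdateServices   # run from an elevated prompt once the table shows Ok = False
```

The ImagePath column is printed so a service whose binary has been redirected away from System32 stands out next to the MD5 results Farbar prints; a mismatch there is a different problem from a wrong start mode.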
 
Had a hunch. Thank you for your help. I have to do a post as I misplaced my repair disk :-( . Once I remove the malware from my computer I will come back to you, correct? If so, see you then :-) .
 
Fine - if you post a link to your thread, I'll follow it and jump in if I see anything relevant.
 