Re: Windows update failing

Mow

I have achieved a resolution, but by drastic means!!! Anyway, here is the
update:

1/ McAfee cleanup ran, but did not achieve any progress
2/ Disabled all add ins in IE - same symptoms....
3/ Stepped through the AU Check in all modes, restarting after each - 3 x
logs available at:

https://rcpt.yousendit.com/626462121/d7a1655c94d727f52d1e9371463a718c

https://rcpt.yousendit.com/626457073/8fd3bb5a7b89e33e46326bb2d565e070 and

https://rcpt.yousendit.com/626456625/0f40146b5b702774eaaad2b0062f4e89

(files will be available for 7 days)

- still unable to WU, similar symptoms.

4/ sfc/scannow still reported qmgr.dll as corrupt - since Windows would not
allow me to install SP1 again, I took drastic steps and installed Windows
Ultimate, using the "retain existing settings and programmes" option. Worked
like a dream!!! I deselected certain packs and cycled through several WU, to
ensure no recurrence
5/ Before installation, ran HijackThis again, and Kaspersky and Symantec
remote scans - nothing unpleasant reported

Either the issue arose as a result of being unable to correct corrupt files,
as the BITS repairer did not work, or as a result of malware. But I guess
the reinstall will have overwritten all important Windows files and given me
a solid build.

Thanks for all your help, let me know if you need any further info for the KB.

Best wishes

Chris






"MowGreen [MVP]" wrote:

The updating service can't function

2008-11-15 14:21:29:093 2232 1554 WUApp WARNING: Cannot load updates
because AU service is not available, hr=80010108

Because of the RPC failure

0X800706BE RPC_S_CALL_FAILED
The remote procedure call failed.
0x80010108 RPC_E_DISCONNECTED
The object invoked has disconnected from its clients.

Then, there's this Permissions issue

2008-11-15 14:22:07:329 2232 1554 WUApp WARNING: Error displaying Opted
In Service summary: 80070005

Either malware is causing this, there's interference with the update
servers and RPC due to a 3rd party add-on, or the entire issue was
caused by Trend OR leftover files from McAfee.

If running the McAfee cleanup tool results in no joy, then suggest you
disable all 3rd party IE add-ons. Open Internet Options in the Control
Panel and click the Programs tab. Then click the Manage add-ons button.
Disable all non-Microsoft add-ons and see if the system can update now.

The WU.log shows the latest version of the Windows Update Agent has
installed properly. So, that's a positive step.
What you can do, IF malware is *not* detected, is to boot to Safe Mode
with Networking and run AU Check once more.
Restart the system to SM w/networking and see if the system can update
from within that mode.

I'll be leaving early tomorrow AM and probably won't be able to check
this thread until Wednesday at the earliest, Chris. Hang in there.

MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============




Chris Lucas wrote:

Thanks Mow and PA.... Using the McAfee removal tool now and will post the
Hijack this log, as suggested.

Reference the BITS files, are versions OK? And what can I do about the
corrupt qmgr.dll? Can I download a BITS installer and overright?

Thanks.

Chris




"MowGreen [MVP]" wrote:


Was Trend actively monitoring the system during the application of SP1
and when was it applied ?
That *may* account for the file mismatch in WinSxS.
Before doing any of the below, check the WindowsUpdate.log located in
WINDOWS [ Click Start > Start Search > type in windowsupdate.log > click
Search ]
Look to see if the updates were downloaded or if there are any FATAL or
WARNING entries with accompanying error codes:

How to read the Windowsupdate.log file
http://support.microsoft.com/kb/902093

AU Check should have replaced all BITS related files when it was run.
It created an AULOGS folder on the root drive. The logs are stored in
..cab files that can be extracted as .zip files are.
After you decompress the data.CAB and progress.CAB, drill down in the to
the data subfolder and open the Fileversions.txt.
Under BITS / WinHTTP File versions: check to see which versions were
installed, or supposedly, installed.

Also, check the progress.log located in the progress subfolder.
Check the ' ---Enumerating files used by BITS--- ' section to see if any
errors are present.

I don't think you can move system files from one Vista system to another
as in previous Windows OS' due to security descriptors. AFAIK, the
bits-related files should be at a much higher V. then what is showing in
WinSxS, Chris.

Hold on a sec ... has this update been offered or installed yet ? -
Update for Windows Vista (KB956774)
http://www.microsoft.com/downloads/details.aspx?FamilyId=E8D89C80-3D82-4C7B-B63E-BFAF77DC394F&displaylang=en


MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
================



Chris Lucas wrote:


Mow

1/ Thanks - did all of this. The good news is that Aero has come back.
The bad news is that although Windows Update managed to identify the required
updates, it then failed to install, error code 800706BA. Error is
consistent, I have retried.

At the end of this, there were 17 instances of svchost.exe shown as running,
and a dialogue box appeared saying:

"Host Process for Windows Services stopped working and was closed.

A problem caused the application to stop working correctly. Windows will
notify you if a solution is available"

2/ I think I mentioned that I tried to do a BITS repair and that the repair
tool advised that BITS repair was not required - sfc/scannow returns:

"Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Chris Lucas>cd\

C:\>sfc/scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some
of th
em.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

C:\>"

The tail of the log file indicates a corrupt qmgr.dll - it appears that both
the "live" file, and the source are corrupt (see tail below) - could this be
the root of the problem? If so, I can copy a qmgr.dll (identical version and
size) from another Vista machine available to me - just not sure how to copy
the file across, given that qmgr.dll will be open. Is there a safe download
for this file from Microsoft? Tail follows:

"POQ 63 ends.
2008-11-15 14:33:38, Info CSI 00000162 [SR] Verify
complete
2008-11-15 14:33:38, Info CSI 00000163 [SR] Repairing 1
components
2008-11-15 14:33:38, Info CSI 00000164 [SR] Beginning
Verify and Repair transaction
2008-11-15 14:33:38, Info CSI 00000165 Hashes for file
member
\SystemRoot\WinSxS\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\qmgr.dll
do not match actual file [l:16{8}]"qmgr.dll" :
Found: {l:32 b:ScKp+5jFLhLGBnC2rsI7ZVgLr8fL0Aaqv5OCHa9uJjo=} Expected:
{l:32 b:DfzQPLln0amA1WEkYD81PcHYAOOl5Dbu6Vxl/eFzmM8=}
2008-11-15 14:33:38, Info CSI 00000166 [SR] Cannot
repair member file [l:16{8}]"qmgr.dll" of Microsoft-Windows-Bits-Client,
Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture
neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35},
Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2008-11-15 14:33:38, Info CSI 00000167 Hashes for file
member
\SystemRoot\WinSxS\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\qmgr.dll
do not match actual file [l:16{8}]"qmgr.dll" :
Found: {l:32 b:ScKp+5jFLhLGBnC2rsI7ZVgLr8fL0Aaqv5OCHa9uJjo=} Expected:
{l:32 b:DfzQPLln0amA1WEkYD81PcHYAOOl5Dbu6Vxl/eFzmM8=}
2008-11-15 14:33:38, Info CSI 00000168 [SR] Cannot
repair member file [l:16{8}]"qmgr.dll" of Microsoft-Windows-Bits-Client,
Version = 6.0.6001.18000, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture
neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35},
Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2008-11-15 14:33:38, Info CSI 00000169 Hashes for file
member \??\C:\windows\System32\qmgr.dll do not match actual file
[l:16{8}]"qmgr.dll" :
Found: {l:32 b:ScKp+5jFLhLGBnC2rsI7ZVgLr8fL0Aaqv5OCHa9uJjo=} Expected:
{l:32 b:DfzQPLln0amA1WEkYD81PcHYAOOl5Dbu6Vxl/eFzmM8=}
2008-11-15 14:33:38, Info CSI 0000016a Hashes for file
member
\SystemRoot\WinSxS\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\qmgr.dll
do not match actual file [l:16{8}]"qmgr.dll" :
Found: {l:32 b:ScKp+5jFLhLGBnC2rsI7ZVgLr8fL0Aaqv5OCHa9uJjo=} Expected:
{l:32 b:DfzQPLln0amA1WEkYD81PcHYAOOl5Dbu6Vxl/eFzmM8=}
2008-11-15 14:33:38, Info CSI 0000016b [SR] Could not
reproject corrupted file
[ml:520{260},l:46{23}]"\??\C:\windows\System32"\[l:16{8}]"qmgr.dll"; source
file in store is also corrupted
2008-11-15 14:33:38, Info CSI 0000016c Repair results
created:
POQ 64 starts:
0: Move File: Source =
[l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\19f35d262f47c901321c0000e4058413._0000000000000000.cdf-ms",
Destination =
[l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"

POQ 64 ends.
2008-11-15 14:33:38, Info CSI 0000016d [SR] Repair
complete
2008-11-15 14:33:39, Info CSI 0000016e [SR] Committing
transaction
2008-11-15 14:33:39, Info CSI 0000016f Creating NT
transaction (seq 1), objectname [6]"(null)"
2008-11-15 14:33:39, Info CSI 00000170 Created NT
transaction (seq 1) result 0x00000000, handle @0x178c
2008-11-15 14:33:39, Info CSI
00000171@2008/11/15:14:33:39.154 CSI perf trace:
CSIPERF:TXCOMMIT;103851
2008-11-15 14:33:39, Info CSI 00000172 [SR] Verify and
Repair Transaction completed. All files and registry keys listed in this
transaction have been successfully repaired"

Thanks

Chris






"MowGreen [MVP]" wrote:



Chris ... download and save AU Check (v78a):
http://www.codeplex.com/aureset/Release/ProjectReleases.aspx?ReleaseId=17263

Disable Trend temporarily, including all services and processes
associated with it. Either consult the User Guide, Trend's web site, or
use MSConfig to disable all of it's services.
Run au_check_v78a_codeplex.exe by *right* clicking it and choosing 'Run
as administrator'. Follow the prompts.
Allow some time for it to complete it's operation and reboot after it's
done.
Try to update now.

MowGreen [MVP 2003-200]9]
===============
*-343-* FDNY
Never Forgotten
===============

PA Bear [MS MVP] wrote:



Thank you. Please await Mow's next reply to your thread.

Chris Lucas wrote:



Thanks - the Trend F/W is not activated, the Windows F/W is fine,
survives
most pen tests...

Before Trend Micro 2009, I has Trend Micro 2008. 2009 has been installed
for about 3 months, no problems till now. The problem with Windows
Update
(and the rest of the "collapsing" services is about 3 days old.

"PA Bear [MS MVP]" wrote:



<kibbitz>

Trend Micro Internet Security 2009 includes a firewall. You don't want
both firewalls enabled, Chris.

What "internet security" suite or anti-virus application was installed
before you installed Trend Micro Internet Security 2009?

</kibbitz>
--
~PA Bear

Chris Lucas wrote:



Thanks for this.

1/ Both RPC services are already set as you suggest
2/ Firewall is Windows F/W
3/ A/V is Trend Micro Internet Security 2009

Hope this helps, and look forward to your response - thanks.

"MowGreen [MVP]" wrote:

.

Loading