August Windows Update corrupts dlls/netframe?

Run icacls C:

From Administrator Prompt returns:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Administrator>icacls C:
C: NT AUTHORITY\SYSTEMOI)(CI)(F)
The system cannot find the file specified.
(OI)(CI)(F)
CrossroadsInn\AdministratorOI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
C:\Users\Administrator>

Run from elevated prompt returns:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\windows\system32>icacls C:
C: NT AUTHORITY\SYSTEMF)
The system cannot find the file specified.
(F)
Successfully processed 1 files; Failed processing 0 files
C:\windows\system32>

Hello again!

Well, that doesn't look too good! I shall return C: and C:\ (for this, they are different!) to default security, and then we can go from there.

Can you please type in all of the following commands into a new Command Prompt, and then mark and copy the entire thing here or into a new file.

Just to confirm, you are using C:\ as your system drive?

wmic path win32_useraccount where name="%username%" get sid
icacls C:
icacls C:\
icacls C:\Windows
icacls C:\Windows\

Can you also please get me a copy of "C:\Windows\inf\defltbase.inf"

Then we shall do some permissions resetting!

Thanks a lot!

Richard

Attached:

Logs sevenforums contains:

1. CBS Log
2. OTL Log
3. OTL Log after custom run
4. Extras Log produced by OTL
5. defltbase
6. Results of wmic run from Hidden Admin command prompt
7. Reselt of wmic run from hidden Admin elevated command prompt

WindowsUpdate.txt is from MS Support and has not, and WILLNOT be run without your instruction.

The instructions are to rename as a vbs file, run, rebooot, try to install updates. I haven't done anything with VB since the 90's so I haven't looked at it.

I am now well into MS second level support and I thought this might give you an insight into their thought pattern. They have indicated this is the last step before removing and reinstalling the Net Framework. But as I said I will not process unless directed by you.

I would havenever gotten anywhere in my IT career if it was handed to me and even 2nd level MS support does not seem to like to explain what their plan, process or the expected outcome, other than 'you will now be able to process your updates'. If I am ever to be as helpful as you, and others on this forum, the only way is to experience the pain of learning. So as always, thank you.

On the C:\ system drive question....
Sorry, I should have given all background upfront but I did not realize going in this would be such a forensic adventure.

• C is system drive. (Hitachi HDS721010CLA332)
• D is CD/DVD drive and is first in boot sequence just in case
• F is RECOVERY
• G is SYSTEM IMAGE
• F and G are on same Hitachi Disk
• E, L, M when attached are external HD or flash drives being used for backups
• This is a 2 month old Dell XPS 8300 that is relatively unchanged from delivery (with the exception of whatever changes occurred in this update and anything subsequent run to address the WU issues)
• There has never been a problem with ANY Windows Update
• There has never been a problem with the execution or behaviour of any Windows element or application (including original software and post delivery installed software)
• On two occasions the Dell has been unable to start up. Once about a week after purchase, start up repair found nothing and for the next 6 weeks all was well. The second occurance of 'unable to start' was after the August 9 Windows Update
• This PC is not used for anything much other than to run my home business managment software, REZODesktop. So there are no 'oddball' programs installed. These are the only ones that I believe could have an effect.
  
  • Kaspersky Internet Security 2011
  • Malwarebytes (post WU failure)
  • MS Office 2007
  • REZODesktop (seems to run fine in W7 but is run in compatibility mode XP SP3 per software vendor)
  • MS SOAP Toolkit Version Three (for REZO)
• The PC is on a network with two other PC's and there is a Netgear Wireless N Router with a DSL connection
• Kaspersky and Malwarebytes have never reported an issue.

Please enjoy the day with friends and family. I am going to mow my well overgrown lawn and try to think about non-electronic things.

Hello again!

Thanks for all of the additional information! It really is so helpful for me! Any updates on the state of the upload

Also, (really sorry to push this issue) is "CBS Log" a single log file or a folder?

Thanks so much!

Richard

Sorry I had attached them, saw it with my own eye.

niemiro said:

Hello again!

is "CBS Log" a single log file or a folder?

I just included the CBS log.
If you need them I also have the CheckSUR and CheckSur.persist logs.

Or are you in need of the entire folder? (ie with CBSpersist cabinet folders?)

droolingelmo said:

Sorry I had attached them, saw it with my own eye.

Sorry about that. I honestly have no idea what happened. I can see them now though, and that is the most important bit!

When I saw that WindowsUpdate.txt -> .vbs, I nearly jumped out of my skin! I was shocked stiff! It is not that it doesn't work, and it won't harm your computer, but it isn't actually owned by Microsoft, nor is it very good! I can tell you one thing! If they are sending you that, they are running out of ideas, badly!

Here is the actual source of that script: Windows Update Troubleshooter v1.3 | HackSys Team

As you can see, not Microsoft!

I have looked into that script before, to decide whether I would use it on this forum or not. In the end, I decided that although not dangerous, I wouldn't be using it.

Here is what it does:

• Creates a folder on your Desktop called "Logs"
• Stops all of the Windows Update Services, and renames SoftwareDistribution and CatRoot2, and then restarts these services. This is what this fix-it does in Aggressive Mode: How do I reset Windows Update components?, but not as thoroughly!
• Runs SFC (you already have done so)
• Then goes and runs that Microsoft Fix-It linked above - yes, the same one, but not in aggressive mode. Why try to re-write Aggressive Mode, but use Microsoft's product for the rest!?
• It then adds Microsoft update sites to the Trust List (first good part of the script)
• It then runs the System Update Readiness Tool
• It then copies CheckSUR.log and CBS.log to the Logs folder, but I have use of more logs than that.
• It then launches msconfig - but what you are supposed to do in it is anybody's guess!

Often, I won't use all of these tools. If I have a network error code, I add to the Trusted List, Firewall etc. etc., but if I have a file corruption error code, I don't. If I have errors in a System Update Readiness Tool (SURT) log, I don't run SFC unless I fix all in the SURT log and still have problems, and because of the deletion of history, I don't empty SoftwareDistribution unless I find a corrupt file in it from the CBS.log, which is why I chose not to use this script.

However, it is safe. If I were you, I WOULD run it, and report back to Microsoft, and hopefully you will get another elevation (because this level two guy is obviously out of ideas as well). The reason is that I honestly don't know exactly what is going on here. I intend to check out your CBS.log, see if there is anything I can do, repair those SFC corruptions, and check out your SURT logfile, and your C:\ drive. If there is still a problem, I shall elevate you to the one very best of the best across all forums. And I tell you now, if he can't fix this, nobody can. But I shall do all of the preliminary work, and simple stuff first (simple relative to his knowledge!)

I just included the CBS log.
If you need them I also have the CheckSUR and CheckSur.persist logs.

Or are you in need of the entire folder? (ie with CBSpersist cabinet folders?

If you could provide me with the entire folder, that would be great. The most important parts are the persisted CBS.logs, because you have so much logging data that the important information has already been persisted, and I haven't yet seen any of the important CBS.logs yet, and they are my most important log file. Also, if you could provide me with your CheckSUR.logs, and filterlists, I will look over them as well (basically, I want the WHOLE folder if that is OK)

Thanks a lot!

Richard

P.S. I need to go out for a couple of hours now, and I shall look through your logs later today, but I will say now that those SFC found files were corrupt, and I shall be performing a fix.

Complete Folder of windows\logs\CBS

E drive is currently attached and doing todays full data backup.

Normally I would leave the drive attached all of the time, but since this occurred with Windows Update I have been running minimalistic, only MS services running and only Kaspersky in startup, all peripherals eccept printer are generally remaiing removed, but I have to still do my daily and weekending backups.

Dear Rakesh,

Thank you for the VB Script. I ran it as you instructed but the results were not as expected. Was the script run through Microsoft Quality Assurance before sending it to me?

From the results, it appears the script was written by Apple.



Thank you for all of your help so far, but would it be possible to refer me to 3rd level suport? Ask them to bring sticks and marshmallows please.

Elmo

OTL installed trojan swisyn.bsgf on my machine. It's all over the security sites and even being posted on the OTL site.

OTL by OldTimer – A Modern Replacement for HijackThis « Geeks to Go! – Free help from tech experts