No Win Update, cannot download KB981028


  1. Posts : 59
    Windows 7 Ultimate 64/32bit
    Thread Starter
       #21

    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>ICACLS C:\Windows\System32\catroot2
    C:\Windows\System32\catroot2 NT SERVICE\CryptSvc:(OI)(CI)(F)
                                 NT SERVICE\TrustedInstaller:(I)(F)
                                 NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(F)
                                 CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                 BUILTIN\Administrators:(I)(OI)(IO)(F)
                                 BUILTIN\Administrators:(I)(CI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(OI)(IO)(F)
                                 NT AUTHORITY\SYSTEM:(I)(CI)(F)
                                 Everyone:(I)(OI)(IO)(F)
                                 Everyone:(I)(CI)(F)
                                 BUILTIN\Users:(I)(OI)(IO)(F)
                                 BUILTIN\Users:(I)(CI)(F)
    
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Windows\system32>ICACLS C:\Windows\System32
    C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                        NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                        CREATOR OWNER:(OI)(CI)(IO)(F)
                        BUILTIN\Administrators:(OI)(IO)(F)
                        BUILTIN\Administrators:(CI)(F)
                        NT AUTHORITY\SYSTEM:(OI)(IO)(F)
                        NT AUTHORITY\SYSTEM:(CI)(F)
                        Everyone:(OI)(IO)(F)
                        Everyone:(CI)(F)
                        BUILTIN\Users:(OI)(IO)(F)
                        BUILTIN\Users:(CI)(F)
    
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Windows\system32>ATTRIB C:\Windows\System32\catroot2\*.*
    A       I    C:\Windows\System32\catroot2\dberr.txt
    
    C:\Windows\system32>SC QC Cryptsvc
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: Cryptsvc
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
            LOAD_ORDER_GROUP   : TruPrevent
            TAG                : 0
            DISPLAY_NAME       : Cryptographic Services
            DEPENDENCIES       : RpcSs
            SERVICE_START_NAME : NT Authority\NetworkService
    
    C:\Windows\system32>SC QUERYEX Cryptsvc
    
    SERVICE_NAME: Cryptsvc
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 1196
            FLAGS              :
    
    C:\Windows\system32>


  2. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #22

    Have you been using some kind of system repair tool, such as the Tweaking.com Windows Repair tool?
    You have some very strange permissions there which will significantly lower your machine's security.

    Please run the following commands and post the results...

    SC QC APPID
    SC QUERYEX APPID

    There is an unusual entry in the LOAD_ORDER_GROUP entry above, which is from Panda, and appears to have been superseded in 2010 by another technology.

    What exact version of Panda is actually installed?
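Added example, not part of the thread: a small Python helper that parses pasted ICACLS output like that in post #21 and lists the entries post #22 calls strange, where a broad group holds write-capable rights on a system folder. The watch list of principals, the function names and the abridged sample are assumptions made for this illustration.

```python
import re

# Principals that cover every ordinary local account (assumed watch list).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
WRITE_RIGHTS = {"F", "M", "W"}                    # full, modify, write
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}     # inheritance markers, not rights
ACE_RE = re.compile(r"^(.+?):((?:\([^()]+\))+)$")
SKIP_RE = re.compile(r"^(\s|$|[A-Za-z]:\\[^>]*>|Successfully processed)")

def parse_icacls(text):
    """Return {path: [(principal, flags, rights), ...]} from pasted icacls output."""
    lines = [l.rstrip() for l in text.splitlines()]
    acls, i = {}, 0
    while i < len(lines):
        head = lines[i]
        i += 1
        if SKIP_RE.match(head):                   # blank, prompt or summary line
            continue
        cont = []
        while i < len(lines) and lines[i][:1].isspace():
            cont.append(lines[i])
            i += 1
        # Continuation lines start in the principal's column, which splits path from ACE.
        indent = len(cont[0]) - len(cont[0].lstrip()) if cont else head.find(" ") + 1
        aces = []
        for entry in [head[indent:]] + cont:
            m = ACE_RE.match(entry.strip())
            if m:
                tokens = re.findall(r"\(([^()]+)\)", m.group(2))
                flags = {t for t in tokens if t in INHERIT_FLAGS}
                rights = {r for t in tokens if t not in INHERIT_FLAGS for r in t.split(",")}
                aces.append((m.group(1), flags, rights))
        if aces:
            acls[head[:indent].rstrip()] = aces
    return acls

def risky_aces(acls):
    """List (path, principal, rights, scope) where a broad principal can write."""
    found = []
    for path, aces in acls.items():
        for who, flags, rights in aces:
            if who.lower() in BROAD and rights & WRITE_RIGHTS and "DENY" not in rights:
                scope = "inherited by children only" if "IO" in flags else "applies to this object"
                found.append((path, who, ",".join(sorted(rights)), scope))
    return found

# Sample abridged from the System32 listing in post #21 (admin/SYSTEM entries omitted).
SAMPLE = r"""C:\Windows\system32>ICACLS C:\Windows\System32
C:\Windows\System32 NT SERVICE\TrustedInstaller:(F)
                    Everyone:(OI)(IO)(F)
                    Everyone:(CI)(F)
                    BUILTIN\Users:(OI)(IO)(F)
                    BUILTIN\Users:(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(*risky_aces(parse_icacls(SAMPLE)), sep="\n")
```

With only a single entry and a path containing spaces the path/principal split is ambiguous, so the fallback splits at the first space.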


  3. Posts : 59
    Windows 7 Ultimate 64/32bit
    Thread Starter
       #23

    I used Tweaking.com when this issue first arose.

    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>SC QC APPID
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: APPID
            TYPE               : 1  KERNEL_DRIVER
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : \SystemRoot\system32\drivers\appid.sys
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : AppID Driver
            DEPENDENCIES       : FltMgr
                               : DisCache
            SERVICE_START_NAME :
    
    C:\Windows\system32>SC QUERYEX APPID
    
    SERVICE_NAME: APPID
            TYPE               : 1  KERNEL_DRIVER
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 1077  (0x435)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :
    
    C:\Windows\system32>
    Currently I have Panda Antivirus Pro 2014 13.01.00. I have no idea why the load order has changed, and certainly not why Panda initiated it. However, I have had rare cases of malware infestation a couple of years ago that required other Panda tools (assuming they would leave the same signature).

    As regards permissions etc., I had connected a hdd to the wlan this time last year, and have been plagued by permissions and sodding errors telling me that I'm not entitled to fiddle as I wish. In the end, I have managed to get the hdd working to my liking. Would these changes have any bearing on what you are referring to?


  4. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #24

    It may be normal for a Panda install - we don't see many here, and I suspect that it may depend also on which version is installed.
    It's quite common for AV's to slip themselves into the startup axis, so that they get loaded early in the boot process and get the chance to prevent startup malware.
    It can however make troubleshooting more difficult, as it introduces an extra layer into the complexities of booting.

    Perhaps I should explain what I'm looking for...
    Your system is showing problems with the cryptography associated with all the monitored files for the Software Protection Service.
    These problems are usually (about 80% of the time) corrected by re/installing the IRST drivers, and where that doesn't work, most systems will respond to the CATROOT2 rename - sometimes it fails, as in your case.

    The problem then is one of working out where the disconnect is - it's probably in the registry, but that is a rather large database that changes on a daily basis, so it's like looking for a size 12 needle in a bin of size 13s that is being continually stirred and refilled.

    All we can see is the effects, as a rule, unless we know where to start. Up until now, we don't really have much of a clue, except that it's definitely something to do with the CATROOT2 folder.
    This is controlled (at least partly) by the Windows Management Instrumentation Service - but so far, no machine we've checked has shown any problems with the service itself.

    Let's check that, and a few other things as well, anyhow..

    Run the following commands, and post the results.

    SC QC WINMGMT
    SC QUERYEX WINMGMT


    Also, please follow the Blue Screen of Death (BSOD) Posting Instructions and post the results - it'll give us a lot of information that may prod me into spotting something relevant.


  5. Posts : 59
    Windows 7 Ultimate 64/32bit
    Thread Starter
       #25

    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>SC QC WINMGMT
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: WINMGMT
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Windows Management Instrumentation
            DEPENDENCIES       : RPCSS
            SERVICE_START_NAME : localSystem
    
    C:\Windows\system32>SC QUERYEX WINMGMT
    
    SERVICE_NAME: WINMGMT
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 1964
            FLAGS              :
    
    C:\Windows\system32>
    What behaviour/actions would typically tamper with/corrupt the cryptographic services? I ask in order to prompt my memory of any relevant events that may hasten your search. I confess that up until now I had been unaware of the existence of cryptographic services and Windows manifests, but you have probably guessed that.


  6. Posts : 59
    Windows 7 Ultimate 64/32bit
    Thread Starter
       #26

    I've just thought of something.

    Would it be any help to you if I reinsert my old OS hdd which may still yield underlying corruptions, though these have not been further stirred up by more recent interferences/incompatibilities?


  7. Posts : 59
    Windows 7 Ultimate 64/32bit
    Thread Starter
       #27

    I also have a couple of practical observations that have occurred recently.

    The last command that you asked me to run has improved the boot time, however, the file transfer speed over WLAN has just about halved over the last few days. Incidentally, I experienced a significant improvement in transfer speed after tweaking.com repairs to repair WU.

    Funny ol' world.

    This morning I've also been receiving a spate of "This copy of Windows is not genuine" - which has also added to my good cheer.


  8. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #28

    The 'not genuine' messages are interesting - next time one appears, please post the results of an MGADiag scan before attempting any fixes.

    To properly analyse and solve problems with Activation and Validation, we need to see a full copy of the report produced by the MGADiag tool
    (download and save to desktop - http://go.microsoft.com/fwlink/?linkid=52012 )
    Once saved, run the tool.

    Click on the Continue button, which will produce the report.
    To copy the report to your response, click on the Copy button in the tool (ignore any error messages at this point), and then paste (using either r-click/Paste, or Ctrl+V ) into your response.


  9. Posts : 59
    Windows 7 Ultimate 64/32bit
    Thread Starter
       #29

    I don't understand, I already have the MGADiag tool and have posted loads of these scans.

    I was rather hoping that you may have found anything interesting as a result of #24/25 from last night.

    Here are the MGAD scan results:

    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0x8004FE21
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-24FM6-626F6-2X46Y
    Windows Product Key Hash: aVSvaN08Cpfya6UCZ7EqSoPkgu0=
    Windows Product ID: 00426-OEM-9179745-04135
    Windows Product ID Type: 3
    Windows License Type: OEM System Builder
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {8E5EB5B9-4D07-4C2F-9401-3615F8138954}(3)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: Registered, 1.9.42.0
    Signed By: Microsoft
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000000
    Build lab: 7601.win7sp1_gdr.130828-1532
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: 2.0.48.0
    OGAExec.exe Signed By: Microsoft
    OGAAddin.dll Signed By: Microsoft
    
    OGA Data-->
    Office Status: 100 Genuine
    Microsoft Office Professional Plus 2007 - 100 Genuine
    OGA Version: Registered, 2.0.48.0
    Signed By: Microsoft
    Office Diagnostics: B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005_E2AD56EA-765-8009_E2AD56EA-766-2efd_E2AD56EA-148-80004005_16E0B333-89-80004005_B4D0AA8B-1029-80004005
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files\Maxthon3\Bin\Maxthon.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppc.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppwinob.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slc.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slcext.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppuinotify.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\slui.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcomapi.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppcommdlg.dll[6.1.7600.16385], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7601.17514], Hr = 0x800b0100
    File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{8E5EB5B9-4D07-4C2F-9401-3615F8138954}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2X46Y</PKey><PID>00426-OEM-9179745-04135</PID><PIDType>3</PIDType><SID>S-1-5-21-575296468-2180832810-2140896998</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>Qosmio G50</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 2.30</Version><SMBIOSVersion major="2" minor="5"/><Date>20090828000000.000000+000</Date></BIOS><HWID>39BB3C07018400F8</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GTB Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0060   </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0011-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Plus 2007</Name><Ver>12</Ver><Val>83770C147C39586</Val><Hash>HujjXRyTgOYjf4RCWfGtC0B0HlY=</Hash><Pid>89409-707-1230233-65598</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    
    Name: Windows(R) 7, Ultimate edition
    Description: Windows Operating System - Windows(R) 7, OEM_COA_NSLP channel
    Activation ID: cfb3e52c-d707-4861-af51-11b27ee6169c
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00182-797-404135-02-2057-7601.0000-2402013
    Installation ID: 017280694241765211214676292446964325955474601770711190
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: 2X46Y
    License Status: Licensed
    Remaining Windows rearm count: 5
    Trusted time: 17/03/2014 19:39:36
    
    Windows Activation Technologies-->
    HrOffline: 0x8004FE21
    HrOnline: N/A
    HealthStatus: 0x000000000001EFF0
    Event Time Stamp: 3:16:2014 16:59
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    Tampered File: %systemroot%\system32\sppobjs.dll
    Tampered File: %systemroot%\system32\sppc.dll|sppc.dll.mui
    Tampered File: %systemroot%\system32\sppcext.dll|sppcext.dll.mui
    Tampered File: %systemroot%\system32\sppwinob.dll
    Tampered File: %systemroot%\system32\slc.dll|slc.dll.mui
    Tampered File: %systemroot%\system32\slcext.dll|slcext.dll.mui
    Tampered File: %systemroot%\system32\sppuinotify.dll|sppuinotify.dll.mui
    Tampered File: %systemroot%\system32\slui.exe|slui.exe.mui|COM Registration
    Tampered File: %systemroot%\system32\sppcomapi.dll|sppcomapi.dll.mui
    Tampered File: %systemroot%\system32\sppcommdlg.dll|sppcommdlg.dll.mui
    Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
    Tampered File: %systemroot%\system32\drivers\spsys.sys
    
    
    HWID Data-->
    HWID Hash Current: OAAAAAEABAABAAEAAAACAAAABAABAAEAeqjmUe715I1c+viHEB6GGQa2nmJcPz64hm0Uz4ztRso=
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes
    Windows marker version: 0x20001
    OEMID and OEMTableID Consistent: yes
    BIOS Information: 
      ACPI Table Name	OEMID Value	OEMTableID Value
      APIC			TOSHIB		A0060   
      FACP			TOSHIB		A0060   
      DBGP			TOSHIB		A0060   
      HPET			TOSHIB		A0060   
      MCFG			TOSHIB		A0060   
      SSDT			TOSHIB		A0060   
      TCPA			TOSHIB		A0060   
      SLIC			TOSHIB		A0060   
      SSDT			TOSHIB		A0060
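Added example, not part of the thread: a Python sketch that reads the File Scan and HealthStatus sections of an MGADiag report like the one in post #29, groups the File Mismatch entries by HRESULT (0x800b0100 is TRUST_E_NOSIGNATURE, "no signature was present in the subject") and lists files that fail the signature check without appearing in the Tampered File list. The function name, the `systemroot` default and the abridged sample are assumptions made for this illustration.

```python
import re
from collections import defaultdict

MISMATCH_RE = re.compile(r"^File Mismatch: (.+?)\[([\d.]+)\], Hr = (0x[0-9A-Fa-f]+)$")
TAMPERED_RE = re.compile(r"^Tampered File: (.+)$")
# WinTrust code for "no signature was present in the subject".
HRESULT_NAMES = {0x800B0100: "TRUST_E_NOSIGNATURE"}

def summarize_file_scan(report, systemroot=r"C:\Windows"):
    """Group File Mismatch entries by HRESULT and compare with Tampered File entries."""
    by_hr, tampered = defaultdict(list), set()
    for line in map(str.strip, report.splitlines()):
        m = MISMATCH_RE.match(line)
        if m:
            by_hr[int(m.group(3), 16)].append(m.group(1).lower())
            continue
        t = TAMPERED_RE.match(line)
        if t:
            # "a.dll|a.dll.mui|COM Registration": the first field is the file itself.
            primary = t.group(1).split("|")[0].lower()
            tampered.add(primary.replace("%systemroot%", systemroot.lower()))
    mismatched = {p for paths in by_hr.values() for p in paths}
    return {
        "by_hresult": {HRESULT_NAMES.get(hr, hex(hr)): len(p) for hr, p in by_hr.items()},
        # One error code across many files points at signature verification itself.
        "uniform_failure": len(by_hr) == 1 and len(mismatched) > 1,
        "mismatch_only": sorted(mismatched - tampered),
    }

# Sample abridged from the report in post #29 (four of the fourteen mismatches).
SAMPLE_REPORT = r"""File Scan Data-->
File Mismatch: C:\Windows\system32\sppobjs.dll[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\sppsvc.exe[6.1.7601.17514], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\drivers\spsys.sys[6.1.7127.0], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7601.17514], Hr = 0x800b0100

HealthStatus Bitmask Output:
Tampered File: %systemroot%\system32\sppobjs.dll
Tampered File: %systemroot%\system32\sppsvc.exe|sppsvc.exe.mui
Tampered File: %systemroot%\system32\drivers\spsys.sys
"""

if __name__ == "__main__":
    for key, value in summarize_file_scan(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```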


  10. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #30

    Sorry - I was in a hurry (posting at work behind the boss's back) so only looked at the thread title and the last post.

    I'll review the thread at leisure today, and post back later.


 