After removing malware: Windows Updates, SFC, etc. totally broken


7 replies to this topic

#1 LTLeaf

LTLeaf

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 26 July 2013 - 12:37 PM

I was directed to post here by Marius, who was helping me in the Malware Removal Logs section.
 
Here are my previous threads for more info, if you want to see them:
1st thread, in "Am I infected?" 
2nd thread, in Malware Removal Logs
 
 
Long story short: I had the ZeroAccess trojan on my system, and it seems to have broken Windows Updates good and proper. Also not working are the sfc /scannow command, the CheckSUR tool, or an in-place upgrade. I've run Windows Update troubleshooter and Microsoft Fix-its for the problem, but they didn't help. 
 
Windows Update gives this message: 
Error(s) found:
Code 80073712 Windows Update encountered an unknown error.
Most recent check for updates: Never
Updates were installed: Never (SO not true)
 
sfc /scannow says this:
"Windows Resource Protection could not perform the requested operation."
"This process will take some time" Ha. 
 
Here is the log that CheckSUR gives:
=================================
Checking System Update Readiness.
Binary Version 6.1.7601.21645
Package Version 19.0
2013-07-26 00:07
Checking Windows Servicing Packages
Checking Package Manifests and Catalogs
Checking Package Watchlist
Checking Component Watchlist
Checking Packages
(f) CSI Unable to Query Store Version 0x00000002  
Summary:
Seconds executed: 607
Found 1 errors
  CSI Unable to Query Store Version Total count: 1
 
 
After I attempted CheckSUR most recently, I checked the CBS.log file, and here is the relevant part of it from that time. (In case it has any useful info.) 
2013-07-26 00:05:44, Info                  CBS    Starting TrustedInstaller initialization.
2013-07-26 00:05:44, Info                  CBS    Loaded Servicing Stack v6.1.7601.17592 with Core: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17592_none_0b0e4b4025cf4049\cbscore.dll
2013-07-26 00:05:45, Info                  CSI    00000001@2013/7/26:07:05:45.172 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x5f64de79 @0x5fec5d7d @0x5fea205a @0xd01c99 @0xd01236 @0x761275a8)
2013-07-26 00:05:45, Info                  CSI    00000002@2013/7/26:07:05:45.278 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x5f64de79 @0x5ff07183 @0x5ff04013 @0xd01c99 @0xd01236 @0x761275a8)
2013-07-26 00:05:45, Info                  CSI    00000003@2013/7/26:07:05:45.345 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x5f64de79 @0x71e44bc8 @0x71e454a6 @0xd01327 @0xd01245 @0x761275a8)
2013-07-26 00:05:45, Info                  CBS    Ending TrustedInstaller initialization.
2013-07-26 00:05:45, Info                  CBS    Starting the TrustedInstaller main loop.
2013-07-26 00:05:45, Info                  CBS    TrustedInstaller service starts successfully.
2013-07-26 00:05:45, Info                  CBS    SQM: Initializing online with Windows opt-in: False
2013-07-26 00:05:45, Info                  CBS    SQM: Cleaning up report files older than 10 days.
2013-07-26 00:05:45, Info                  CBS    SQM: Requesting upload of all unsent reports.
2013-07-26 00:05:45, Info                  CBS    SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2 [HRESULT = 0x80004005 - E_FAIL]
2013-07-26 00:05:45, Info                  CBS    SQM: Failed to start standard sample upload. [HRESULT = 0x80004005 - E_FAIL]
2013-07-26 00:05:45, Info                  CBS    SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
2013-07-26 00:05:45, Info                  CBS    SQM: Warning: Failed to upload all unsent reports. [HRESULT = 0x80004005 - E_FAIL]
2013-07-26 00:05:45, Info                  CBS    No startup processing required, TrustedInstaller service was not set as autostart, or else a reboot is still pending.
2013-07-26 00:05:45, Info                  CBS    NonStart: Checking to ensure startup processing was not required.
2013-07-26 00:05:45, Info                  CSI    00000004 No store version format found; DLL store format 0.0.0.6
2013-07-26 00:05:45, Error                 CSI    00000005@2013/7/26:07:05:45.412 (F) d:\win7sp1_gdr\base\wcp\componentstore\storelayout.cpp(6636): Error STATUS_SXS_COMPONENT_STORE_CORRUPT originated in function ComponentStore::CRawStoreLayout::OpenCanonicalDataKey expression: (null)
[gle=0x80004005]
2013-07-26 00:05:45, Info                  CBS    NonStart: Failed to get store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:45, Info                  CBS    Failed to ensure no startup processing was required. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:45, Info                  CBS    Failed during startup processing, continuing with Trusted Installer execution [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:45, Info                  CBS    Startup processing thread terminated normally
2013-07-26 00:05:46, Info                  CSI    00000006 No store version format found; DLL store format 0.0.0.6
2013-07-26 00:05:46, Error                 CSI    00000007@2013/7/26:07:05:46.017 (F) d:\win7sp1_gdr\base\wcp\componentstore\storelayout.cpp(6636): Error STATUS_SXS_COMPONENT_STORE_CORRUPT originated in function ComponentStore::CRawStoreLayout::OpenCanonicalDataKey expression: (null)
[gle=0x80004005]
2013-07-26 00:05:47, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:47, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:47, Info                  CSI    00000008 No store version format found; DLL store format 0.0.0.6
2013-07-26 00:05:47, Error                 CSI    00000009@2013/7/26:07:05:47.314 (F) d:\win7sp1_gdr\base\wcp\componentstore\storelayout.cpp(6636): Error STATUS_SXS_COMPONENT_STORE_CORRUPT originated in function ComponentStore::CRawStoreLayout::OpenCanonicalDataKey expression: (null)
[gle=0x80004005]
2013-07-26 00:05:47, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:47, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:53, Info                  CSI    0000000a No store version format found; DLL store format 0.0.0.6
2013-07-26 00:05:53, Error                 CSI    0000000b@2013/7/26:07:05:53.430 (F) d:\win7sp1_gdr\base\wcp\componentstore\storelayout.cpp(6636): Error STATUS_SXS_COMPONENT_STORE_CORRUPT originated in function ComponentStore::CRawStoreLayout::OpenCanonicalDataKey expression: (null)
[gle=0x80004005]
2013-07-26 00:05:53, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:53, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:53, Info                  CSI    0000000c No store version format found; DLL store format 0.0.0.6
2013-07-26 00:05:53, Error                 CSI    0000000d@2013/7/26:07:05:53.847 (F) d:\win7sp1_gdr\base\wcp\componentstore\storelayout.cpp(6636): Error STATUS_SXS_COMPONENT_STORE_CORRUPT originated in function ComponentStore::CRawStoreLayout::OpenCanonicalDataKey expression: (null)
[gle=0x80004005]
2013-07-26 00:05:53, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:53, Error                 CBS    Failed to initialize store parameters with boot drive:  and windows directory:  [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:15:54, Info                  CBS    Reboot mark refs incremented to: 1
2013-07-26 00:15:54, Info                  CBS    Scavenge: Starts
2013-07-26 00:15:54, Info                  CSI    0000000e No store version format found; DLL store format 0.0.0.6
2013-07-26 00:15:54, Error                 CSI    0000000f@2013/7/26:07:15:54.293 (F) d:\win7sp1_gdr\base\wcp\componentstore\storelayout.cpp(6636): Error STATUS_SXS_COMPONENT_STORE_CORRUPT originated in function ComponentStore::CRawStoreLayout::OpenCanonicalDataKey expression: (null)
[gle=0x80004005]
2013-07-26 00:15:54, Info                  CBS    Scavenge: Failed to get CSI store for scavenging. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:15:54, Info                  CBS    Warning: Failed to scavenge CSI store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:15:54, Info                  CBS    Reboot mark refs: 0
2013-07-26 00:15:54, Info                  CBS    Warning: Failed while executing service idle processing. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:15:54, Info                  CBS    Warning: Failed to execute service idle processing. Error code: 0X80073712 [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:15:54, Info                  CBS    Idle processing thread terminated normally
2013-07-26 00:15:54, Info                  CBS    Ending the TrustedInstaller main loop.
2013-07-26 00:15:54, Info                  CBS    Starting TrustedInstaller finalization.
2013-07-26 00:15:54, Info                  CBS    Failed to unload the COMPONENTS hive. [HRESULT = 0x80070005 - E_ACCESSDENIED]
2013-07-26 00:15:54, Info                  CBS    Ending TrustedInstaller finalization.


Hopefully this is enough info to start out with.

Thanks in advance for any help with this issue. :-)
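
A small triage script for a CBS.log excerpt like the one in the first post, added here as an example (it is not part of the original post or of any Microsoft tool). It joins continuation lines such as `[gle=...]` to their record, tallies the HRESULT codes, and reports which function the Error records name; the function names are illustrative, and the sample lines are copied from the log quoted above.

```python
import re
from collections import Counter

# Sample input: seven lines copied from the CBS.log excerpt in the first post.
SAMPLE = r"""
2013-07-26 00:05:45, Info                  CBS    SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2 [HRESULT = 0x80004005 - E_FAIL]
2013-07-26 00:05:45, Info                  CSI    00000004 No store version format found; DLL store format 0.0.0.6
2013-07-26 00:05:45, Error                 CSI    00000005@2013/7/26:07:05:45.412 (F) d:\win7sp1_gdr\base\wcp\componentstore\storelayout.cpp(6636): Error STATUS_SXS_COMPONENT_STORE_CORRUPT originated in function ComponentStore::CRawStoreLayout::OpenCanonicalDataKey expression: (null)
[gle=0x80004005]
2013-07-26 00:05:45, Info                  CBS    NonStart: Failed to get store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:05:47, Info                  CBS    Failed to get CSI store. [HRESULT = 0x80073712 - ERROR_SXS_COMPONENT_STORE_CORRUPT]
2013-07-26 00:15:54, Info                  CBS    Failed to unload the COMPONENTS hive. [HRESULT = 0x80070005 - E_ACCESSDENIED]
"""

# "<timestamp>, <level>   <component>   <message>"
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (\w+)\s+(\w+)\s+(.*)$")
HRESULT = re.compile(r"\[HRESULT = (0x[0-9A-Fa-f]{8}) - (\w+)\]")
ORIGIN = re.compile(r"Error (\w+) originated in function (\S+)")

def parse_records(text):
    """Split the log into records; lines without a timestamp continue the previous record."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts, level, component, message = m.groups()
            records.append({"ts": ts, "level": level,
                            "component": component, "message": message})
        elif records and line.strip():
            records[-1]["message"] += " " + line.strip()
    return records

def summarize(records):
    """Count (code, name) HRESULT pairs and (status, function) origins across all records."""
    hresults, origins = Counter(), Counter()
    for rec in records:
        for code, name in HRESULT.findall(rec["message"]):
            hresults[(code.lower(), name)] += 1
        m = ORIGIN.search(rec["message"])
        if m:
            origins[m.groups()] += 1
    return hresults, origins

def triage(text):
    """Return record count, HRESULT and origin tallies, and the first Error-level record."""
    records = parse_records(text)
    hresults, origins = summarize(records)
    first_error = next((r for r in records if r["level"] == "Error"), None)
    return {"records": len(records), "hresults": hresults,
            "origins": origins, "first_error": first_error}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for (code, name), count in result["hresults"].most_common():
        print(f"{count:3d}  {code}  {name}")
    for (status, function), count in result["origins"].most_common():
        print(f"{count:3d}  {status} in {function}")
```

On a full CBS.log, read the file with `errors="replace"` and pass its text to `triage()`; the most frequent HRESULT and the function it originates in show whether every failure traces back to the same component-store fault.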



#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:06:16 PM

Posted 26 July 2013 - 12:52 PM

Let's see if this will help (although step 3 will probably end up with the same error as before since it's sfc /scannow, but we will see):

 

 

Please download and install Windows Repair (All in one) at this site.
 
To open the program click on the Start orb.
 
Click on All Programs.
 
Click on Windows Repair (All in one), this may be listed as Tweaking.com.
 
If you are running Windows Vista, 7, or 8 right click on Windows Repair (All in one)  and then click on Run as administrator.
 
Notice: You will need to disable your antivirus in order to run this program; for this reason you should run this while offline.
 
Go to Step 2 and click on the Do it button to allow CheckDisk to run. 
 
 
Go to Step 3 and click on the Do it button to run System File Check.
 
 
Go to Step 4 and click on the Create button under System Restore.
 
 
Go to Start Repairs and click on the Start button.
 
Important: Do not make any changes to the check marks.
 
For those running Windows 8 please note that  Reset Registry Permissions is not checked by design.
 
When the page below opens click on the Start button.
 
 
Please copy and paste the Windows Repair Log in your next post.  This log (_windows_repair_log.txt) is located in the following folder:
 
*  64-bit systems file path - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
 
*  32-bit systems file path - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
 
Copy the file path for your version of Windows (32-bit or 64-bit), click on the Start orb and paste it in the Search all programs and files box.
 
Click on Logs.
 
Click on _Windows_Repair_Logs.
 
Tell me how your computer is working now (please reboot).
 

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 hamluis

hamluis

    Moderator


  • Moderator
  • 56,279 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:12:16 PM

Posted 26 July 2013 - 01:00 PM

Hi :).

 

Did you go through the steps outlined at http://support.microsoft.com/kb/957310 :

 

To resolve this problem in Windows 7 and Windows Vista, use one of the following methods. For these methods to work, you must be logged on to your computer as an administrator. Or, you must be able to supply a user account name and password for an account that has administrative permissions. If you are using your home computer, you may already be logged on as an administrator.

For more information about how to log on as an administrator, go to the following Microsoft website:
Method 1: Run the System Update Readiness tool (Checksur.exe)
  1. Download and run the System Update Readiness tool. This tool runs a one-time scan for inconsistencies that may prevent future problems with installing updates or service packs. To download and run the System Update Readiness tool (Checksur.exe), go to the following Microsoft website:
  2. Install the updates again.
If you still cannot install the updates or turn on Windows features, go to Method 2.
Method 2: Install the latest service pack for your version of Windows.
If you do not have the latest service pack for your version of Windows installed, go to the Service Pack Center to download and install the latest service pack.
  1. Click the following link:
  2. Click the service pack download link for your version of Windows.
  3. Follow the instructions to download, and install the latest service pack.
  4. Restart your computer.
  5. Try to install the updates again.

If you still cannot install updates or turn on Windows features, go to Method 3.
Method 3: Run the System File Checker (SFC.exe) tool with the sfc /scannow command
To run System File Checker, follow these steps:
  1. Click Start, type cmd in the Start Search box (Windows Vista) or the Search programs and files box (Windows 7), and then press Enter.
  2. Right-click cmd.exe, and then click Run as administrator. Click Continue if you are the administrator or type the administrator password, and then click Continue.
  3. In the command box window, type Sfc /scannow, and then press Enter. Note that there is a space before the forward slash in this command.
The scan may take some time, so be patient. Windows will repair any corrupted or missing files that it finds. If information from the installation DVD is needed to repair the problem, you may be prompted to insert your Windows Vista or Windows 7 DVD.

After the scan is complete, try to install the updates again. If you still can't install the updates or turn on Windows features, go to Method 4.
Method 4: Perform an in-place upgrade
Important You should use an in-place upgrade only as the final alternative if the previous methods don't resolve your issue.
Be aware that it takes the same amount of time to do the upgrade as it does to reinstall Windows. Also, some of your customized Windows settings may be lost during this process.

Note Performing a repair installation will not damage files and applications that are currently installed on your computer.

To perform an in-place upgrade, follow these steps:
  1. Close all applications.
  2. Insert the Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2 DVD in the computer's DVD drive.
  3. In the Setup window, click Install Now.

    If Windows does not automatically detect the DVD, follow these steps:
    1. Click Start, and then type Drive:\setup.exe in the Start Search box. Note: The Drive placeholder is the drive letter of the computer's DVD drive.
    2. In the Programs list, click Setup.exe.
    3. In the Setup window, click Install Now.
  4. Click Go online to obtain the latest updates for installation (recommended).
  5. Type the product key if you are prompted to do this.
  6. In the Install Windows screen, select the operating system that you want to Upgrade or Inplace.
  7. Click Yes to accept the Microsoft Software License Terms.
  8. In the Which type of installation do you want? screen, click Upgrade.
  9. When the installation is complete, restart your computer.
     


After your in-place upgrade is complete, try to run Windows Update or try to turn Windows features off and on to see whether the problem is resolved. If you still cannot install Windows Updates or turn on Windows features, go to the following Microsoft website to contact support:


#4 LTLeaf

LTLeaf
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 26 July 2013 - 01:11 PM

@Toffee, I have run it less than a week ago. Is this recent enough?: requested parameters and log result


@Louis: Thanks, I have tried it already, see here and here.


Thanks for the replies :-)

#5 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:06:16 PM

Posted 26 July 2013 - 01:29 PM

You could try re-running to see if there is any difference, but let's see if this helps: http://support.microsoft.com/kb/947821

I do have a few things to try, but it may just be that Windows is corrupted beyond repair so that you need to reinstall.

 

xXToffeeXx~




#6 LTLeaf

LTLeaf
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 26 July 2013 - 02:19 PM

I've already run CheckSUR (System Update Readiness), see first post for logs.

Yeah, I wouldn't be surprised if this takes a reinstall to fix. :-( I've been trying to get it working for so long, and nothing's worked yet.

#7 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:06:16 PM

Posted 26 July 2013 - 02:32 PM

My bad, I missed that. Try a repair install before that; if it doesn't work, then a reinstall is your only option, sorry to say. See here on how to do this: http://www.sevenforums.com/tutorials/3413-repair-install.html. Make sure to make a note of your Windows product key. Of course you could just reinstall if you find that easier; just back up your files onto another computer or somewhere safe. Sorry, there are really not many other options.

 

xXToffeeXx~




#8 LTLeaf

LTLeaf
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:10:16 AM

Posted 26 July 2013 - 07:03 PM

OK, thanks for the info. A repair install isn't working, so I guess I'll have to do the reinstall. Time to hunt up the installers and disks for all my programs....

Thanks to everyone for your help! :)



